Analysis

  • max time kernel: 149s
  • max time network: 152s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 17/01/2025, 14:14

General

  • Target: RoninTweaksCLI.exe
  • Size: 20.1MB
  • MD5: 230f9e03576ff4e7a7e66e2114fe6b8e
  • SHA1: 89971565edd8fef92cfb8f0c143905136b64be32
  • SHA256: 1f4c708d803e7607540b967db81e8ffb6c3390b06935793c0f11f41e1bcfea40
  • SHA512: fccc96b48b46c6392da69bf8a7175bc40a16ec6e96a798edab49b4fd28c35f4810cde34e1636e7bfd18ddc86d6c670bd751a4a147c3b3e572825f2fa8f90d8b8
  • SSDEEP: 393216:iTN7dtptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yT:cJtDGL7p8dai06KRq6RSH6yT

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 3 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe
    "C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2308

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\evbA75D.tmp
    Filesize: 1KB
    MD5: 9adc328239101235f8232b6ebb6a1d4d
    SHA1: 3ba838ea75ad852caf6d76b4354d70cd4bd27efc
    SHA256: e0d0cac9520b77ea931ca2b656893adc41c96acf7d52276fa9267e96813f3426
    SHA512: 09a6cc36992bfd03abcba2430676ce511489754df854a4c1ef3ff734cdd4ecbf9cda19e844b9ff1eb21ae9d65395eaa549e36ff7fe8810c67a21b439b4b207ca

  • C:\Users\Admin\AppData\Local\Temp\evbB260.tmp
    Filesize: 1KB
    MD5: 4fc356bb5e3a4c1783a55d3fa28d118f
    SHA1: eb48c330e792182b0753257c7f92979a70f3a13d
    SHA256: 10abee9a7be4e5fa7ca14a411d76dc62a8fde49ccc6e47129be0d466c7225881
    SHA512: 03b7a36bc7a7bb5938cdc196f01fb5eb21034d58e100c4573cf5386a858760ec587eb01427f3242333c581f99a7aa2cdf795e1f1db3fefa5827c54117141979f

  • memory/2308-26-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-25-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-8-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-3-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-10-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-6-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-11-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-5-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-2-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-18-0x00007FF4FDBF0000-0x00007FF4FDDDF000-memory.dmp (Filesize: 1.9MB)
  • memory/2308-19-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-20-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-22-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-47-0x000000001F0D0000-0x000000001F180000-memory.dmp (Filesize: 704KB)
  • memory/2308-24-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-1-0x00007FFBA818D000-0x00007FFBA818E000-memory.dmp (Filesize: 4KB)
  • memory/2308-27-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-28-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-30-0x00007FFB948D0000-0x00007FFB94A1E000-memory.dmp (Filesize: 1.3MB)
  • memory/2308-29-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-0-0x0000000000400000-0x000000000081A000-memory.dmp (Filesize: 4.1MB)
  • memory/2308-37-0x000000001D520000-0x000000001D53A000-memory.dmp (Filesize: 104KB)
  • memory/2308-4-0x0000000000400000-0x0000000000768000-memory.dmp (Filesize: 3.4MB)
  • memory/2308-42-0x000000001D580000-0x000000001D59C000-memory.dmp (Filesize: 112KB)
  • memory/2308-23-0x000000001E420000-0x000000001F1B1000-memory.dmp (Filesize: 13.6MB)
  • memory/2308-52-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-62-0x0000000000400000-0x000000000081A000-memory.dmp (Filesize: 4.1MB)
  • memory/2308-63-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-64-0x000000001F020000-0x000000001F042000-memory.dmp (Filesize: 136KB)
  • memory/2308-66-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-65-0x00007FFBA818D000-0x00007FFBA818E000-memory.dmp (Filesize: 4KB)
  • memory/2308-67-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-68-0x0000000026A20000-0x0000000026A84000-memory.dmp (Filesize: 400KB)
  • memory/2308-73-0x0000000027600000-0x0000000027764000-memory.dmp (Filesize: 1.4MB)
  • memory/2308-75-0x000000001F050000-0x000000001F058000-memory.dmp (Filesize: 32KB)
  • memory/2308-74-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-77-0x000000001F070000-0x000000001F07E000-memory.dmp (Filesize: 56KB)
  • memory/2308-76-0x000000002B6F0000-0x000000002B728000-memory.dmp (Filesize: 224KB)
  • memory/2308-78-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-81-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-80-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-82-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-83-0x00007FFBA80F0000-0x00007FFBA82E5000-memory.dmp (Filesize: 2.0MB)
  • memory/2308-85-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)
  • memory/2308-87-0x0000000180000000-0x0000000181D0F000-memory.dmp (Filesize: 29.1MB)