Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17/01/2025, 18:55

General

  • Target

    RoninTweaksCLI.exe

  • Size

    20.1MB

  • MD5

    230f9e03576ff4e7a7e66e2114fe6b8e

  • SHA1

    89971565edd8fef92cfb8f0c143905136b64be32

  • SHA256

    1f4c708d803e7607540b967db81e8ffb6c3390b06935793c0f11f41e1bcfea40

  • SHA512

    fccc96b48b46c6392da69bf8a7175bc40a16ec6e96a798edab49b4fd28c35f4810cde34e1636e7bfd18ddc86d6c670bd751a4a147c3b3e572825f2fa8f90d8b8

  • SSDEEP

    393216:iTN7dtptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yT:cJtDGL7p8dai06KRq6RSH6yT

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)

    A VirtualBox guest exposes VirtualBox-specific ACPI table entries under the HARDWARE\ACPI registry hive; reading them is a standard VM-detection check. The signature fires on the read, not on what the sample did with the answer.

  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL (1 IoC)

    The process loaded a DLL that was written to disk during the run rather than one already present on the system.

  • Obfuscated with Agile.Net obfuscator (3 IoCs)

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Themida packer (13 IoCs)

    Detects Themida, an advanced Windows software protection system. Themida-protected code is normally analysed from a memory dump taken after the protector has unpacked it, not from the file on disk.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)

    ThreadHideFromDebugger stops the calling thread from delivering debug events to an attached debugger, a common anti-debugging technique.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)

    The process changed the privileges enabled in its own access token (AdjustTokenPrivileges).
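The three registry-based signatures above (the VirtualBox ACPI check, the BIOS information check and the UAC check) are each a match on a specific key or value read. The following Python is an added example of how such rules are applied to raw registry-access events; it is not the sandbox's own rule code and not code from the sample. The key paths and value names are the standard locations these checks read (the VBOX__ ACPI tables, SystemBiosVersion/VideoBiosVersion/SystemBiosDate, and EnableLUA); since the report does not print its IoC details, treating them as this sample's exact reads is an assumption, and the event tuples are constructed for the example.

```python
"""Map raw registry-access events to the report's three registry-based
signatures. Added example: key paths are the well-known locations these
checks read (assumption, the report does not list its IoCs); events are
constructed for the example, not taken from the sandbox run.
"""
import re

# (pid, operation, key, value name, data returned) -- constructed sample events.
EVENTS = [
    (2036, "RegOpenKey",    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", "", ""),
    (2036, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion", "VBOX   - 1"),
    (2036, "RegQueryValue", r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion", "Oracle VM VirtualBox VBE Adapter"),
    (2036, "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "1"),
    (2036, "RegQueryValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "ProductName", "Windows 10 Pro"),
]

# VirtualBox guests carry their OEM id in the ACPI table key names.
ACPI_VBOX = re.compile(r"HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)
BIOS_KEY = r"hklm\hardware\description\system"
BIOS_VALUES = {"systembiosversion", "videobiosversion", "systembiosdate"}
UAC_KEY = r"hklm\software\microsoft\windows\currentversion\policies\system"

# Signature name (as the report words it) -> predicate over (key, value name).
SIGNATURES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)":
        lambda key, name: ACPI_VBOX.match(key) is not None,
    "Checks BIOS information in registry":
        lambda key, name: key.lower() == BIOS_KEY and name.lower() in BIOS_VALUES,
    "Checks whether UAC is enabled":
        lambda key, name: key.lower() == UAC_KEY and name.lower() == "enablelua",
}

# Strings a VirtualBox guest returns in BIOS/ACPI data. If the sandbox hands
# these back unchanged, the sample's own string compare succeeds.
VM_MARKERS = ("vbox", "virtualbox", "innotek", "oracle vm")


def match_signatures(events):
    """Return {signature: [(pid, op, key, value name), ...]} for each rule that fires."""
    hits = {}
    for pid, op, key, name, _data in events:
        for sig, pred in SIGNATURES.items():
            if pred(key, name):
                hits.setdefault(sig, []).append((pid, op, key, name))
    return hits


def vm_evidence(events):
    """Data values handed back to the sample that expose the hypervisor by name."""
    return [data for *_, data in events
            if any(marker in data.lower() for marker in VM_MARKERS)]


if __name__ == "__main__":
    for sig, iocs in match_signatures(EVENTS).items():
        print(f"{sig}: {len(iocs)} IoC(s)")
        for ioc in iocs:
            print("   ", ioc)
    print("hypervisor strings returned:", vm_evidence(EVENTS))
```

The distinction `vm_evidence` draws matters when reading a report like this one: the signature records that the values were read, which is why the report hedges with "likely anti-VM"; whether the sample then changed behaviour depends on what the sandbox returned, which the signature does not capture.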

Processes

  • C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe (PID 2036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI.exe"
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\evb900C.tmp (1KB)
    MD5    9adc328239101235f8232b6ebb6a1d4d
    SHA1   3ba838ea75ad852caf6d76b4354d70cd4bd27efc
    SHA256 e0d0cac9520b77ea931ca2b656893adc41c96acf7d52276fa9267e96813f3426
    SHA512 09a6cc36992bfd03abcba2430676ce511489754df854a4c1ef3ff734cdd4ecbf9cda19e844b9ff1eb21ae9d65395eaa549e36ff7fe8810c67a21b439b4b207ca

  • C:\Users\Admin\AppData\Local\Temp\evb9A15.tmp (1KB)
    MD5    4fc356bb5e3a4c1783a55d3fa28d118f
    SHA1   eb48c330e792182b0753257c7f92979a70f3a13d
    SHA256 10abee9a7be4e5fa7ca14a411d76dc62a8fde49ccc6e47129be0d466c7225881
    SHA512 03b7a36bc7a7bb5938cdc196f01fb5eb21034d58e100c4573cf5386a858760ec587eb01427f3242333c581f99a7aa2cdf795e1f1db3fefa5827c54117141979f

  Memory dumps of PID 2036, sorted by dump index (address range and size as listed):

  • memory/2036-0-0x0000000000400000-0x000000000081A000-memory.dmp (4.1MB)
  • memory/2036-1-0x00007FFE1016D000-0x00007FFE1016E000-memory.dmp (4KB)
  • memory/2036-2-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-3-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-4-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-5-0x0000000000400000-0x0000000000768000-memory.dmp (3.4MB)
  • memory/2036-8-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-9-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-16-0x00007FF4FDBF0000-0x00007FF4FDDDF000-memory.dmp (1.9MB)
  • memory/2036-17-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-19-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-20-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-21-0x000000001E690000-0x000000001F421000-memory.dmp (13.6MB)
  • memory/2036-22-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-23-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-24-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-25-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-26-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-27-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-28-0x00007FFE00F30000-0x00007FFE0107E000-memory.dmp (1.3MB)
  • memory/2036-35-0x0000000003C80000-0x0000000003C9A000-memory.dmp (104KB)
  • memory/2036-40-0x00000000042E0000-0x00000000042FC000-memory.dmp (112KB)
  • memory/2036-45-0x000000001E740000-0x000000001E7F0000-memory.dmp (704KB)
  • memory/2036-50-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-60-0x0000000000400000-0x000000000081A000-memory.dmp (4.1MB)
  • memory/2036-61-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-62-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-63-0x000000001DE10000-0x000000001DE32000-memory.dmp (136KB)
  • memory/2036-64-0x00007FFE1016D000-0x00007FFE1016E000-memory.dmp (4KB)
  • memory/2036-65-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-66-0x0000000026660000-0x00000000266C4000-memory.dmp (400KB)
  • memory/2036-71-0x0000000027240000-0x00000000273A4000-memory.dmp (1.4MB)
  • memory/2036-72-0x000000001DE40000-0x000000001DE48000-memory.dmp (32KB)
  • memory/2036-73-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-74-0x0000000027190000-0x00000000271C8000-memory.dmp (224KB)
  • memory/2036-75-0x000000001DE60000-0x000000001DE6E000-memory.dmp (56KB)
  • memory/2036-76-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-77-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-78-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-80-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-81-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-82-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-83-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp (2.0MB)
  • memory/2036-85-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-87-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
  • memory/2036-89-0x0000000180000000-0x0000000181D0F000-memory.dmp (29.1MB)
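The dump names above encode the process id, a dump index and the address range, and the same few ranges are dumped many times over the run. The following Python is an added example (not the sandbox's own tooling) that parses such a listing, collapses repeated snapshots of one range, recomputes each region's size from its addresses and checks it against the listed size. It assumes the naming convention `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` and the rounding the listing appears to use (whole KB below 1 MiB, otherwise MiB to one decimal); both are inferred from this report, not documented by the sandbox. The region labels are address-based heuristics, and the embedded input is a handful of entries copied from the listing.

```python
"""Parse a sandbox memory-dump listing, dedupe repeated ranges and check sizes.

Added example. The name format and the size rounding are inferred from the
report (assumption); region labels are heuristics based only on the base
address, not on anything the report states about the regions' contents.
"""
import re
from collections import defaultdict

# Constructed input: entries copied from the listing, followed by the size
# the report shows for each of them.
LISTING = """
memory/2036-0-0x0000000000400000-0x000000000081A000-memory.dmp 4.1MB
memory/2036-1-0x00007FFE1016D000-0x00007FFE1016E000-memory.dmp 4KB
memory/2036-2-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp 2.0MB
memory/2036-3-0x00007FFE100D0000-0x00007FFE102C5000-memory.dmp 2.0MB
memory/2036-5-0x0000000000400000-0x0000000000768000-memory.dmp 3.4MB
memory/2036-9-0x0000000180000000-0x0000000181D0F000-memory.dmp 29.1MB
memory/2036-16-0x00007FF4FDBF0000-0x00007FF4FDDDF000-memory.dmp 1.9MB
memory/2036-21-0x000000001E690000-0x000000001F421000-memory.dmp 13.6MB
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<size>[\d.]+)(?P<unit>KB|MB)"
)


def format_size(nbytes):
    """Reproduce the listing's rounding: whole KB below 1 MiB, else MiB to one decimal."""
    if nbytes < 1024 ** 2:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / 1024 ** 2:.1f}MB"


def parse_listing(text):
    """One record per dump line; 'consistent' is True when end-start matches the listed size."""
    records = []
    for line in text.splitlines():
        m = DUMP_RE.search(line)
        if not m:
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        listed = m["size"] + m["unit"]
        records.append({
            "pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start,
            "listed": listed,
            "consistent": format_size(end - start) == listed,
        })
    return records


def region_map(records):
    """Collapse repeated snapshots of the same range: (start, end) -> sorted dump indices."""
    regions = defaultdict(list)
    for r in records:
        regions[(r["start"], r["end"])].append(r["idx"])
    return {k: sorted(v) for k, v in regions.items()}


def label_region(start):
    """Heuristic label from the base address alone (assumption, not from the report)."""
    if start == 0x400000:
        return "image at the classic EXE default base"
    if start == 0x180000000:
        return "image at the x64 default DLL base"
    if start >= 0x7FF000000000:
        return "high user-space range (x64 system DLLs and ASLR'd images)"
    return "heap or private allocation"


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for (s, e), idxs in sorted(region_map(recs).items()):
        print(f"0x{s:X}-0x{e:X} {format_size(e - s):>7}  dumps {idxs}  {label_region(s)}")
    print("size mismatches:", [r["idx"] for r in recs if not r["consistent"]])
```

Run against the full listing, the region map shows what the flat list hides: the 0x400000 image is dumped with two different end addresses (0x81A000 at dumps 0 and 60, 0x768000 at dump 5), so its mapped size changes between snapshots, while the 29.1MB region at 0x180000000 and the 2.0MB region at 0x7FFE100D0000 are the same range captured repeatedly.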