Analysis
-
max time kernel
141s -
max time network
125s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
18/01/2025, 04:31
General
-
Target
RoninTweaksCLI/RoninTweaksCLI.exe
-
Size
20.1MB
-
MD5
230f9e03576ff4e7a7e66e2114fe6b8e
-
SHA1
89971565edd8fef92cfb8f0c143905136b64be32
-
SHA256
1f4c708d803e7607540b967db81e8ffb6c3390b06935793c0f11f41e1bcfea40
-
SHA512
fccc96b48b46c6392da69bf8a7175bc40a16ec6e96a798edab49b4fd28c35f4810cde34e1636e7bfd18ddc86d6c670bd751a4a147c3b3e572825f2fa8f90d8b8
-
SSDEEP
393216:iTN7dtptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6yT:cJtDGL7p8dai06KRq6RSH6yT
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ RoninTweaksCLI.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RoninTweaksCLI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RoninTweaksCLI.exe -
Loads dropped DLL 1 IoCs
pid Process 644 RoninTweaksCLI.exe -
Obfuscated with Agile.Net obfuscator 3 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/644-0-0x0000000000400000-0x000000000081A000-memory.dmp agile_net behavioral1/memory/644-6-0x0000000000400000-0x0000000000768000-memory.dmp agile_net behavioral1/memory/644-64-0x0000000000400000-0x000000000081A000-memory.dmp agile_net -
resource yara_rule behavioral1/memory/644-11-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-25-0x000000001E590000-0x000000001F321000-memory.dmp themida behavioral1/memory/644-26-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-27-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-28-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-29-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-30-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-31-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-69-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-83-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-88-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-90-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-92-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-94-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-98-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-100-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-103-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-111-0x0000000180000000-0x0000000181D0F000-memory.dmp themida behavioral1/memory/644-113-0x0000000180000000-0x0000000181D0F000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RoninTweaksCLI.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 644 RoninTweaksCLI.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RoninTweaksCLI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RoninTweaksCLI.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe 644 RoninTweaksCLI.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 644 RoninTweaksCLI.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe"C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:4276
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD59adc328239101235f8232b6ebb6a1d4d
SHA13ba838ea75ad852caf6d76b4354d70cd4bd27efc
SHA256e0d0cac9520b77ea931ca2b656893adc41c96acf7d52276fa9267e96813f3426
SHA51209a6cc36992bfd03abcba2430676ce511489754df854a4c1ef3ff734cdd4ecbf9cda19e844b9ff1eb21ae9d65395eaa549e36ff7fe8810c67a21b439b4b207ca
-
Filesize
1KB
MD54fc356bb5e3a4c1783a55d3fa28d118f
SHA1eb48c330e792182b0753257c7f92979a70f3a13d
SHA25610abee9a7be4e5fa7ca14a411d76dc62a8fde49ccc6e47129be0d466c7225881
SHA51203b7a36bc7a7bb5938cdc196f01fb5eb21034d58e100c4573cf5386a858760ec587eb01427f3242333c581f99a7aa2cdf795e1f1db3fefa5827c54117141979f