Analysis Overview
SHA256
d11d8b30372496a9cbc9b279e5195e5c1b04bf01b8da38473374b3f5c197931e
Threat Level: Likely malicious
The file RoninTweaksCLI.zip was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Obfuscated with Agile.Net obfuscator
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-18 04:31
Signatures
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-18 04:31
Reported
2025-01-18 04:34
Platform
win10ltsc2021-20250113-en
Max time kernel
141s
Max time network
125s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(3 matches in total; the sandbox recorded no description, indicator, process or target for any of them)
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(19 matches in total; the sandbox recorded no description, indicator, process or target for any of them)
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe | N/A |
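The registry indicators above (the VBOX__ ACPI table, the BIOS and CPU strings, EnableLUA) are individually unremarkable; what makes them a signal is that one process touches all of them in quick succession. The following is an added example, not code from the sandbox or from the analysed sample, showing how to recover that pattern from per-process registry event logs. The log line format (timestamp, pid, image, operation, key, pipe-separated) and the sample lines are constructed assumptions; the key paths are the ones reported above.

```python
"""Flag anti-analysis registry probes in per-process registry event logs.

Added example; this is not code from the sandbox or from the analysed sample.
The log format is an assumption: one event per line, pipe-separated as
    <timestamp> | <pid> | <process image> | <operation> | <key path>
which is roughly what Sysmon Event ID 12/13 or a Procmon CSV export flattens to.
"""
from collections import defaultdict

# Key paths the report shows RoninTweaksCLI.exe touching, grouped by what each
# probe tells an analyst. Compared case-insensitively as prefixes of the
# normalized key path.
PROBE_RULES = {
    "anti-vm: VirtualBox ACPI table (DSDT\\VBOX__)": [
        "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    ],
    "fingerprint: BIOS version strings": [
        "HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
        "HKLM\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
    ],
    "fingerprint: CPU identity": [
        "HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0",
    ],
    "privilege check: UAC enabled (EnableLUA)": [
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
    ],
}

# Kernel-object and Win32 spellings of the same hive, all folded to HKLM\.
HIVE_ALIASES = ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\", "HKLM\\")


def normalize_key(path):
    """Return the key path as HKLM\\... with the tail upper-cased for comparison."""
    p = path.strip()
    for alias in HIVE_ALIASES:
        if p.upper().startswith(alias):
            return "HKLM\\" + p[len(alias):].upper()
    return p.upper()


def classify_events(lines):
    """Map pid -> {probe category -> set of (operation, normalized key)}."""
    findings = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = [field.strip() for field in line.split("|")]
        if len(parts) != 5:
            continue  # malformed line: skip rather than guess at the fields
        _ts, pid, _image, op, key = parts
        norm = normalize_key(key)
        for category, prefixes in PROBE_RULES.items():
            if any(norm.startswith(p.upper()) for p in prefixes):
                findings[pid][category].add((op, norm))
    return findings


def verdict(categories):
    """A VM check combined with hardware fingerprinting is the shape of an
    anti-analysis stub; a single lookup on its own is ordinary system profiling."""
    has_vm_check = any(c.startswith("anti-vm") for c in categories)
    return "anti-analysis" if has_vm_check and len(categories) >= 2 else "benign-looking"


IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RoninTweaksCLI\\RoninTweaksCLI.exe"
SAMPLE_LOG = [  # constructed lines mirroring the indicators in the report above
    f"2025-01-18 04:32:01 | 644 | {IMAGE} | RegOpenKey | \\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\DSDT\\VBOX__",
    f"2025-01-18 04:32:01 | 644 | {IMAGE} | RegQueryValue | \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion",
    f"2025-01-18 04:32:01 | 644 | {IMAGE} | RegQueryValue | \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion",
    f"2025-01-18 04:32:02 | 644 | {IMAGE} | RegQueryValue | \\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
    f"2025-01-18 04:32:02 | 644 | {IMAGE} | RegQueryValue | \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
    "2025-01-18 04:32:05 | 1400 | C:\\Windows\\explorer.exe | RegQueryValue | HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
    "2025-01-18 04:32:06 | 2108 | C:\\Windows\\System32\\svchost.exe | RegQueryValue | HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString",
]

if __name__ == "__main__":
    for pid, categories in classify_events(SAMPLE_LOG).items():
        print(f"pid {pid}: {verdict(categories)}")
        for category in sorted(categories):
            print(f"  {category}")
```

The normalization step matters in practice: kernel-side tooling reports \REGISTRY\MACHINE\... while Win32-level tooling reports HKLM\..., and a rule written against only one spelling silently misses half the events. The verdict threshold is deliberately simple; in a real detection pipeline the categories would feed a score alongside the SeDebugPrivilege adjustment and the NtSetInformationThread hide-from-debugger call the report also lists, since hardware profiling alone is common in legitimate tweak and benchmark utilities.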
Processes
C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe
"C:\Users\Admin\AppData\Local\Temp\RoninTweaksCLI\RoninTweaksCLI.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.245.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ronintweaks.com | udp |
| US | 104.21.91.182:443 | ronintweaks.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.200.35:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 182.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 104.21.91.182:443 | ronintweaks.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
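Most rows in the Network table are reverse (PTR) lookups, and a PTR name encodes its address with the octets reversed, so 182.91.21.104.in-addr.arpa is a lookup for 104.21.91.182, the address the sample connected to for ronintweaks.com. The following is an added example, not code from the sandbox, that parses the table above (copied inline as constructed input), decodes each PTR name and checks whether the sample actually connected to that address. The parser assumes the four-column pipe layout shown on this page.

```python
"""Correlate the report's DNS rows with its connection rows.

Added example; not code from the sandbox. It parses the Network table above
(copied inline as constructed input), turns each in-addr.arpa PTR query back
into the IPv4 address it asks about, and shows which of those addresses the
sample actually connected to. A PTR query whose address never appears as a
connection in this table is more likely host or resolver background traffic
than sample activity, though the table alone cannot settle that.
"""
import ipaddress

NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.245.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ronintweaks.com | udp |
| US | 104.21.91.182:443 | ronintweaks.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.35:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.200.35:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 182.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 104.21.91.182:443 | ronintweaks.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
"""


def parse_rows(table):
    """Parse the pipe-delimited table into dicts; skips the header and blank lines."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'182.91.21.104.in-addr.arpa' -> '104.21.91.182'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def is_dns(row):
    return row["proto"] == "udp" and row["port"] == 53


def correlate(rows):
    """Split DNS names into forward and PTR lookups, then bucket each PTR
    address as: connected to by the sample, the resolver itself, or neither."""
    resolvers = {r["ip"] for r in rows if is_dns(r)}
    contacted = {}  # non-DNS destination ip -> domains the rows attribute to it
    for r in rows:
        if not is_dns(r):
            contacted.setdefault(r["ip"], set()).add(r["domain"])
    forward, matched, resolver_self, unmatched = set(), {}, set(), set()
    for r in filter(is_dns, rows):
        ip = ptr_to_ip(r["domain"])
        if ip is None:
            forward.add(r["domain"])
        elif ip in contacted:
            matched[ip] = sorted(contacted[ip])
        elif ip in resolvers:
            resolver_self.add(ip)
        else:
            unmatched.add(ip)
    return {"forward_lookups": sorted(forward),
            "ptr_matched": matched,
            "ptr_resolver": sorted(resolver_self, key=ipaddress.IPv4Address),
            "ptr_unmatched": sorted(unmatched, key=ipaddress.IPv4Address)}


if __name__ == "__main__":
    result = correlate(parse_rows(NETWORK_TABLE))
    for bucket, value in result.items():
        print(f"{bucket}: {value}")
```

Run against the table, the sample's own traffic reduces to two endpoints: ronintweaks.com on 104.21.91.182:443 and the c.pki.goog/o.pki.goog certificate-infrastructure hosts on 142.250.200.35:80, which is the pattern of a TLS connection plus the CRL/OCSP fetches Windows performs to validate the server's certificate chain. Six PTR lookups resolve to addresses the report never shows a connection to; this table does not say what they are, and they should be checked against a clean-VM baseline before being attributed to the sample.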
Files
memory/644-0-0x0000000000400000-0x000000000081A000-memory.dmp
memory/644-1-0x00007FFC5C6ED000-0x00007FFC5C6EE000-memory.dmp
memory/644-6-0x0000000000400000-0x0000000000768000-memory.dmp
memory/644-5-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-7-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-4-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-3-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-2-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-10-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-12-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evb6AFF.tmp
| MD5 | 9adc328239101235f8232b6ebb6a1d4d |
| SHA1 | 3ba838ea75ad852caf6d76b4354d70cd4bd27efc |
| SHA256 | e0d0cac9520b77ea931ca2b656893adc41c96acf7d52276fa9267e96813f3426 |
| SHA512 | 09a6cc36992bfd03abcba2430676ce511489754df854a4c1ef3ff734cdd4ecbf9cda19e844b9ff1eb21ae9d65395eaa549e36ff7fe8810c67a21b439b4b207ca |
memory/644-11-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-19-0x00007FF4FDBF0000-0x00007FF4FDDE0000-memory.dmp
memory/644-20-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-21-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-23-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-24-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-25-0x000000001E590000-0x000000001F321000-memory.dmp
memory/644-26-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-27-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-28-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-29-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-30-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-31-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-32-0x00007FFC3C810000-0x00007FFC3C95F000-memory.dmp
memory/644-39-0x0000000004010000-0x000000000402A000-memory.dmp
memory/644-44-0x000000001D540000-0x000000001D55C000-memory.dmp
memory/644-49-0x000000001F140000-0x000000001F1F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evb74EA.tmp
| MD5 | 4fc356bb5e3a4c1783a55d3fa28d118f |
| SHA1 | eb48c330e792182b0753257c7f92979a70f3a13d |
| SHA256 | 10abee9a7be4e5fa7ca14a411d76dc62a8fde49ccc6e47129be0d466c7225881 |
| SHA512 | 03b7a36bc7a7bb5938cdc196f01fb5eb21034d58e100c4573cf5386a858760ec587eb01427f3242333c581f99a7aa2cdf795e1f1db3fefa5827c54117141979f |
memory/644-54-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-64-0x0000000000400000-0x000000000081A000-memory.dmp
memory/644-65-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-66-0x000000001D560000-0x000000001D582000-memory.dmp
memory/644-68-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-67-0x00007FFC5C6ED000-0x00007FFC5C6EE000-memory.dmp
memory/644-69-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-70-0x0000000026F40000-0x0000000026FA4000-memory.dmp
memory/644-75-0x0000000027B20000-0x0000000027C84000-memory.dmp
memory/644-76-0x000000001DD40000-0x000000001DD48000-memory.dmp
memory/644-78-0x000000001DD60000-0x000000001DD6E000-memory.dmp
memory/644-77-0x0000000027A90000-0x0000000027AC8000-memory.dmp
memory/644-79-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-80-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-81-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-84-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-83-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-85-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-86-0x00007FFC5C650000-0x00007FFC5C848000-memory.dmp
memory/644-88-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-90-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-92-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-94-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-98-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-100-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-103-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-111-0x0000000180000000-0x0000000181D0F000-memory.dmp
memory/644-113-0x0000000180000000-0x0000000181D0F000-memory.dmp