22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e

Analysis

max time kernel
129s
max time network
126s
platform
windows7_x64
resource
win7v200217
submitted
10-03-2020 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inte.exe
Size

56KB
MD5

1ea2c756a0f0528d2e80ab204aa9de0b
SHA1

44177c8b4959a3b84ae65a5ea724a8e409b3dec1
SHA256

6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651
SHA512

ecaa88ae3a0b51ba9320870a6b7172a3f02c466571d79f7536ee3b557da14f0b268be39cc3fbeadae79f3de33d816a59737efdc7ce11d322d4891c82421d1de5

Score

8^/10

persistence

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vmware-vmx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vmware-vmx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vmware-vmx.exe

Drops file in System32 directory 2 IoCs

Processes:

Inte.exe

description ioc process

File created C:\Windows\SysWOW64\vmware-vmx.exe Inte.exe
File opened for modification C:\Windows\SysWOW64\vmware-vmx.exe Inte.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vmware-vmx.exe	Inte.exe
File opened for modification	C:\Windows\SysWOW64\vmware-vmx.exe	Inte.exe

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Inte.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Windows Test My Test 1.0\Description = "This is Windows Test My Test Server 1.0"	Inte.exe

Executes dropped EXE 1 IoCs

Processes:

vmware-vmx.exe

pid process

1864 vmware-vmx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Inte.exe

description pid process

Token: SeIncBasePriorityPrivilege 1856 Inte.exe

pid	process
1864	vmware-vmx.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1856	Inte.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Inte.exe

description	pid	process	target process
PID 1856 wrote to memory of 1892	1856	Inte.exe	cmd.exe
PID 1856 wrote to memory of 1892	1856	Inte.exe	cmd.exe
PID 1856 wrote to memory of 1892	1856	Inte.exe	cmd.exe
PID 1856 wrote to memory of 1892	1856	Inte.exe	cmd.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1892 cmd.exe

pid	process
1892	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Inte.exe
"C:\Users\Admin\AppData\Local\Temp\Inte.exe"
1⤵
- Drops file in System32 directory
- Modifies service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Inte.exe > nul
2⤵
- Deletes itself
PID:1892

C:\Windows\SysWOW64\vmware-vmx.exe
C:\Windows\SysWOW64\vmware-vmx.exe
1⤵
- Checks processor information in registry
- Executes dropped EXE
PID:1864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vmware-vmx.exe

Download Submit