22503a27c8bd1299e67f484b0c750276323d5a97b9dd45e1da7a935fe377ec1e

Analysis

max time kernel
151s
max time network
153s
platform
windows10_x64
resource
win10v200217
submitted
10-03-2020 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inte.exe
Size

56KB
MD5

1ea2c756a0f0528d2e80ab204aa9de0b
SHA1

44177c8b4959a3b84ae65a5ea724a8e409b3dec1
SHA256

6d77d544364cdfaebd7252d14091653c903d0a11c34bddad60f5951da257a651
SHA512

ecaa88ae3a0b51ba9320870a6b7172a3f02c466571d79f7536ee3b557da14f0b268be39cc3fbeadae79f3de33d816a59737efdc7ce11d322d4891c82421d1de5

Score

8^/10

persistence

Malware Config

Signatures

Modifies service 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

Inte.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows Test My Test 1.0\Description = "This is Windows Test My Test Server 1.0"	Inte.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vmware-vmx.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vmware-vmx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vmware-vmx.exe

Executes dropped EXE 1 IoCs

Processes:

vmware-vmx.exe

pid process

3668 vmware-vmx.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Inte.exe

description pid process

Token: SeIncBasePriorityPrivilege 3560 Inte.exe

pid	process
3668	vmware-vmx.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3560	Inte.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Inte.exe

description	pid	process	target process
PID 3560 wrote to memory of 3076	3560	Inte.exe	cmd.exe
PID 3560 wrote to memory of 3076	3560	Inte.exe	cmd.exe
PID 3560 wrote to memory of 3076	3560	Inte.exe	cmd.exe

Drops file in System32 directory 2 IoCs

Processes:

Inte.exe

description ioc process

File created C:\Windows\SysWOW64\vmware-vmx.exe Inte.exe
File opened for modification C:\Windows\SysWOW64\vmware-vmx.exe Inte.exe

description	ioc	process
File created	C:\Windows\SysWOW64\vmware-vmx.exe	Inte.exe
File opened for modification	C:\Windows\SysWOW64\vmware-vmx.exe	Inte.exe

C:\Users\Admin\AppData\Local\Temp\Inte.exe
"C:\Users\Admin\AppData\Local\Temp\Inte.exe"
1⤵
- Modifies service
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Drops file in System32 directory
PID:3560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\Inte.exe > nul
2⤵
PID:3076

C:\Windows\SysWOW64\vmware-vmx.exe
C:\Windows\SysWOW64\vmware-vmx.exe
1⤵
- Checks processor information in registry
- Executes dropped EXE
PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\vmware-vmx.exe

Download Submit
C:\Windows\SysWOW64\vmware-vmx.exe

Download Submit