e60131e245aac591c455594f208de438d18da96de8cd08c4990c973c7956c38f

Analysis

max time kernel
135s
max time network
50s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 17:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PAK452431.exe
Size

661KB
MD5

1bbfcc115bf97ec1d010b3b9f1ad34b9
SHA1

2e405d2142fb937bb8fcb3c71aa6f192e863d40c
SHA256

e60131e245aac591c455594f208de438d18da96de8cd08c4990c973c7956c38f
SHA512

7f69595b050cdb5f5f93078c0a843cbe3d7b8ff5af2be90b5927ff0098ea5bd86cf5948d3ac05ad4c8a6a23c69db3c9e4c352621fb48afb26b875bb73c63b513

Score

9^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	PAK452431.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	PAK452431.exe
3004	PAK452431.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	PAK452431.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	PAK452431.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	PAK452431.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	PAK452431.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	PAK452431.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	PAK452431.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73
PID 2804 wrote to memory of 3004	2804	PAK452431.exe	73

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 3004	2804	PAK452431.exe	73

C:\Users\Admin\AppData\Local\Temp\PAK452431.exe
"C:\Users\Admin\AppData\Local\Temp\PAK452431.exe"
1⤵
- Maps connected drives based on registry
- Checks BIOS information in registry
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:2804
- C:\Users\Admin\AppData\Local\Temp\PAK452431.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  PID:3004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3004-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download