Analysis
max time kernel: 86s
max time network: 94s
platform: windows7_x64
resource: win7
submitted: 09-07-2020 13:44
Static task: static1
Behavioral task: behavioral1 | Sample: PO.PAK220050019.exe | Resource: win7
Behavioral task: behavioral2 | Sample: PO.PAK220050019.exe | Resource: win10v200430
General
Target: PO.PAK220050019.exe
Size: 572KB
MD5: 28ee824cd3b33dbf89e42445185c94b8
SHA1: 805b78c882e54850e18b2a205a86e32019bc1e7f
SHA256: 3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
SHA512: 2ba75b1cb687c00944e6ef08f32c9942c495647a811980933180f2f201bd16d1a1e19d17fe04c4d2055560d9db1450d365a82c470237a63002648cfceb6fc02f
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 1692  process PO.PAK220050019.exe
  pid 1692  process PO.PAK220050019.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions
  process: PO.PAK220050019.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools
  process: PO.PAK220050019.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  process: PO.PAK220050019.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  process: PO.PAK220050019.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  process: PO.PAK220050019.exe

  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  process: PO.PAK220050019.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (the following entry was recorded 9 times):
  description: PID 896 wrote to memory of 1692
  pid: 896  process: PO.PAK220050019.exe
  target process: PO.PAK220050019.exe
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 896 set thread context of 1692
  pid: 896  process: PO.PAK220050019.exe
  target process: PO.PAK220050019.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 1692  process: PO.PAK220050019.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe"
   PID: 896
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   - Maps connected drives based on registry
   - Checks BIOS information in registry
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe (nested under PID 896)
      command line: "{path}"
      PID: 1692
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken