Analysis
max time kernel: 108s
max time network: 131s
platform: windows10_x64
resource: win10v200430
submitted: 09-07-2020 13:44

Static task: static1
Behavioral task: behavioral1
  Sample: PO.PAK220050019.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: PO.PAK220050019.exe
  Resource: win10v200430

General
Target: PO.PAK220050019.exe
Size: 572KB
MD5: 28ee824cd3b33dbf89e42445185c94b8
SHA1: 805b78c882e54850e18b2a205a86e32019bc1e7f
SHA256: 3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
SHA512: 2ba75b1cb687c00944e6ef08f32c9942c495647a811980933180f2f201bd16d1a1e19d17fe04c4d2055560d9db1450d365a82c470237a63002648cfceb6fc02f
Malware Config
Signatures
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Process: PO.PAK220050019.exe
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum

Suspicious use of WriteProcessMemory (8 IoCs)
Process: PO.PAK220050019.exe
  8 x PID 2416 wrote to memory of PID 2308 (PO.PAK220050019.exe -> PO.PAK220050019.exe)

Suspicious use of SetThreadContext (1 IoCs)
Process: PO.PAK220050019.exe
  PID 2416 set thread context of PID 2308 (PO.PAK220050019.exe -> PO.PAK220050019.exe)
Repeated WriteProcessMemory calls into a child spawned from the parent's own image, followed by a single SetThreadContext on that child, is the classic process-hollowing (RunPE) sequence; the payload then runs inside PID 2308, which is where the remaining behaviour is observed.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Process: PO.PAK220050019.exe
  Token: SeDebugPrivilege, PID 2308

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: PO.PAK220050019.exe
  PID 2308 (2 events)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Process: PO.PAK220050019.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoCs)
Process: PO.PAK220050019.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions

Looks for VMWare Tools registry key (2 TTPs, 1 IoCs)
Process: PO.PAK220050019.exe
  Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools
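The five registry reads above are the whole of this sample's sandbox-detection logic as the report records it. The following script is an added example (not code from the sample or the sandbox) that replays those exact paths against a constructed registry snapshot, so an analyst can check which artifacts their own VM would expose before re-running the sample. The report does not say which strings the sample compares the values against; the vendor markers below are an assumption based on common anti-VM practice, and the two snapshots are constructed, not captured.

```python
"""Added example: replay the registry reads the sandbox attributes to
PO.PAK220050019.exe against a constructed registry snapshot, so an analyst can
see which artifacts a VM would expose. Runs on any OS; it never touches a live
registry."""
from typing import Dict, List, Optional, Sequence, Set, Union

# Registry paths exactly as listed in the report's signatures.
DISK_ENUM_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"
SYSTEM_BIOS_VALUE = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS_VALUE = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
VBOX_GA_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"
VMWARE_TOOLS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"

# ASSUMPTION: the report does not say which strings the sample compares the
# values against; these are the vendor markers anti-VM code usually looks for.
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu")

RegValue = Union[str, Sequence[str]]  # REG_SZ or REG_MULTI_SZ data


def _marker_in(value: Optional[RegValue]) -> Optional[str]:
    """Return the first VM marker found in a REG_SZ / REG_MULTI_SZ value, else None."""
    if value is None:
        return None
    parts = [value] if isinstance(value, str) else list(value)
    text = " ".join(parts).lower()
    for marker in VM_MARKERS:
        if marker in text:
            return marker
    return None


def vm_artifacts(values: Dict[str, RegValue], keys: Set[str]) -> List[str]:
    """values: full value path -> data; keys: set of key paths that exist.
    Returns the artifacts, in the order the report lists them, that would
    reveal a virtual machine to code performing these five checks."""
    hits: List[str] = []
    if _marker_in(values.get(DISK_ENUM_KEY + r"\0")):
        hits.append("Disk\\Enum\\0")
    if _marker_in(values.get(SYSTEM_BIOS_VALUE)):
        hits.append("SystemBiosVersion")
    if _marker_in(values.get(VIDEO_BIOS_VALUE)):
        hits.append("VideoBiosVersion")
    if VBOX_GA_KEY in keys:          # the sample only opens the key; existence is the tell
        hits.append("VirtualBox Guest Additions key")
    if VMWARE_TOOLS_KEY in keys:
        hits.append("VMware Tools key")
    return hits


# Constructed snapshots (not captured from the sandbox in the report).
VBOX_GUEST_VALUES: Dict[str, RegValue] = {
    DISK_ENUM_KEY + r"\0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&1a2b3c4d&0&0.0.0",
    SYSTEM_BIOS_VALUE: ["VBOX   - 1"],
    VIDEO_BIOS_VALUE: ["Oracle VM VirtualBox Version 6.1.12 VBE Adapter"],
}
VBOX_GUEST_KEYS = {VBOX_GA_KEY}

BARE_METAL_VALUES: Dict[str, RegValue] = {
    DISK_ENUM_KEY + r"\0": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_970\4&5e6f7a8b&0&000000",
    SYSTEM_BIOS_VALUE: ["1.0.12"],
    VIDEO_BIOS_VALUE: ["Hardware Version 0.0"],
}
BARE_METAL_KEYS: Set[str] = set()

if __name__ == "__main__":
    print("VirtualBox guest:", vm_artifacts(VBOX_GUEST_VALUES, VBOX_GUEST_KEYS))
    print("Bare metal:      ", vm_artifacts(BARE_METAL_VALUES, BARE_METAL_KEYS))
```

Every entry returned for your snapshot is a value or key to rename or remove on the analysis VM (or to spoof at the hypervisor level) if you want the sample to proceed past its environment checks.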
Processes
1. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe"
   PID: 2416
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Checks BIOS information in registry
   - Looks for VirtualBox Guest Additions in registry
   - Looks for VMWare Tools registry key
   2. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe (child of PID 2416)
      Command line: "{path}"
      PID: 2308
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
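The process tree splits the behaviour cleanly: the parent (PID 2416) does the environment checks and the injection, the child (PID 2308) does everything after. As an added example (not code from the report or the sandbox), the script below pulls the WriteProcessMemory, SetThreadContext and AdjustPrivilegeToken events out of the report's own event lines and flags the (parent, child) pair that received both a write and a context reset, which is the process-hollowing pattern. The event text is copied from the report; the regular expressions and the "same image" heuristic are this example's own.

```python
"""Added example: extract the WriteProcessMemory / SetThreadContext /
AdjustPrivilegeToken events from the report text and flag the process-hollowing
(RunPE) pattern: a parent writes into a child spawned from its own image, then
resets that child's thread context."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Event lines as the report prints them: action, source PID, target PID,
# source PID again, source image, target image. The eight writes are verbatim.
REPORT_EVENTS = "\n".join(
    ["PID 2416 wrote to memory of 2308 2416 PO.PAK220050019.exe PO.PAK220050019.exe"] * 8
    + ["PID 2416 set thread context of 2308 2416 PO.PAK220050019.exe PO.PAK220050019.exe",
       "Token: SeDebugPrivilege 2308 PO.PAK220050019.exe"]
)

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")

Pair = Tuple[int, int]  # (source PID, target PID)


def find_hollowing(events: str) -> List[Dict[str, object]]:
    """Return one finding per (parent, child) pair that received both
    WriteProcessMemory and SetThreadContext events. A pair with only one of
    the two (a debugger attach, for instance) is not reported."""
    writes: Counter = Counter()                    # pair -> number of writes
    context: Set[Pair] = set()                     # pairs with a context reset
    images: Dict[Pair, Tuple[str, str]] = {}       # pair -> (src image, dst image)
    privileges: Dict[int, Set[str]] = defaultdict(set)  # PID -> privileges requested

    for line in events.splitlines():
        if (m := WRITE_RE.search(line)):
            pair = (int(m[1]), int(m[2]))
            writes[pair] += 1
            images[pair] = (m[3], m[4])
        elif (m := CONTEXT_RE.search(line)):
            pair = (int(m[1]), int(m[2]))
            context.add(pair)
            images[pair] = (m[3], m[4])
        elif (m := TOKEN_RE.search(line)):
            privileges[int(m[2])].add(m[1])

    findings: List[Dict[str, object]] = []
    for pair in sorted(context):
        if writes[pair] == 0:          # context reset without a prior write: not hollowing
            continue
        src_image, dst_image = images[pair]
        findings.append({
            "parent": pair[0],
            "child": pair[1],
            "writes": writes[pair],
            # Heuristic: a child launched from the parent's own image is the
            # usual RunPE target, so this raises confidence.
            "same_image": src_image == dst_image,
            "child_privileges": sorted(privileges[pair[1]]),
            "verdict": "probable process hollowing (RunPE)",
        })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(REPORT_EVENTS):
        print(finding)
```

For this report the single finding is parent 2416 writing eight times into child 2308, resetting its context, with the child then requesting SeDebugPrivilege. When triaging, that child PID is the one to dump: the on-disk PO.PAK220050019.exe is the loader, and the unpacked payload only exists in 2308's memory.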