Analysis
  max time kernel    61s
  max time network   53s
  platform           windows7_x64
  resource           win7v200430
  submitted          09-07-2020 13:43

  Static task       static1
  Behavioral task   behavioral1   Sample: PO.PAK220050019.exe   Resource: win7v200430
  Behavioral task   behavioral2   Sample: PO.PAK220050019.exe   Resource: win10

  The signatures and process tree below are from the windows7_x64 / win7v200430 run.
General
  Target   PO.PAK220050019.exe
  Size     572KB
  MD5      28ee824cd3b33dbf89e42445185c94b8
  SHA1     805b78c882e54850e18b2a205a86e32019bc1e7f
  SHA256   3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
  SHA512   2ba75b1cb687c00944e6ef08f32c9942c495647a811980933180f2f201bd16d1a1e19d17fe04c4d2055560d9db1450d365a82c470237a63002648cfceb6fc02f
Malware Config
Signatures
-
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments. On a virtual machine the device IDs enumerated under Disk\Enum embed the hypervisor vendor string (for example VBOX or VMware), which is what such checks look for.
Processes:
  PO.PAK220050019.exe
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments. On a virtual machine the system and video BIOS version strings typically name the hypervisor (for example VBOX or VMware), so a sample that reads both values is usually comparing them against such vendor strings.
Processes:
  PO.PAK220050019.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Suspicious use of WriteProcessMemory (9 IoCs)
The parent, PID 1388, writes into a second instance of its own image, PID 1856, and then sets that process's thread context (next signature). Together with the child being the process that later enables SeDebugPrivilege and enumerates processes, this sequence is consistent with process hollowing: the parent acts as the loader and the child runs the injected code. The report itself only records the API usage; the hollowing interpretation is an analyst inference.
Processes:
  PO.PAK220050019.exe
    PID 1388 wrote to memory of 1856   (PO.PAK220050019.exe -> PO.PAK220050019.exe), 9 identical events
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PO.PAK220050019.exe
    PID 1388 set thread context of 1856   (PO.PAK220050019.exe -> PO.PAK220050019.exe)
Suspicious use of AdjustPrivilegeToken (1 IoC)
SeDebugPrivilege lets the holder open handles to processes owned by other users, including SYSTEM. Note that it is enabled in the child PID 1856, the process that received the injected code, not in the parent.
Processes:
  PO.PAK220050019.exe
    Token: SeDebugPrivilege   PID 1856
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PO.PAK220050019.exe
    PID 1856   (2 events)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
This key exists only when VirtualBox Guest Additions are installed in the guest, so its presence is a direct VM tell. The Wow6432Node path shows the sample running as a 32-bit process under WOW64 on the x64 platform; the key it asked for is HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions.
Processes:
  PO.PAK220050019.exe
    Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
The same check for VMware: the key exists only when VMware Tools is installed in the guest.
Processes:
  PO.PAK220050019.exe
    Key opened   \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools
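The two kinds of evidence in the signatures above, the registry reads used for VM detection and the WriteProcessMemory/SetThreadContext pair from PID 1388 into PID 1856, can be extracted from the IoC lines programmatically. The following Python is an added example and is not part of the sandbox's report or tooling. It parses constructed copies of the IoC lines shown above (one event per line, the nine identical WriteProcessMemory events reproduced as nine lines), flags the registry keys that only make sense as VM/sandbox tells, and groups write/context events into per-pair injection chains. The key-to-reason table, the event field names and the regexes are the example's own assumptions about the line format.

```python
"""Structured view of sandbox IoC lines: anti-VM registry reads and
cross-process injection chains (added example, not report tooling)."""
import re

# Constructed sample input: the IoC lines from the signatures above, one event per line.
SAMPLE_IOCS = "\n".join(
    [
        r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum PO.PAK220050019.exe",
        r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 PO.PAK220050019.exe",
        r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion PO.PAK220050019.exe",
        r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion PO.PAK220050019.exe",
        r"Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions PO.PAK220050019.exe",
        r"Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools PO.PAK220050019.exe",
    ]
    + ["PID 1388 wrote to memory of 1856 1388 PO.PAK220050019.exe PO.PAK220050019.exe"] * 9
    + [
        "PID 1388 set thread context of 1856 1388 PO.PAK220050019.exe PO.PAK220050019.exe",
        "Token: SeDebugPrivilege 1856 PO.PAK220050019.exe",
    ]
)

# Registry locations that are read as VM/sandbox tells, matched case-insensitively
# as substrings of the full key path (assumed table, not from the report).
ANTI_VM_KEYS = {
    r"services\disk\enum": "disk device IDs embed the hypervisor vendor string (VBOX, VMware)",
    r"system\systembiosversion": "system BIOS string names the hypervisor on a VM",
    r"system\videobiosversion": "video BIOS string names the hypervisor on a VM",
    r"oracle\virtualbox guest additions": "present only when VirtualBox Guest Additions are installed",
    r"vmware, inc.\vmware tools": "present only when VMware Tools is installed",
}

# Line shapes assumed from the report: keys may contain spaces, the process name may not.
REG_RE = re.compile(r"(Key opened|Key value queried)\s+(.+?)\s+(\S+)")
WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def parse_iocs(text):
    """Turn one IoC line per row into event dicts; unknown lines are kept as 'unparsed'."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := REG_RE.fullmatch(line):
            events.append({"type": "registry", "op": m[1], "key": m[2], "process": m[3]})
        elif m := WRITE_RE.fullmatch(line):
            events.append({"type": "write_memory", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := CTX_RE.fullmatch(line):
            events.append({"type": "set_thread_context", "src": int(m[1]), "dst": int(m[2]),
                           "src_image": m[3], "dst_image": m[4]})
        elif m := TOKEN_RE.fullmatch(line):
            events.append({"type": "privilege", "name": m[1], "pid": int(m[2]), "process": m[3]})
        else:
            events.append({"type": "unparsed", "raw": line})
    return events


def anti_vm_reads(events):
    """Registry events whose key matches a known VM-detection location."""
    hits = []
    for e in events:
        if e["type"] != "registry":
            continue
        lowered = e["key"].lower()
        for needle, why in ANTI_VM_KEYS.items():
            if needle in lowered:
                hits.append({"op": e["op"], "key": e["key"], "why": why})
                break
    return hits


def injection_chains(events):
    """Group write/context events per (source, target) pair; keep only pairs that show
    both a memory write and a thread-context change, and attach privileges the target enabled."""
    chains = {}
    for e in events:
        if e["type"] not in ("write_memory", "set_thread_context"):
            continue
        c = chains.setdefault((e["src"], e["dst"]), {
            "source": e["src"], "target": e["dst"],
            "same_image": e["src_image"] == e["dst_image"],
            "writes": 0, "set_thread_context": False, "target_privileges": [],
        })
        if e["type"] == "write_memory":
            c["writes"] += 1
        else:
            c["set_thread_context"] = True
    for e in events:
        if e["type"] == "privilege":
            for c in chains.values():
                if c["target"] == e["pid"]:
                    c["target_privileges"].append(e["name"])
    return [c for c in chains.values() if c["writes"] and c["set_thread_context"]]


def analyze(text):
    events = parse_iocs(text)
    return {"events": events, "anti_vm": anti_vm_reads(events), "injections": injection_chains(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_IOCS)
    for h in report["anti_vm"]:
        print(f"anti-VM  {h['op']:18} {h['key']}  # {h['why']}")
    for c in report["injections"]:
        print(f"inject   {c['source']} -> {c['target']} writes={c['writes']} "
              f"ctx={c['set_thread_context']} same_image={c['same_image']} "
              f"target_privs={c['target_privileges']}")
```

On the sample above this yields six anti-VM registry reads and a single chain 1388 -> 1856 with nine writes, a thread-context change, identical source and target image, and SeDebugPrivilege enabled in the target, which is the pattern the signatures describe. The same-image and write-then-context conditions are what distinguish a hollowing-style loader from, say, a debugger attaching to an unrelated process.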
Processes
  1. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe   PID: 1388
     Command line: "C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe"
     - Maps connected drives based on registry
     - Checks BIOS information in registry
     - Suspicious use of WriteProcessMemory
     - Suspicious use of SetThreadContext
     - Looks for VirtualBox Guest Additions in registry
     - Looks for VMWare Tools registry key
     2. C:\Users\Admin\AppData\Local\Temp\PO.PAK220050019.exe   PID: 1856   (child of PID 1388)
        Command line: "{path}"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses