Analysis

max time kernel: 139s
max time network: 20s
platform: windows7_x64
resource: win7v200430
submitted: 09-07-2020 07:38
Static task: static1

Behavioral task: behavioral1
  Sample: bảng báo giá.exe
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: bảng báo giá.exe
  Resource: win10
General

Target: bảng báo giá.exe
Size: 550KB
MD5: 355d59a43d4f1a80187564d0c9145ad9
SHA1: d4d3ed132d4bf6782ab4b48a9020e5427133850f
SHA256: f782488d6cffc08636ce326d9ab116f99c7abb7a6ced4391f9341e709144d100
SHA512: 73f5e402ecefb4b28aeafc3a1ddfaeae5a456735d9655178e0c2c1baad6152c994e3f21cbd01471d77fd4ce896f167174822beafc3874a740e23b167e3f30491
Malware Config
Signatures
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Process: bảng báo giá.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  Process: bảng báo giá.exe
    Key opened:        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
Suspicious use of WriteProcessMemory (39 IoCs)
  Process: bảng báo giá.exe (PID 240)
  Source PID  Source process     Target PID  Target process  Events
  240         bảng báo giá.exe   1744        schtasks.exe    4
  240         bảng báo giá.exe   548         RegSvcs.exe     7
  240         bảng báo giá.exe   872         RegSvcs.exe     7
  240         bảng báo giá.exe   1052        RegSvcs.exe     7
  240         bảng báo giá.exe   1204        RegSvcs.exe     7
  240         bảng báo giá.exe   568         RegSvcs.exe     7
  (each event is one "wrote to memory of" record; 39 records in total)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: bảng báo giá.exe
    Token: SeDebugPrivilege, PID 240, bảng báo giá.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Process: bảng báo giá.exe
    PID 240, bảng báo giá.exe (10 records)
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Process: bảng báo giá.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Process: bảng báo giá.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\bảng báo giá.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bảng báo giá.exe"
  - Looks for VMWare Tools registry key
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Checks BIOS information in registry
  - Looks for VirtualBox Guest Additions in registry

  Depth 2: C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JajPISlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59C2.tmp"
    - Creates scheduled task(s)

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"

  Depth 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"