Analysis
max time kernel: 63s
max time network: 25s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: 67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe
  Resource: win10v20201028
General
Target: 67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe
Size: 622KB
MD5: 26bdf798d94b9a8cde3a7baf41c119c7
SHA1: 54583e962e90d5af8ab1f5d2dd43284dc5ee88c3
SHA256: 67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679
SHA512: 13f9baad5e0b929757ab2baad1e8c599c4f8974899aceaa8852784558f3676458000b2de4ffc0e2e37393989a52084590c0cc586fea47a1f8e7d238bba2b0f6c
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
      Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe
      Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
      Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 336 (67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe) wrote to memory of PID 1456 (dw20.exe); the same event is recorded 4 times.
  Caveat: dw20.exe under Microsoft.NET\Framework\v2.0.50727 is the .NET Framework error-reporting shim, which the runtime launches when a managed program terminates on an unhandled exception. The writes here go from the sample into a child process it has itself just started, which is the pattern ordinary process creation produces, so on its own this signature is not evidence of code injection into another process.
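The following is an added example, not part of the sandbox report or the sandbox's own rule set. It replays the registry and memory-write events listed in the Signatures section above through two small detection rules: a case-insensitive registry-path matcher for the anti-VM signatures, and a WriteProcessMemory classifier that rates a write into a child the writer just spawned as low and a write into an unrelated process as high. The event records are constructed from the IoCs on this page; the key paths used for the VirtualBox Guest Additions and VMware Tools rules are assumptions (commonly probed keys), since the report fires those signatures without listing IoCs, and the `explorer.exe` counter-example is constructed, not something the sample did.

```python
"""Replay sandbox events through minimal anti-VM and process-write rules.

Events are constructed from the IoCs in the report above; the rule paths for
the VirtualBox/VMware signatures are assumed (commonly probed keys), not IoCs
the report shows.
"""
from dataclasses import dataclass
from typing import Optional

# Registry substrings that fingerprint a VM/sandbox, keyed by the signature name
# used in the report. Matching is case-insensitive and substring-based so both the
# HARDWARE\DESCRIPTION values and the ControlSet001 service enumeration match.
ANTI_VM_REGISTRY_RULES = {
    "Checks BIOS information in registry": (
        r"\hardware\description\system\systembiosversion",
        r"\hardware\description\system\videobiosversion",
    ),
    "Maps connected drives based on registry": (
        r"\services\disk\enum",
    ),
    # Assumed key paths for the two signatures the report fires without IoCs.
    "Looks for VirtualBox Guest Additions in registry": (
        r"\software\oracle\virtualbox guest additions",
    ),
    "Looks for VMWare Tools registry key": (
        r"\software\vmware, inc.\vmware tools",
    ),
}


@dataclass(frozen=True)
class Event:
    kind: str                      # reg_open | reg_query | create_process | write_process_memory
    pid: int
    process: str
    path: str = ""                 # registry path for reg_* events
    target_pid: Optional[int] = None
    target_process: str = ""


def match_registry(events):
    """Map each fired registry signature to the distinct paths that triggered it."""
    hits = {}
    for ev in events:
        if ev.kind not in ("reg_open", "reg_query"):
            continue
        low = ev.path.lower()
        for sig, needles in ANTI_VM_REGISTRY_RULES.items():
            if any(n in low for n in needles):
                hits.setdefault(sig, set()).add(ev.path)
    return {sig: sorted(paths) for sig, paths in hits.items()}


def classify_memory_writes(events):
    """Rate each WriteProcessMemory event.

    A parent writing into a child it has just created is what CreateProcess
    itself does, so those writes are rated low; a write into a process the
    writer did not spawn is the injection pattern and is rated high.
    """
    spawned = {(ev.pid, ev.target_pid) for ev in events if ev.kind == "create_process"}
    ratings = []
    for ev in events:
        if ev.kind != "write_process_memory":
            continue
        severity = "low" if (ev.pid, ev.target_pid) in spawned else "high"
        ratings.append((ev.pid, ev.target_pid, ev.target_process, severity))
    return ratings


SAMPLE = "67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe"

# Constructed from the IoCs in the report: PID 336 is the sample, PID 1456 is dw20.exe.
REPORT_EVENTS = [
    Event("reg_query", 336, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event("reg_query", 336, SAMPLE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event("reg_open", 336, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    Event("reg_query", 336, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0"),
    Event("create_process", 336, SAMPLE, target_pid=1456, target_process="dw20.exe"),
] + [Event("write_process_memory", 336, SAMPLE, target_pid=1456, target_process="dw20.exe")] * 4

# Constructed counter-example (not in the report): a write into a process the sample did not start.
INJECTION_EVENT = Event("write_process_memory", 336, SAMPLE, target_pid=2000, target_process="explorer.exe")


def summarize(events):
    """Bundle both checks the way the report's Signatures section reads."""
    return {
        "registry": match_registry(events),
        "memory_writes": classify_memory_writes(events),
    }


if __name__ == "__main__":
    for sig, paths in summarize(REPORT_EVENTS)["registry"].items():
        print(f"{sig}: {len(paths)} IoCs")
    for pid, tpid, tproc, sev in classify_memory_writes(REPORT_EVENTS + [INJECTION_EVENT]):
        print(f"PID {pid} wrote to {tproc} ({tpid}): {sev}")
```

Run against the report's events, the registry matcher reproduces the two signatures that carry IoCs (two paths each) and all four writes into dw20.exe come out as low because the sample created that process itself; only the constructed write into explorer.exe is rated high. The rule table is deliberately substring-based because the report shows the same key appearing with different casing (`Services` vs `services`) across events.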
Processes
1. C:\Users\Admin\AppData\Local\Temp\67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe (PID 336)
   Command line: "C:\Users\Admin\AppData\Local\Temp\67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679.exe"
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (PID 1456, child of PID 336)
      Command line: dw20.exe -x -s 860