67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679

General

Target

1.exe
Size

622KB
MD5

26bdf798d94b9a8cde3a7baf41c119c7
SHA1

54583e962e90d5af8ab1f5d2dd43284dc5ee88c3
SHA256

67c5cab06eb864d30cfed863f142fc4d80e3e324b7b30d46e37e38451f306679
SHA512

13f9baad5e0b929757ab2baad1e8c599c4f8974899aceaa8852784558f3676458000b2de4ffc0e2e37393989a52084590c0cc586fea47a1f8e7d238bba2b0f6c

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

dw20.exe

pid process

804 dw20.exe
804 dw20.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

dw20.exe

description pid process

Token: SeRestorePrivilege 804 dw20.exe
Token: SeBackupPrivilege 804 dw20.exe

pid	process
804	dw20.exe
804	dw20.exe

description	pid	process
Token: SeRestorePrivilege	804	dw20.exe
Token: SeBackupPrivilege	804	dw20.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

1.exe

description	pid	process	target process
PID 4760 wrote to memory of 804	4760	1.exe	dw20.exe
PID 4760 wrote to memory of 804	4760	1.exe	dw20.exe
PID 4760 wrote to memory of 804	4760	1.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 1280
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/804-2-0x0000000000000000-mapping.dmp

Download
memory/804-3-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/804-4-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/804-7-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-6-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-8-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-9-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-10-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-11-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-12-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-14-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-15-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-16-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-17-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-18-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-19-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-20-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-13-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-22-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-21-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-23-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-24-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-25-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-26-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-27-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-28-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-29-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-31-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-33-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-34-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-36-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-37-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-38-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-39-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-40-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-41-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-42-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-35-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-43-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-45-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-46-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-44-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-32-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-47-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-48-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-49-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-51-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-50-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-52-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-53-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-55-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-54-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-30-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-56-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-57-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-58-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-59-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-60-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-61-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-63-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-64-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-65-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/804-62-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads