5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce

General

Target

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
Size

494KB
MD5

1b877b7ef603ff7b253dec28404d1a39
SHA1

b5e184b39159b9a7c05993e8aaa3fd405bf5b27a
SHA256

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce
SHA512

0eae1eceb638fc3df6d8a9a23ef1b69f4ae2ab49aa11496fb8a5261045704bf76e58ccc1a4e9e2dc1f50dc98d1ae582de6f37366432e558fab0b0ebb0f3961fd

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

pid	process
1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

description pid process

Token: SeDebugPrivilege 1972 5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

description	pid	process
Token: SeDebugPrivilege	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
2⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
2⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
2⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
2⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
"C:\Users\Admin\AppData\Local\Temp\5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe"
2⤵
PID:2008

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1972-54-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/1972-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x00000000002E0000-0x00000000002EA000-memory.dmp

Filesize
40KB

Download
memory/1972-57-0x0000000007340000-0x00000000073A8000-memory.dmp

Filesize
416KB

Download
memory/1972-58-0x00000000076D0000-0x0000000007746000-memory.dmp

Filesize
472KB

Download

description	pid	process	target process
PID 1972 wrote to memory of 1912	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1912	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1912	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1912	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2028	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2028	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2028	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2028	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1740	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1740	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1740	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1740	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1704	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1704	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1704	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 1704	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2008	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2008	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2008	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe
PID 1972 wrote to memory of 2008	1972	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe	5772340cf31a79bda48233f83129000e1251729177d89f673c78a03611d478ce.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads