Analysis

- max time kernel: 45s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 00:02

Static task: static1
Behavioral task: behavioral1
Sample: BL PL.exe
Resource: win7-20220414-en (windows7_x64)
0 signatures
0 seconds
General

- Target: BL PL.exe
- Size: 567KB
- MD5: 4cc9a0255352e0410c74eeeb1c64ba67
- SHA1: a3b5dd3aebf2e427cc7da89aff59575099f106fa
- SHA256: 718524efef50f9e043f3db594db14aa1f5e3fba213539b5b219638d089937afe
- SHA512: 6f1de62ec8b8c15352feb86a9f2f8839f29740da7ceae50c4ae3fe4951cdfd79131607fbb50aa0f5d64151513ed26d436a8f162ce17368b37f01e747d833ba94
- Score: 9/10
Malware Config

Signatures

- Looks for VirtualBox Guest Additions in registry (2 TTPs)

- Looks for VMWare Tools registry key (2 TTPs)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                              process
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  BL PL.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   BL PL.exe

- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description         ioc                                                              process
    Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum        BL PL.exe
    Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0      BL PL.exe

- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
    pid    process
    1212   BL PL.exe
    1212   BL PL.exe
    1212   BL PL.exe
    1212   BL PL.exe
    1212   BL PL.exe
    1212   BL PL.exe
    1212   BL PL.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   1212   BL PL.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes:
    description                        pid    process     target process
    PID 1212 wrote to memory of 1564   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1564   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1564   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1564   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 904    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 904    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 904    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 904    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1408   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1408   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1408   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 1408   1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 300    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 300    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 300    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 300    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 804    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 804    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 804    1212   BL PL.exe   BL PL.exe
    PID 1212 wrote to memory of 804    1212   BL PL.exe   BL PL.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\BL PL.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL PL.exe"
  PID: 1212
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes of PID 1212:
  - C:\Users\Admin\AppData\Local\Temp\BL PL.exe
    Command line: "{path}"
    PID: 1564
  - C:\Users\Admin\AppData\Local\Temp\BL PL.exe
    Command line: "{path}"
    PID: 904
  - C:\Users\Admin\AppData\Local\Temp\BL PL.exe
    Command line: "{path}"
    PID: 1408
  - C:\Users\Admin\AppData\Local\Temp\BL PL.exe
    Command line: "{path}"
    PID: 300
  - C:\Users\Admin\AppData\Local\Temp\BL PL.exe
    Command line: "{path}"
    PID: 804
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/1212-54-0x00000000003A0000-0x0000000000434000-memory.dmp (Filesize: 592KB)
- memory/1212-55-0x0000000000380000-0x0000000000388000-memory.dmp (Filesize: 32KB)
- memory/1212-56-0x0000000001F60000-0x0000000001FC4000-memory.dmp (Filesize: 400KB)
- memory/1212-57-0x0000000004650000-0x000000000468E000-memory.dmp (Filesize: 248KB)