Overview

overview

10

Static

static

PO102.exe

windows7_x64

9

PO102.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    68s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 02:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO102.exe

  • Size

    368KB

  • MD5

    544f97d08c44accf6feb140704686ad9

  • SHA1

    198054b26aa1895ae9e6533a449d52dadbbcd0b5

  • SHA256

    548f6937985adb04cce6bda4127f3d2af247feada21eda348d1d6a0e8dd7d2c7

  • SHA512

    1acc9b9bae1f369d0e717bbd22e2861455b91e942398833004cdf4d8022230a144ea81126a094bb76f509b1281cacffa7e069b2f5c99e6b19621887b904164bc

Score
9/10
evasion

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO102.exe
    "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\PO102.exe
      "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
      2⤵
        PID:596
      • C:\Users\Admin\AppData\Local\Temp\PO102.exe
        "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
        2⤵
          PID:1824
        • C:\Users\Admin\AppData\Local\Temp\PO102.exe
          "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
          2⤵
            PID:380
          • C:\Users\Admin\AppData\Local\Temp\PO102.exe
            "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
            2⤵
              PID:528
            • C:\Users\Admin\AppData\Local\Temp\PO102.exe
              "C:\Users\Admin\AppData\Local\Temp\PO102.exe"
              2⤵
                PID:1736

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Privilege Escalation

            Defense Evasion

            Virtualization/Sandbox Evasion

            2
            T1497

            Credential Access

            Discovery

            Query Registry

            4
            T1012

            Virtualization/Sandbox Evasion

            2
            T1497

            System Information Discovery

            2
            T1082

            Peripheral Device Discovery

            1
            T1120

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1912-54-0x00000000003F0000-0x0000000000450000-memory.dmp
              Filesize

              384KB

              Download
            • memory/1912-55-0x0000000075F61000-0x0000000075F63000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1912-56-0x0000000000320000-0x000000000032A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/1912-57-0x0000000000920000-0x000000000096C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/1912-58-0x00000000020D0000-0x0000000002104000-memory.dmp
              Filesize

              208KB

              Download