ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0

General

Target

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Size

141KB
MD5

048281c0731edf101f02abb1b69a2226
SHA1

a6ea5595847d3cbc13c3728c284357bf52a1b945
SHA256

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0
SHA512

285e6d46f073c8b2aeb67bc938ebf20829cf383961c564a7a5258bcc3bdb66a163ce15c9cc6400ed4a501bf6195e2699f96baa840bcf628f8b94d6b51de6fc85
SSDEEP

3072:VNRIUQ7gJGR4AVYZ0Ictpyt28+nqlBB01Qs3wsE:Cg7AVy0Imo8vwsE

Score

9^/10

evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

pid	process
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

pid	process
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description pid process

Token: SeShutdownPrivilege 1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

description	pid	process
Token: SeShutdownPrivilege	1824	ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe

C:\Users\Admin\AppData\Local\Temp\ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
"C:\Users\Admin\AppData\Local\Temp\ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe"
1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Query Registry

6

T1012

Virtualization/Sandbox Evasion

4

T1497

System Information Discovery

2

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download
memory/1824-56-0x00000000001B0000-0x00000000001C2000-memory.dmp

Filesize
72KB

Download
memory/1824-55-0x00000000002CD000-0x00000000002DE000-memory.dmp

Filesize
68KB

Download
memory/1824-57-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1824-58-0x0000000002870000-0x0000000002877000-memory.dmp

Filesize
28KB

Download
memory/1824-59-0x00000000002CD000-0x00000000002DE000-memory.dmp

Filesize
68KB

Download
memory/1824-61-0x000000007EF80000-0x000000007EF95000-memory.dmp

Filesize
84KB

Download
memory/1824-60-0x0000000002870000-0x0000000002877000-memory.dmp

Filesize
28KB

Download
memory/1824-62-0x000000007EF60000-0x000000007EF75000-memory.dmp

Filesize
84KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads