Analysis
-
max time kernel
42s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
03-10-2022 04:47
Static task
static1
Behavioral task
behavioral1
Sample
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Resource
win10-20220812-en
General
-
Target
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Size
141KB
-
MD5
048281c0731edf101f02abb1b69a2226
-
SHA1
a6ea5595847d3cbc13c3728c284357bf52a1b945
-
SHA256
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0
-
SHA512
285e6d46f073c8b2aeb67bc938ebf20829cf383961c564a7a5258bcc3bdb66a163ce15c9cc6400ed4a501bf6195e2699f96baa840bcf628f8b94d6b51de6fc85
-
SSDEEP
3072:VNRIUQ7gJGR4AVYZ0Ictpyt28+nqlBB01Qs3wsE:Cg7AVy0Imo8vwsE
Malware Config
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
pid process
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description ioc process
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
pid process
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
description pid process
Token: SeShutdownPrivilege 1824 ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe
"C:\Users\Admin\AppData\Local\Temp\ff5ff082f27b757b72d80e2c78a5937a3e57c48c57a0b7f566e1187cd4b371e0.exe"
1
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp
Filesize
8KB
-
memory/1824-56-0x00000000001B0000-0x00000000001C2000-memory.dmp
Filesize
72KB
-
memory/1824-55-0x00000000002CD000-0x00000000002DE000-memory.dmp
Filesize
68KB
-
memory/1824-57-0x0000000000400000-0x0000000000580000-memory.dmp
Filesize
1.5MB
-
memory/1824-58-0x0000000002870000-0x0000000002877000-memory.dmp
Filesize
28KB
-
memory/1824-59-0x00000000002CD000-0x00000000002DE000-memory.dmp
Filesize
68KB
-
memory/1824-61-0x000000007EF80000-0x000000007EF95000-memory.dmp
Filesize
84KB
-
memory/1824-60-0x0000000002870000-0x0000000002877000-memory.dmp
Filesize
28KB
-
memory/1824-62-0x000000007EF60000-0x000000007EF75000-memory.dmp
Filesize
84KB