60951ec1ed11f5ca0eeda2940466dc675d2fefa2bf3750c26b12c967d0c1fba4

General

Target

a0090a664165ba54933e2a9ca46ad35b.exe
Size

1.0MB
MD5

a0090a664165ba54933e2a9ca46ad35b
SHA1

30b6d5a362862055c5071c75d608d631e3a81018
SHA256

60951ec1ed11f5ca0eeda2940466dc675d2fefa2bf3750c26b12c967d0c1fba4
SHA512

f63196af68e8b4b7de79a811dd199b02e1d050c43d632baed2d1d90e7d97a380a62ab472ebdf9d4fe242dff5408a80fca4ec1668f7cb1d0da8bbd3cd1c7da8a1
SSDEEP

12288:eWfyC5oAYOvpa0rzg9l491wZjz5Kc5hgybPOOt60pH3RjnpOdhC:BfFHvpDzg9I1wZvzwyDOU6MBjnkj

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

a0090a664165ba54933e2a9ca46ad35b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions a0090a664165ba54933e2a9ca46ad35b.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

a0090a664165ba54933e2a9ca46ad35b.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools a0090a664165ba54933e2a9ca46ad35b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	a0090a664165ba54933e2a9ca46ad35b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	a0090a664165ba54933e2a9ca46ad35b.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a0090a664165ba54933e2a9ca46ad35b.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	a0090a664165ba54933e2a9ca46ad35b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	a0090a664165ba54933e2a9ca46ad35b.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a0090a664165ba54933e2a9ca46ad35b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	a0090a664165ba54933e2a9ca46ad35b.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	a0090a664165ba54933e2a9ca46ad35b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe

pid	process
1736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

a0090a664165ba54933e2a9ca46ad35b.exepowershell.exe

pid	process
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1376	a0090a664165ba54933e2a9ca46ad35b.exe
1176	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a0090a664165ba54933e2a9ca46ad35b.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1376 a0090a664165ba54933e2a9ca46ad35b.exe
Token: SeDebugPrivilege 1176 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1376	a0090a664165ba54933e2a9ca46ad35b.exe
Token: SeDebugPrivilege	1176	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a0090a664165ba54933e2a9ca46ad35b.exe

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GUszqdnI.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GUszqdnI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF873.tmp"
2⤵
- Creates scheduled task(s)
PID:1736

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
2⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
2⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
2⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe
"C:\Users\Admin\AppData\Local\Temp\a0090a664165ba54933e2a9ca46ad35b.exe"
2⤵
PID:1360

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF873.tmp
Filesize
1KB

MD5
df698daa60f2fdaf25394da693472144

SHA1
0d3695c38f1d7b554f89e4f6a561565c4fbe20d3

SHA256
8de0156846cbff5819cfd0c267315926af95eb189546c5ac15f1900b41575097

SHA512
56e2af08deb06078a1b1239c1303649a34caa3d4b9f5a0e1491917dcf20da83b2f4ed203230167d3ea3ee547a171e488958abd5922ce047e1b28bdb6346a7db6

Download Submit
memory/1176-59-0x0000000000000000-mapping.dmp

Download
memory/1176-64-0x000000006E690000-0x000000006EC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1176-65-0x000000006E690000-0x000000006EC3B000-memory.dmp

Filesize
5.7MB

Download
memory/1376-54-0x00000000003B0000-0x00000000004B8000-memory.dmp

Filesize
1.0MB

Download
memory/1376-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-56-0x0000000000750000-0x0000000000766000-memory.dmp

Filesize
88KB

Download
memory/1376-57-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/1376-58-0x0000000007D10000-0x0000000007DA6000-memory.dmp

Filesize
600KB

Download
memory/1376-63-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/1736-60-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1376 wrote to memory of 1176	1376	a0090a664165ba54933e2a9ca46ad35b.exe	powershell.exe
PID 1376 wrote to memory of 1176	1376	a0090a664165ba54933e2a9ca46ad35b.exe	powershell.exe
PID 1376 wrote to memory of 1176	1376	a0090a664165ba54933e2a9ca46ad35b.exe	powershell.exe
PID 1376 wrote to memory of 1176	1376	a0090a664165ba54933e2a9ca46ad35b.exe	powershell.exe
PID 1376 wrote to memory of 1736	1376	a0090a664165ba54933e2a9ca46ad35b.exe	schtasks.exe
PID 1376 wrote to memory of 1736	1376	a0090a664165ba54933e2a9ca46ad35b.exe	schtasks.exe
PID 1376 wrote to memory of 1736	1376	a0090a664165ba54933e2a9ca46ad35b.exe	schtasks.exe
PID 1376 wrote to memory of 1736	1376	a0090a664165ba54933e2a9ca46ad35b.exe	schtasks.exe
PID 1376 wrote to memory of 1568	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1568	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1568	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1568	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1324	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1324	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1324	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1324	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 684	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 684	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 684	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 684	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1316	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1316	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1316	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1316	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1360	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1360	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1360	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe
PID 1376 wrote to memory of 1360	1376	a0090a664165ba54933e2a9ca46ad35b.exe	a0090a664165ba54933e2a9ca46ad35b.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads