54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d

General

Target

54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Size

176KB
MD5

000e360e57fa1269131e642aa2ac6141
SHA1

c4a76cffecd37b368263b56ecfe8e496a41a681f
SHA256

54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d
SHA512

1a0d537893eec606e2f2779a33499ee878520fd0d7ceff3177839ec562fc4d86a5dc8574b40adffc8c2adeaa50d0dff732ac4450f414c66ed9653d04da5a5fbd
SSDEEP

3072:74JSjtsK3ez48vAmXt6eu1otSHbotSHIu:78TKOs8vAy6e+n

Score

9^/10

evasion persistence

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	notepad.exe

Executes dropped EXE 2 IoCs

pid	Process
4996	notepad.exe
4952	notepad.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	notepad.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	notepad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	notepad.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\notepad.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SHFLLZ223\\notepad.exe"	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\notepad.exe = "C:\\Users\\Admin\\AppData\\Roaming\\SHFLLZ223\\notepad.exe"	notepad.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1788 set thread context of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 4996 set thread context of 4952	4996	notepad.exe	84

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
Token: SeDebugPrivilege	4952	notepad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
4996	notepad.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1788 wrote to memory of 1928	1788	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	82
PID 1928 wrote to memory of 4996	1928	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	83
PID 1928 wrote to memory of 4996	1928	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	83
PID 1928 wrote to memory of 4996	1928	54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe	83
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84
PID 4996 wrote to memory of 4952	4996	notepad.exe	84

C:\Users\Admin\AppData\Local\Temp\54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
"C:\Users\Admin\AppData\Local\Temp\54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe
  "C:\Users\Admin\AppData\Local\Temp\54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe
    C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe C:\Users\Admin\AppData\Local\Temp\54769C~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe
      "C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe"
      4⤵
      Looks for VirtualBox Guest Additions in registry
      Executes dropped EXE
      Looks for VMWare Tools registry key
      Checks BIOS information in registry
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:4952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe

Filesize
176KB

MD5
000e360e57fa1269131e642aa2ac6141

SHA1
c4a76cffecd37b368263b56ecfe8e496a41a681f

SHA256
54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d

SHA512
1a0d537893eec606e2f2779a33499ee878520fd0d7ceff3177839ec562fc4d86a5dc8574b40adffc8c2adeaa50d0dff732ac4450f414c66ed9653d04da5a5fbd

Download Submit
C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe

Filesize
176KB

MD5
000e360e57fa1269131e642aa2ac6141

SHA1
c4a76cffecd37b368263b56ecfe8e496a41a681f

SHA256
54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d

SHA512
1a0d537893eec606e2f2779a33499ee878520fd0d7ceff3177839ec562fc4d86a5dc8574b40adffc8c2adeaa50d0dff732ac4450f414c66ed9653d04da5a5fbd

Download Submit
C:\Users\Admin\AppData\Roaming\SHFLLZ223\notepad.exe

Filesize
176KB

MD5
000e360e57fa1269131e642aa2ac6141

SHA1
c4a76cffecd37b368263b56ecfe8e496a41a681f

SHA256
54769c2eb6e2f64800d226f89127ef179d5c0a6c490f6ebf966d40dde609306d

SHA512
1a0d537893eec606e2f2779a33499ee878520fd0d7ceff3177839ec562fc4d86a5dc8574b40adffc8c2adeaa50d0dff732ac4450f414c66ed9653d04da5a5fbd

Download Submit
memory/1928-138-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1928-137-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1928-135-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1928-141-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4952-149-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4952-150-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4952-151-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads