40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8

General

Target

40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Size

687KB
MD5

544e33c71e69c5610572c31970819400
SHA1

c85501e6ae7f4f13c69cbe06d180fce1f40cc886
SHA256

40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8
SHA512

54737631f9d11e3bef1ca83abdd559aad11f99121553adca73be9dc0470c5e4e48663083000bf79866a2a8439ca9acf0c821657590e1f4eaf67ac674723b0ef2
SSDEEP

12288:0DIxsNvzUtyOM0JcdsfAsRT9ZSXGAmRR5DUrqfrTrpinH788bsxOPo9ho:EIxsNL4W4XoQimBD2qH+HiYOho

Score

9^/10

evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeSecurityPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeTakeOwnershipPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeLoadDriverPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeSystemProfilePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeSystemtimePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeProfSingleProcessPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeIncBasePriorityPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeCreatePagefilePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeBackupPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeRestorePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeShutdownPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeDebugPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeSystemEnvironmentPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeChangeNotifyPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeRemoteShutdownPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeUndockPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeManageVolumePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeImpersonatePrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: SeCreateGlobalPrivilege	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: 33	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: 34	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
Token: 35	240	40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe

C:\Users\Admin\AppData\Local\Temp\40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe
"C:\Users\Admin\AppData\Local\Temp\40dd8eaafcf65137d7f66f7153335a9a01df868c6891b5d8ab5a4f23ec759cc8.exe"
1⤵
- Enumerates VirtualBox registry keys
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

Software Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-54-0x0000000001CB0000-0x0000000001DA8000-memory.dmp

Filesize
992KB

Download
memory/240-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/240-56-0x0000000001CB0000-0x0000000001DA8000-memory.dmp

Filesize
992KB

Download
memory/240-57-0x0000000001CB0000-0x0000000001CB7000-memory.dmp

Filesize
28KB

Download
memory/240-58-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/240-59-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads