87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02

Analysis

max time kernel
163s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe
Size

1.0MB
MD5

aab73674c51fcd3af16c7a20c6ebea1f
SHA1

22564b33c78ab9ea2d5ba69e9bfe784e4ad8adc5
SHA256

87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02
SHA512

84f426fdd040d8ecb436be0b3abf2e36f1a2441ff9d1f0c3be89bc94ab837943189e5da088c96526bf7d8ff9918023e1087dfebfe2522de55b4017ca4397ceda
SSDEEP

24576:z+4IVahSl8iJj7QkU+d7zt9oeB4yXcoe0:zGE4l8iJj7Qkv7B9oV0

Score

9^/10

discovery evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

pid	process
1032	87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe
1032	87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

description	pid	process
Token: SeDebugPrivilege	1032	87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe
Token: SeCreateGlobalPrivilege	1032	87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe

C:\Users\Admin\AppData\Local\Temp\87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe
"C:\Users\Admin\AppData\Local\Temp\87a9991308ae965974629c621fd47467b19db9e850fe27cc2a62feaa8953ae02.exe"
1⤵
- Enumerates VirtualBox registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-55-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1032-54-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1032-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1032-57-0x0000000000510000-0x0000000000616000-memory.dmp

Filesize
1.0MB

Download
memory/1032-58-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download