3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe
Size

112KB
MD5

2ddbfd9e906a03e58a8319b0cebcd520
SHA1

c277c344031bc7da67b552fccd15eca5eeab44c2
SHA256

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9
SHA512

1b0e89dfd89041e4335b9a3e30fdd546734a53c9e6ceb4286f71cbdb69cccdb8030887df7452f26e2065a2135ae77a191b981042b74c5e75f5a10a959868955c
SSDEEP

1536:u/lDtQVFbl4L1bJ2pVHbT5LUk6f2z6Du9vdoER7r+nqHA10sMGt8XNfTSEiuSTan:u/lOlM1N2LTVUkc2z6DMljXG5WYByeQ

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools	3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

description pid process

Token: SeDebugPrivilege 1556 3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

description	pid	process
Token: SeDebugPrivilege	1556	3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe

C:\Users\Admin\AppData\Local\Temp\3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe
"C:\Users\Admin\AppData\Local\Temp\3ed9b32f503de26cdcff6eff07e0b79dfe8d659c97531e9145bf54fbdbb02aa9.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1556-132-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1556-133-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-134-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download