4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be

General

Target

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
Size

885KB
MD5

fee513bac5f939d2cc391f8bb8cfe1ed
SHA1

b038192367b2b18b3edaac72b8d05a3558f029ce
SHA256

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be
SHA512

5816a23c2c9564403ba771de189b07c9749e28540b6e0b588690f6b53f472e3437a4d9e7fdb304137296c557dc4769744fe0dcd4c6315341fe7361ed8a649946
SSDEEP

12288:7x8Q/oWtPr0Ey9dr+RGiyur2E6FJxv1wFtPu369+I5uwdONzE/AA6VZDJTj4O:7lloEyXkXrr2hJxv1n36sIJM9U6PW

Score

9^/10

evasion

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

description	pid	process	target process
PID 1220 set thread context of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

pid process

1996 4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

pid	process
1996	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

description	pid	process
Token: SeDebugPrivilege	1996	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
Token: SeCreateGlobalPrivilege	1996	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

C:\Users\Admin\AppData\Local\Temp\4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
"C:\Users\Admin\AppData\Local\Temp\4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
"C:\Users\Admin\AppData\Local\Temp\4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe"
2⤵
- Enumerates VirtualBox registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

Software Discovery

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1220-65-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1996-60-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-62-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-56-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-59-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-58-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-54-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-61-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-57-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-63-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-55-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-66-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-67-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/1996-68-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1996-70-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

description	pid	process	target process
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe
PID 1220 wrote to memory of 1996	1220	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe	4c20eae868cdbc9b87492830b017e966006cd73ced9bd2470c3671505245d0be.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads