Analysis
Max time kernel: 294s
Max time network: 346s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-11-2022 15:39
Static task: static1
Behavioral task: behavioral1
Sample: 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
Resource: win7-20221111-en
General
Target: 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
Size: 606KB
MD5: b1f752e49f691b3597e1a3b20ba49759
SHA1: 3b6eb96a4dc671904e65f456f5e8a2927d18735a
SHA256: 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5
SHA512: f7eb72fb8db2c65a11476a46718dd8af8f16a65d79455f03f2218d27f9461415f98269acd1578f64af0110e802a425ce2f10e4cb193f27aa78077e3ad70e0949
SSDEEP: 12288:qlbzkAXD21n/WaK7x5NCfQkNVHHjJ8dkE7QT6CJfiO3YN4:qlB21OtCfQCeyT6IB
Malware Config

Signatures

Checks for common network interception software (1 TTP)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Enumerates VirtualBox registry keys (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
Token: SeCreateGlobalPrivilege | 5100 | 0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0545470832a04cf80da44a928419f9b771120af69d1c38ea7670767856bbc7e5.exe"
PID: 5100
Signatures:
- Enumerates VirtualBox registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken