Analysis
Max time kernel: 311s
Max time network: 356s
Platform: windows10-2004_x64
Resource: win10v2004-20221111-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-11-2022 15:39
Static task: static1
Behavioral task: behavioral1
Sample: e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
Resource: win7-20220812-en
General
Target: e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
Size: 700KB
MD5: a062a4782ea67e8ef3b3336286a9d741
SHA1: a486bed438443815ffd7b6c26099161052fa7992
SHA256: e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902
SHA512: c26288872361d9babc41a906b9d7ac086b55e449980ed2eb9d3ec79185c18931dfc364265504d84b32e767e8b6ef2e7f4e19ec8be637efc2a4e6f7f7a4b4b890
SSDEEP: 12288:IPaPUnR65Sa44S5zJKWdGGIBOX7LzuWLGAOB0BIbdwVrGXOgBgNjb:IPamUOKMGdBu3sAA+gdaKXBM
Malware Config
Signatures

Checks for common network interception software (1 TTPs)
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Enumerates VirtualBox registry keys (2 TTPs, 1 IoCs)
Processes:
description   ioc                                                          process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest    e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid    process
3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description                       pid    process
Token: SeDebugPrivilege           3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
Token: SeCreateGlobalPrivilege    3156   e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
Processes

C:\Users\Admin\AppData\Local\Temp\e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\e0c3c7131e2f24a6f010938bc25b1dc54a8b888ab5b39cfaf1b864a01294d902.exe"
- Enumerates VirtualBox registry keys
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3156