01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102

General

Target

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
Size

3.3MB
MD5

cc5fcae70f636b3ffa04811e2a6153f7
SHA1

3c1687cca2ffd48adf107e8eda1ffb06beb7ba7f
SHA256

01156bec33d1378d38aa16ae6605d4766f20ac5f48c9bb2c0744457ff9de3102
SHA512

c63fc634a7c85d67000e25afd359a51aa0af4c259b7c4366fa4c05b2c844132cb459bc399098de2d5060dabadae91b8f1f889b4c6a5fd0a172d3f43e14d47c2b
SSDEEP

98304:hHmVzuboSz63u94iSa7e1zLTdiVOiZMR+MJbZ5d:hH86qu94J1nTdiVOyMJbvd

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1932 schtasks.exe

pid	process
1932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

pid	process
2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description pid process

Token: SeDebugPrivilege 2036 aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

description	pid	process
Token: SeDebugPrivilege	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xeDloyk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF49C.tmp"
2⤵
- Creates scheduled task(s)
PID:1932

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"{path}"
2⤵
PID:572

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"{path}"
2⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"{path}"
2⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"{path}"
2⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
"{path}"
2⤵
PID:1708

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF49C.tmp
Filesize
1KB

MD5
c0f121af75daaa5b5795ffd81daddd55

SHA1
311fec6c2b619b42784e5bae96f29adb8395dd85

SHA256
7cdb6b72d92b6c4db2ed8e097c138a944c5346d8ed1490184ebbc89ac3840bc0

SHA512
c685a1fd957b605cf8ce3dc2d236b8fe08251eb6a2cee3f3e21c43b17816944bfbdc2ebc911b57f49e075f50df4be33a978293c4c58336592873ae7f544578c0

Download Submit
memory/1932-59-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x0000000000110000-0x0000000000464000-memory.dmp

Filesize
3.3MB

Download
memory/2036-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/2036-56-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/2036-57-0x0000000009200000-0x00000000094D0000-memory.dmp

Filesize
2.8MB

Download
memory/2036-58-0x000000000B8A0000-0x000000000BB22000-memory.dmp

Filesize
2.5MB

Download

description	pid	process	target process
PID 2036 wrote to memory of 1932	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	schtasks.exe
PID 2036 wrote to memory of 1932	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	schtasks.exe
PID 2036 wrote to memory of 1932	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	schtasks.exe
PID 2036 wrote to memory of 1932	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	schtasks.exe
PID 2036 wrote to memory of 572	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 572	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 572	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 572	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 560	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 560	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 560	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 560	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 664	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 664	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 664	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 664	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1372	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1372	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1372	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1372	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1708	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1708	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1708	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe
PID 2036 wrote to memory of 1708	2036	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe	aa0fcd6a-7e83-40be-bdaa-a81e626b9ffe.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads