d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933

General

Target

d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
Size

635KB
MD5

0909c5df851d41ae6397e671db6a09ca
SHA1

6bba9080d9bf14866108138dbebf1c8078b9b834
SHA256

d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933
SHA512

b42138720509930756498e9f21ce7e5bc7fca933491262c88384433351695cfdccb6a96e6f356476091041348cb21166f7de8eee4171f60cd524c4ef3e1be3ca
SSDEEP

12288:H+NBBMSiogVNn+HOOq1rrkoY4fZemkzYKqb6EbCJ0uBj4fiHhPONHhEOGq+ZAdu:H0BBrGNn+HOOq1rrkd4fZOzrqb6EbCJh

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe

Executes dropped EXE 1 IoCs

pid	Process
1212	s5349.exe

Loads dropped DLL 4 IoCs

pid	Process
1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
1212	s5349.exe
1212	s5349.exe
1212	s5349.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	s5349.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1212	s5349.exe
1212	s5349.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 1212	1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe	28
PID 1352 wrote to memory of 1212	1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe	28
PID 1352 wrote to memory of 1212	1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe	28
PID 1352 wrote to memory of 1212	1352	d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe	28

C:\Users\Admin\AppData\Local\Temp\d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe
"C:\Users\Admin\AppData\Local\Temp\d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\n5349\s5349.exe
  "C:\Users\Admin\AppData\Local\Temp\n5349\s5349.exe" e921408e819d29bbb06e8343qjIv7Syyy3N6avxzW+Ov3SlHIdwjK7BO3Svecjfwsza4o/GNjmuOJw1Nn8LGAEpU8LJrFYt0pFJKCfClfjSX7TIrgTlWnXXZUPpnkVg+PYLoHGWIwdzPMNMKSyyWODV9uQ96ChbIr3qDfBTOLYPW4u7NkQ+xAWdLEoAMYfU+65YxUOZOA4bKDg== /v "C:\Users\Admin\AppData\Local\Temp\d342b61492c9caaf4256cf58954641755f1f88c920b85b42d6ef5973c96c3933.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
\Users\Admin\AppData\Local\Temp\n5349\s5349.exe

Filesize
345KB

MD5
33e9d86a31f6e31d1cee55352a0f392b

SHA1
a06919f898b3ac2225f093c1f53cdb9925ea0c29

SHA256
56ccb63837e15d00a7efccd163a54f50276352607e5100dac95e32553f72b9d5

SHA512
bd88a65860d49d62bc4f2963fef277fa24d5877095e212d0f3db8f72d08b37b9a51309d666e46e7a39a597e729be27aeab96d92213f5b3f55130fb3626f925e7

Download Submit
memory/1212-62-0x000007FEF4150000-0x000007FEF4B73000-memory.dmp

Filesize
10.1MB

Download
memory/1212-63-0x000007FEF30B0000-0x000007FEF4146000-memory.dmp

Filesize
16.6MB

Download
memory/1212-64-0x0000000000976000-0x0000000000995000-memory.dmp

Filesize
124KB

Download
memory/1212-65-0x0000000000976000-0x0000000000995000-memory.dmp

Filesize
124KB

Download
memory/1212-66-0x000007FEEEB30000-0x000007FEEF9BF000-memory.dmp

Filesize
14.6MB

Download
memory/1212-67-0x000007FEEE840000-0x000007FEEEB2A000-memory.dmp

Filesize
2.9MB

Download
memory/1212-68-0x0000000000976000-0x0000000000995000-memory.dmp

Filesize
124KB

Download
memory/1352-54-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads