Analysis

  • max time kernel: 42s
  • max time network: 45s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 13-02-2023 11:32

General

  • Target: PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
  • Size: 973KB
  • MD5: 76af89cc6f06552cf6815efa1b407161
  • SHA1: 1bdab78ec87c979938c4fd4645961a061abaf80b
  • SHA256: f0e2be29b4f60291bb5e95eb8e23794502c74d7daff6754762ba486cf92f4c4f
  • SHA512: 2e675e58a5ed9c8f9955b9c0135f754f2965d1d21611826b3e71a8288082a2573c586e901a800f304a2e93ee557657432aa02af990e63813cf470cb0de2356e9
  • SSDEEP: 24576:PSzS0v+YHOtLnTtSnm0Do7BtQKft+pasie3G0iwUI3lN9nZ9GL0/+RA:x1/V+3B20TUGlPZ9GL1A

Score
9/10

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe"
    1⤵
    PID:604
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory

    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iSEpzGuD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC5E.tmp"
      2⤵
      PID:1836
      • Creates scheduled task(s)

    • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
      "{path}"
      2⤵
      PID:468

    • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
      "{path}"
      2⤵
      PID:560

    • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
      "{path}"
      2⤵
      PID:1492

    • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
      "{path}"
      2⤵
      PID:912

    • C:\Users\Admin\AppData\Local\Temp\PO 55192752_PDF Dalian Hiscien Engineering Co Ltd iGST_eH2mYaM.exE.exe
      "{path}"
      2⤵
      PID:908

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                 Technique                        Count  ID
  Execution              Scheduled Task                   1      T1053
  Persistence            Scheduled Task                   1      T1053
  Privilege Escalation   Scheduled Task                   1      T1053
  Defense Evasion        Virtualization/Sandbox Evasion   2      T1497
  Discovery              Query Registry                   4      T1012
  Discovery              Virtualization/Sandbox Evasion   2      T1497
  Discovery              System Information Discovery     3      T1082
  Discovery              Peripheral Device Discovery      1      T1120


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBC5E.tmp
    Filesize: 1KB
    MD5: 84e757b47ab513887f39035b5376806a
    SHA1: 4ac83047f892bebc822be719ae1ba19fe7b66e53
    SHA256: 820c0c9bb9750f0abbd7ac9fe4e03b8bc27cca616e30c2ee4539d57cc024f5a7
    SHA512: 8a262cc083e65833857b80bd408f1fd3e4e51e6141edb468a6c4756571c79ecd6d15c0013dbef58b51882af08ef5377b0ea7f78da43e6bc1b528184897db0a34

  • memory/604-54-0x0000000000360000-0x000000000045A000-memory.dmp
    Filesize: 1000KB

  • memory/604-55-0x0000000075F81000-0x0000000075F83000-memory.dmp
    Filesize: 8KB

  • memory/604-56-0x00000000005F0000-0x00000000005FE000-memory.dmp
    Filesize: 56KB

  • memory/604-57-0x00000000051A0000-0x0000000005266000-memory.dmp
    Filesize: 792KB

  • memory/604-58-0x0000000005890000-0x0000000005918000-memory.dmp
    Filesize: 544KB

  • memory/1836-59-0x0000000000000000-mapping.dmp