Analysis
-
max time kernel
40s -
max time network
43s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-03-2023 17:38
General
-
Target
Notepad++.exe
-
Size
9.5MB
-
MD5
53e4fa88bd8c51ba2d913380e3de6a2c
-
SHA1
9b4b91444e9ead8c667e87c36f08a7d2ebf3309b
-
SHA256
e8ae1f376e40875ff96c2b322faecee3b7f013b36662d9e45eed733f870994d0
-
SHA512
b48fab3b7aba5aa22b4d0d536cb7919d6a515c4450d2416ee029ad1fcda6933eb72a5658d9e1e1638bb377e84e1a397e922fbfe34e18522b1d3855208fbea97c
-
SSDEEP
196608:o1wjFLQPnIGNOfhw3tMGo6ysjLf0qCgFMh9uF9CeQ0mHEDzg/aymNd7t7:ljFUmW3tMTXGz7A5vHEDzMaB
Score
9/10
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Notepad++.exe"C:\Users\Admin\AppData\Local\Temp\Notepad++.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1836-133-0x0000000000400000-0x0000000001A96000-memory.dmpFilesize
22.6MB
-
memory/1836-141-0x0000000000400000-0x0000000001A96000-memory.dmpFilesize
22.6MB
-
memory/1836-142-0x0000000000400000-0x0000000001A96000-memory.dmpFilesize
22.6MB
-
memory/1836-143-0x00000000064D0000-0x0000000006A74000-memory.dmpFilesize
5.6MB
-
memory/1836-144-0x0000000006160000-0x00000000061F2000-memory.dmpFilesize
584KB
-
memory/1836-145-0x0000000006200000-0x0000000006266000-memory.dmpFilesize
408KB
-
memory/1836-146-0x00000000064C0000-0x00000000064D0000-memory.dmpFilesize
64KB
-
memory/1836-147-0x0000000006E80000-0x0000000006E92000-memory.dmpFilesize
72KB
-
memory/1836-148-0x00000000072F0000-0x00000000072FA000-memory.dmpFilesize
40KB
-
memory/1836-159-0x0000000000400000-0x0000000001A96000-memory.dmpFilesize
22.6MB
-
memory/1836-160-0x00000000064C0000-0x00000000064D0000-memory.dmpFilesize
64KB
-
memory/1836-167-0x000000000BE70000-0x000000000BEAC000-memory.dmpFilesize
240KB
-
memory/1836-168-0x00000000064C0000-0x00000000064D0000-memory.dmpFilesize
64KB
-
memory/1836-170-0x00000000064C0000-0x00000000064D0000-memory.dmpFilesize
64KB