87513157828305d4d09ff58df2a39eb9e2bdcaa72bd01f11bb86dc56dc164fb2

General

Target

tmp.exe
Size

623KB
MD5

63d2ab075242a38f5c6240cb7eafbd35
SHA1

36621dbe302900010d8dc1916f0fa022885d4d59
SHA256

87513157828305d4d09ff58df2a39eb9e2bdcaa72bd01f11bb86dc56dc164fb2
SHA512

a36109647c4eabfd8c270adf11a0cfd05284c5e411e0ebd3427bffa104eed2337857ebbcbecf29e847a10f76731023d54462d24934e7719e90a60d3bb414035f
SSDEEP

12288:vV38R0oK/pYZ5ptdxOSGd4+A9UfzAddKwlyrq+tZ5mX6h:vV38R0c5HCSGd4+iUfzKsLT5mKh

Score

9^/10

evasion

Malware Config

Signatures

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	AppLaunch.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	AppLaunch.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	AppLaunch.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	AppLaunch.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppLaunch.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	AppLaunch.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1148 set thread context of 1228	1148	tmp.exe	29

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe
1228	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1228	AppLaunch.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29
PID 1148 wrote to memory of 1228	1148	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

4

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-55-0x0000000000090000-0x0000000000100000-memory.dmp

Filesize
448KB

Download
memory/1228-56-0x0000000000090000-0x0000000000100000-memory.dmp

Filesize
448KB

Download
memory/1228-61-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1228-63-0x0000000000090000-0x0000000000100000-memory.dmp

Filesize
448KB

Download
memory/1228-64-0x0000000000090000-0x0000000000100000-memory.dmp

Filesize
448KB

Download
memory/1228-65-0x0000000000180000-0x0000000000187000-memory.dmp

Filesize
28KB

Download
memory/1228-66-0x0000000002170000-0x0000000002570000-memory.dmp

Filesize
4.0MB

Download
memory/1228-67-0x0000000002170000-0x0000000002570000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads