Analysis
-
max time kernel
186s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
01/11/2023, 13:02
General
-
Target
cb4177d5af25492f761ba914ab1a2d5b.exe
-
Size
484KB
-
MD5
cb4177d5af25492f761ba914ab1a2d5b
-
SHA1
533d6af9aefacb4dc542d11f580e74e0094d78cc
-
SHA256
aa081fdd4b1447f50679f0fa3c2822d35488d566aa4f4b546cb34398a29a9c28
-
SHA512
eec1b4b638afbe1810a2ef11a25c77b0aabfa2bef29d842a56271d96ca487877dbdef401d2e2e83d255299bbfe0def548634a985814bb8d3e5b3e689c3c1320d
-
SSDEEP
12288:UDfhQdWP5zZDSakeGD3PPWIAuIejQFXTJxWn:Nd0lEakeGD1hktTJxg
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification 2 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb4177d5af25492f761ba914ab1a2d5b.exe"C:\Users\Admin\AppData\Local\Temp\cb4177d5af25492f761ba914ab1a2d5b.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eNHfyKAUV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp70FB.tmp"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Impair Defenses
2Disable or Modify Tools
2Modify Registry
2Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5d52ca1abb5ef557e4b169706e6fc8269
SHA1bfeda109d9d4d36a51d6b23131233ae6da1c6a0c
SHA2562236670968e8d8901dbba91486acedecdb3036530be28cbaba9443227d670293
SHA51252634b417c2552c14fd33a2a92510f5ea1839f808c4f187417933f10d8dda272fd9adf2e4bb3cd38df072d12773d39a982ddee16b0b97446f3fa6478957ca661
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
384KB
-
Filesize
32KB
-
Filesize
256KB
-
Filesize
504KB
-
Filesize
256KB
-
Filesize
6.9MB