731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9

General

Target

731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe
Size

15.8MB
MD5

e188bafe994a2e8244f5a8646f735b0b
SHA1

38fd6e8008934d8704f9ca93d1ae90cdc503aa9e
SHA256

731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9
SHA512

0d9fb5efffbd9eb534b7c3451fb8c1160497039837b3a6c4a3e76afac32aff272e87a9b248e621ab4b3ed2eddb260db857dfa057d48147e8e65b8037ef9728f0
SSDEEP

393216:CN4H3eIciIIFlooiZ/Cp2YMr28AZmd2jMFgXnU7sEloy:CNcuP8orwpHMrkmd6tXnas

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	HObQRWKJu2ltDyw.exe

Executes dropped EXE 2 IoCs

pid	Process
4548	HObQRWKJu2ltDyw.exe
992	launch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	HObQRWKJu2ltDyw.exe
4548	HObQRWKJu2ltDyw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4548	HObQRWKJu2ltDyw.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4548	HObQRWKJu2ltDyw.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4548	3612	731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe	89
PID 3612 wrote to memory of 4548	3612	731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe	89
PID 3612 wrote to memory of 4548	3612	731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe	89
PID 3612 wrote to memory of 992	3612	731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe	91
PID 3612 wrote to memory of 992	3612	731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe	91

C:\Users\Admin\AppData\Local\Temp\731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe
"C:\Users\Admin\AppData\Local\Temp\731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\ytool\HObQRWKJu2ltDyw.exe
  "C:\Users\Admin\AppData\Local\Temp\731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe" "C:\Users\Admin\AppData\Local\Temp\731c7524666184bab42f44b92d1b43065b0f01924b3146d011fecc42be8d92f9.exe"
  2⤵
  - Looks for VirtualBox Guest Additions in registry
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\launch.exe
  "C:\Users\Admin\AppData\Local\Temp\launch.exe"
  2⤵
  - Executes dropped EXE
  PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\launch.exe

Filesize
7.2MB

MD5
4d318ec5c6305c94fdd634be8506ae51

SHA1
29d01ddb8a76b8830d85d98e6800efbbe4ea71f2

SHA256
bdce49c151318af3d436529999e5140a0f8928921570c4a6b7d2e5119b797983

SHA512
927007567428abbf0701a080623c741d73248669fe0721eb7d0a2d8d3acd659b7ba0a73e5f09bd81d2885dd173764e3eb9268beb7e74822598f8b21c6bbf8950

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch.exe

Filesize
7.2MB

MD5
4d318ec5c6305c94fdd634be8506ae51

SHA1
29d01ddb8a76b8830d85d98e6800efbbe4ea71f2

SHA256
bdce49c151318af3d436529999e5140a0f8928921570c4a6b7d2e5119b797983

SHA512
927007567428abbf0701a080623c741d73248669fe0721eb7d0a2d8d3acd659b7ba0a73e5f09bd81d2885dd173764e3eb9268beb7e74822598f8b21c6bbf8950

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
316B

MD5
247e172277baf5a39e6476a056f0d097

SHA1
61c24f846e7f035655384b336a0bbbba084ed08d

SHA256
9fc04c48e12971b5f4a94fa0e1c8ae61f2691da0a91c95f9874d1779c00fcc8c

SHA512
bad8cdaeec9376155d64b1f0e30fba3058ed2a13f830493c8b1a06ddacf52fa1386f4e1ca370d1b0b395700cd7a7b083f10a2150a5ef4d0a88c0c4fde25dabe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
919B

MD5
81ddf2aa9529d0f56f167f2b852ac76f

SHA1
356ee822f05f936b2cef5fd814c779f6cc16638d

SHA256
6a6264d2e6f3b180d63c5b90e3950d505aaca765125f5e9cfaac3084aa3bc859

SHA512
b47b2353a66c7e4742718082b2a1a2fa33d05fcd2e352fb282d95ba526881caf39ea540776bd3657ec0b78fd48faa30c68560c0171601a2334c6d5c443a315a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
0676fa7ccfec7ade9b9b3eab2516663b

SHA1
bf9bb49b8b14d8dc64bdd276f98bd0887c02c096

SHA256
76c60c51aa7f5d068c0874fa3e20969861d06b02457115e03037857c96603290

SHA512
cf77a266aef920dcee94a10f3a0018a943d6e12e76ec5adbd5fe0442e3b128a1a8b35230f361ed7a7ac1a940918f3343ad8853721f73177a9f5097b121d921c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
5KB

MD5
2e37692574bdbed6fc73240178f73103

SHA1
78a7f2bfd2aa2fcdc1a6ccf400c67a6637bcc3fa

SHA256
2fa4be46b276287b9a5abcce057b0860698b3c8b053c40fee1877446c7aea057

SHA512
353920be8b572bcfe5f3460c3c291a24eecc7a97585d3ee452a2e0d03d0561706eab1792f87ae8517c04db61bc51dfdfb46e870d63483dd84bf894d042bbeaaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\HObQRWKJu2ltDyw.exe

Filesize
5.7MB

MD5
fe423bab879b3c08180dc8349f124e12

SHA1
abc3261e324b1a76e7d43e25bcb512a625c0b58d

SHA256
237ac5ce9649031d650f7f1b51af191fe83120cad3182ea0d8bbe8854e664cd1

SHA512
aa8d38ae1b7984bd76a4694aab3f9b5577aa917867e9e9eecefa61277d519e40f3399dc1b266f02c84f1ad7b3bf766dad346263b740d00fb165c7db1677b5549

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\HObQRWKJu2ltDyw.exe

Filesize
5.7MB

MD5
fe423bab879b3c08180dc8349f124e12

SHA1
abc3261e324b1a76e7d43e25bcb512a625c0b58d

SHA256
237ac5ce9649031d650f7f1b51af191fe83120cad3182ea0d8bbe8854e664cd1

SHA512
aa8d38ae1b7984bd76a4694aab3f9b5577aa917867e9e9eecefa61277d519e40f3399dc1b266f02c84f1ad7b3bf766dad346263b740d00fb165c7db1677b5549

Download Submit
memory/992-1636-0x00007FF660770000-0x00007FF6617FB000-memory.dmp

Filesize
16.5MB

Download
memory/992-1637-0x00007FF660770000-0x00007FF6617FB000-memory.dmp

Filesize
16.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads