45ab4270d58e1ae1a7d02eb2dd09bed4f1108c4f3ac2e4c54f67a06535e2e93e

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Screenshare.Tool.exe
Size

360KB
MD5

9e94eaa1b58407d16fe4ccbbfc503ec7
SHA1

f8fe60e55429511c5406f6d92d2bfed711d125ea
SHA256

45ab4270d58e1ae1a7d02eb2dd09bed4f1108c4f3ac2e4c54f67a06535e2e93e
SHA512

07cc9494448c52c22de31f0d4b222b97b8f1dc24162e2bbc29869951b196a046562a6c1dd041a97c70b8e2be150ad0b44e249265b765e1df909cd1076525974d
SSDEEP

6144:Nkr9uw11dnO9UOAV6OtQVzPpDUJ7o0HqAaGWqoJwXd9/mczHcma/iXdgaeFjSee:NO1OIV96Pe7o0Hq9GWqOcd9HzHYaXdgR

Score

8^/10

evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Screenshare.Tool.exe

Enumerates connected drives 3 TTPs 7 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	Screenshare.Tool.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe
696	Screenshare.Tool.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4156	696	Screenshare.Tool.exe	88
PID 696 wrote to memory of 4156	696	Screenshare.Tool.exe	88
PID 4156 wrote to memory of 752	4156	cmd.exe	89
PID 4156 wrote to memory of 752	4156	cmd.exe	89
PID 4156 wrote to memory of 2452	4156	cmd.exe	90
PID 4156 wrote to memory of 2452	4156	cmd.exe	90
PID 696 wrote to memory of 848	696	Screenshare.Tool.exe	97
PID 696 wrote to memory of 848	696	Screenshare.Tool.exe	97
PID 848 wrote to memory of 5096	848	cmd.exe	98
PID 848 wrote to memory of 5096	848	cmd.exe	98
PID 848 wrote to memory of 2396	848	cmd.exe	99
PID 848 wrote to memory of 2396	848	cmd.exe	99
PID 696 wrote to memory of 528	696	Screenshare.Tool.exe	100
PID 696 wrote to memory of 528	696	Screenshare.Tool.exe	100
PID 528 wrote to memory of 2988	528	cmd.exe	101
PID 528 wrote to memory of 2988	528	cmd.exe	101
PID 528 wrote to memory of 3280	528	cmd.exe	102
PID 528 wrote to memory of 3280	528	cmd.exe	102
PID 696 wrote to memory of 3124	696	Screenshare.Tool.exe	104
PID 696 wrote to memory of 3124	696	Screenshare.Tool.exe	104
PID 3124 wrote to memory of 1920	3124	cmd.exe	105
PID 3124 wrote to memory of 1920	3124	cmd.exe	105
PID 3124 wrote to memory of 1436	3124	cmd.exe	106
PID 3124 wrote to memory of 1436	3124	cmd.exe	106
PID 696 wrote to memory of 4828	696	Screenshare.Tool.exe	107
PID 696 wrote to memory of 4828	696	Screenshare.Tool.exe	107
PID 4828 wrote to memory of 4220	4828	cmd.exe	108
PID 4828 wrote to memory of 4220	4828	cmd.exe	108
PID 4828 wrote to memory of 1432	4828	cmd.exe	109
PID 4828 wrote to memory of 1432	4828	cmd.exe	109
PID 696 wrote to memory of 3492	696	Screenshare.Tool.exe	110
PID 696 wrote to memory of 3492	696	Screenshare.Tool.exe	110
PID 3492 wrote to memory of 2704	3492	cmd.exe	111
PID 3492 wrote to memory of 2704	3492	cmd.exe	111
PID 3492 wrote to memory of 3236	3492	cmd.exe	112
PID 3492 wrote to memory of 3236	3492	cmd.exe	112
PID 696 wrote to memory of 1276	696	Screenshare.Tool.exe	113
PID 696 wrote to memory of 1276	696	Screenshare.Tool.exe	113
PID 1276 wrote to memory of 3792	1276	cmd.exe	114
PID 1276 wrote to memory of 3792	1276	cmd.exe	114
PID 1276 wrote to memory of 4496	1276	cmd.exe	115
PID 1276 wrote to memory of 4496	1276	cmd.exe	115
PID 696 wrote to memory of 2308	696	Screenshare.Tool.exe	116
PID 696 wrote to memory of 2308	696	Screenshare.Tool.exe	116
PID 2308 wrote to memory of 3872	2308	cmd.exe	117
PID 2308 wrote to memory of 3872	2308	cmd.exe	117
PID 2308 wrote to memory of 3484	2308	cmd.exe	118
PID 2308 wrote to memory of 3484	2308	cmd.exe	118
PID 696 wrote to memory of 4524	696	Screenshare.Tool.exe	119
PID 696 wrote to memory of 4524	696	Screenshare.Tool.exe	119
PID 4524 wrote to memory of 2312	4524	cmd.exe	120
PID 4524 wrote to memory of 2312	4524	cmd.exe	120
PID 4524 wrote to memory of 4760	4524	cmd.exe	121
PID 4524 wrote to memory of 4760	4524	cmd.exe	121
PID 696 wrote to memory of 2292	696	Screenshare.Tool.exe	122
PID 696 wrote to memory of 2292	696	Screenshare.Tool.exe	122
PID 2292 wrote to memory of 3008	2292	cmd.exe	123
PID 2292 wrote to memory of 3008	2292	cmd.exe	123
PID 2292 wrote to memory of 1648	2292	cmd.exe	124
PID 2292 wrote to memory of 1648	2292	cmd.exe	124
PID 696 wrote to memory of 4580	696	Screenshare.Tool.exe	125
PID 696 wrote to memory of 4580	696	Screenshare.Tool.exe	125
PID 4580 wrote to memory of 3024	4580	cmd.exe	126
PID 4580 wrote to memory of 3024	4580	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\Screenshare.Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Screenshare.Tool.exe"
1⤵
- Looks for VMWare Tools registry key
- Checks for VirtualBox DLLs, possible anti-VM trick
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /c:0x00001000 >> .\old_renamed_files.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:752
- - C:\Windows\system32\findstr.exe
    findstr /i /c:0x00001000
    3⤵
    PID:2452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /c:0x00002000 >> .\new_renamed_files.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:5096
- - C:\Windows\system32\findstr.exe
    findstr /i /c:0x00002000
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /C:"?" >> .\special_characters.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:2988
- - C:\Windows\system32\findstr.exe
    findstr /i /C:"?"
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /C:".mcf" >> .\glorious.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:1920
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".mcf"
    3⤵
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /C:"settings\.db" >> .\logitech.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:4220
- - C:\Windows\system32\findstr.exe
    findstr /i /C:"settings\.db"
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /C:".amc2" >> .\bloody.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:2704
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".amc2"
    3⤵
    PID:3236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal C: csv | findstr /i /C:".cuecfg" >> .\corsair.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal C: csv
    3⤵
    PID:3792
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".cuecfg"
    3⤵
    PID:4496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /c:0x00001000 >> .\old_renamed_files.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:3872
- - C:\Windows\system32\findstr.exe
    findstr /i /c:0x00001000
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /c:0x00002000 >> .\new_renamed_files.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:2312
- - C:\Windows\system32\findstr.exe
    findstr /i /c:0x00002000
    3⤵
    PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /C:"?" >> .\special_characters.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:3008
- - C:\Windows\system32\findstr.exe
    findstr /i /C:"?"
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /C:".mcf" >> .\glorious.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:3024
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".mcf"
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /C:"settings\.db" >> .\logitech.txt
  2⤵
  PID:4420
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:2728
- - C:\Windows\system32\findstr.exe
    findstr /i /C:"settings\.db"
    3⤵
    PID:2924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /C:".amc2" >> .\bloody.txt
  2⤵
  PID:4864
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:1244
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".amc2"
    3⤵
    PID:732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal F: csv | findstr /i /C:".cuecfg" >> .\corsair.txt
  2⤵
  PID:4400
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal F: csv
    3⤵
    - Enumerates connected drives
    PID:1640
- - C:\Windows\system32\findstr.exe
    findstr /i /C:".cuecfg"
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c fsutil usn readjournal c: csv | findstr /i /c:0x80000200 /c:0x00001000 >> journal.txt
  2⤵
  PID:4312
- - C:\Windows\system32\fsutil.exe
    fsutil usn readjournal c: csv
    3⤵
    PID:1908
- - C:\Windows\system32\findstr.exe
    findstr /i /c:0x80000200 /c:0x00001000
    3⤵
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\journal.txt

Filesize
4.9MB

MD5
094236789844111288f93c77e75debc5

SHA1
f42e4585d6e7e966bd849bf843c4b2ac50fc0abe

SHA256
233c8322a269588a3ec0e6e4bd1fc46d26d3f5665d902a1b689ed61c6711fe15

SHA512
c53aec29eae15f3f796b0ae738b98d1b1f3fd9feeee9c7f68cd4a71656c300987712e30256ceaa77e52a7f162d2ab57f8d2fe4de0cfe02048df50a7e9dcbcccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\new_renamed_files.txt

Filesize
8.6MB

MD5
5e2ffeaccee704948cd8cf94e9902538

SHA1
68fa8cf6fe7b2bd7144a1050ea755af9a2bb41a9

SHA256
5b11dbced5a2cddbf42e376a02824dd48bc81d5414c7dd185948bcf4e01ed893

SHA512
a90cb21a64807b589a3032928ef6e80e68c59d8599b96a78ec786493bf629f8847298ab2c7c8db054033dd6d0c7adada1cc4fb10d6566034b6e4680587a9061f

Download Submit
C:\Users\Admin\AppData\Local\Temp\old_renamed_files.txt

Filesize
2.1MB

MD5
b81ef2808346cc6a7eeb3a6911b41154

SHA1
b21a4e0a790aea38f30edf0daa66eb9f36a009b3

SHA256
434b5f4c3d8d82eda66bf9d031eed80d93b6d0031b1120fb33c1d54465701e4c

SHA512
1db7a86f1d50e6d781575bc74d9d8da6b618e5cb4ca69653d07c383eb741942c0ec09bba79c692050b46c5960e57f32cb90353acc0d560bd40ed50d0063a53b2

Download Submit