23dc29c21e9b12bfea4578988908c8a810b5d0a4a2d1922ca2de73a2d0f53285

Analysis

max time kernel
148s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f770c2d1cdf5342b4d4ab125dc7d579d.exe
Size

899KB
MD5

f770c2d1cdf5342b4d4ab125dc7d579d
SHA1

5d134911b22a90260f6afe0d1e8011ac6eed4736
SHA256

23dc29c21e9b12bfea4578988908c8a810b5d0a4a2d1922ca2de73a2d0f53285
SHA512

0e1f89b9e0e5f0ee4dfa5f6c18900709c92a6c51e83dcab3b6f46ca96538f2d77af3b640b35edebd06e01549419eeb9c45cc6707b376d32175597c80c5e5b285
SSDEEP

24576:JxGa4DpzkdGp9JcK68JlCYRK+ILTfBLXSYoy:Caq9GKC7+CK

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp

Loads dropped DLL 9 IoCs

pid	Process
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp
532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	f770c2d1cdf5342b4d4ab125dc7d579d.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	532	f770c2d1cdf5342b4d4ab125dc7d579d.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 532	3412	f770c2d1cdf5342b4d4ab125dc7d579d.exe	24
PID 3412 wrote to memory of 532	3412	f770c2d1cdf5342b4d4ab125dc7d579d.exe	24
PID 3412 wrote to memory of 532	3412	f770c2d1cdf5342b4d4ab125dc7d579d.exe	24

C:\Users\Admin\AppData\Local\Temp\f770c2d1cdf5342b4d4ab125dc7d579d.exe
"C:\Users\Admin\AppData\Local\Temp\f770c2d1cdf5342b4d4ab125dc7d579d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\is-5O0KH.tmp\f770c2d1cdf5342b4d4ab125dc7d579d.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5O0KH.tmp\f770c2d1cdf5342b4d4ab125dc7d579d.tmp" /SL5="$401D6,500774,146432,C:\Users\Admin\AppData\Local\Temp\f770c2d1cdf5342b4d4ab125dc7d579d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious use of AdjustPrivilegeToken
  PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5O0KH.tmp\f770c2d1cdf5342b4d4ab125dc7d579d.tmp

Filesize
320KB

MD5
656c9643a4b94afe3348cde2778b1143

SHA1
3a48e45010994b54edda17dc68241adaef469ff4

SHA256
c7f1cac86c81c10ea0b3288ad58c086d199bd365e7adcfe92685e9127005914e

SHA512
c4bf1eaf9121738f1203f2f583b4ede84c4db0b9bf3e125865fa2858bf37755d506dcc1b0cbbdc77bcead0998e647d99dcc733cc20a9e02130c30b830bd70cf1

Download Submit
memory/532-51-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/532-54-0x0000000003370000-0x00000000033E0000-memory.dmp

Filesize
448KB

Download
memory/532-21-0x0000000003370000-0x00000000033E0000-memory.dmp

Filesize
448KB

Download
memory/532-39-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/532-43-0x0000000073500000-0x0000000073AB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-44-0x0000000073500000-0x0000000073AB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-45-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/532-28-0x0000000005650000-0x0000000005665000-memory.dmp

Filesize
84KB

Download
memory/532-73-0x0000000005670000-0x0000000005770000-memory.dmp

Filesize
1024KB

Download
memory/532-7-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/532-55-0x0000000005650000-0x0000000005665000-memory.dmp

Filesize
84KB

Download
memory/532-53-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/532-66-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/532-57-0x0000000073500000-0x0000000073AB1000-memory.dmp

Filesize
5.7MB

Download
memory/532-56-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/532-63-0x0000000005960000-0x0000000005970000-memory.dmp

Filesize
64KB

Download
memory/532-64-0x0000000005670000-0x0000000005770000-memory.dmp

Filesize
1024KB

Download
memory/532-68-0x0000000005650000-0x0000000005665000-memory.dmp

Filesize
84KB

Download
memory/3412-52-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3412-1-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download