11c3b03042d90c24dc2c60f82be768107c8fb5a3d94c365ae38ed0e973d5834d

General

Target

01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
Size

500KB
MD5

01d6c5df1bb72d7cf24a4ac1a0c183ed
SHA1

a6663fab9323a3b13eae431b254a40e048279ee0
SHA256

11c3b03042d90c24dc2c60f82be768107c8fb5a3d94c365ae38ed0e973d5834d
SHA512

7dae4519f9623fb648bf9f163030092f585e1b222622bf4160c2d6c78c4f8bfc393aa332d83790e9d4fe0fe05ddec678feb8016aa6aefaaefbdb103a11d6960b
SSDEEP

12288:S2HfeXGzugzgbQe8tXRLaKXAZ7TGNB0vmBAZoc87:SMG0urvQXdaXZ+NUuAX87

Score

9^/10

evasion upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest 01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/1632-2-0x0000000002070000-0x0000000002134000-memory.dmp	upx
behavioral1/memory/1632-40-0x0000000000400000-0x00000000004C4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

description pid process target process

PID 1632 set thread context of 2316 1632 01d6c5df1bb72d7cf24a4ac1a0c183ed.exe 01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

pid process

2316 01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

description	pid	process	target process
PID 1632 set thread context of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

pid	process
2316	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

C:\Users\Admin\AppData\Local\Temp\01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
"C:\Users\Admin\AppData\Local\Temp\01d6c5df1bb72d7cf24a4ac1a0c183ed.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
C:\Users\Admin\AppData\Local\Temp\01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
2⤵
- Enumerates VirtualBox registry keys
- Suspicious behavior: EnumeratesProcesses
PID:2316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Software Discovery

1

T1518

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-40-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/1632-2-0x0000000002070000-0x0000000002134000-memory.dmp

Filesize
784KB

Download
memory/1632-0-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2316-30-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-21-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2316-36-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-33-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-24-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-27-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-41-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-18-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-15-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-12-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-6-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-4-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-1-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2316-42-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download

description	pid	process	target process
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe
PID 1632 wrote to memory of 2316	1632	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe	01d6c5df1bb72d7cf24a4ac1a0c183ed.exe

Analysis

Sharing