53d68027240357724fce907805266b9570ee3b423c9e79fb5009219a4147efcd

General

Target

459be5a092ca532ef7483d0e44b45682.exe
Size

682KB
MD5

459be5a092ca532ef7483d0e44b45682
SHA1

9ec5ea58e564574b1d1d1b468f23bcf886986ec6
SHA256

53d68027240357724fce907805266b9570ee3b423c9e79fb5009219a4147efcd
SHA512

de518ade72047b159078e0cf1062dc44e2c2dfcc88c8e677ce3f5c5c09a09b88729961c63fd08d6c0d9ae1c897c327a4dba7fabba62c013740d4d9cf63f8a873
SSDEEP

12288:oKmobmi5U59nbWPuCVWNi8yHaC4hL60xodq38Z6872OCTzKz8zNTzqzzzZzzz:oHoCi5mnbSudN1yHaCAxl848

Score

9^/10

evasion upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	459be5a092ca532ef7483d0e44b45682.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x00000000004AC000-memory.dmp	upx
behavioral1/memory/2072-40-0x0000000000400000-0x00000000004AC000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2072 set thread context of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2952	459be5a092ca532ef7483d0e44b45682.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28
PID 2072 wrote to memory of 2952	2072	459be5a092ca532ef7483d0e44b45682.exe	28

C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe
"C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe
  C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe
  2⤵
  - Enumerates VirtualBox registry keys
  - Suspicious behavior: EnumeratesProcesses
  PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

Software Discovery

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2072-0-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2072-40-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/2072-3-0x0000000000340000-0x00000000003EC000-memory.dmp

Filesize
688KB

Download
memory/2952-6-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-12-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-15-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-24-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-27-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-21-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-18-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-4-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-9-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-1-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-37-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2952-41-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-36-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-33-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-30-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2952-42-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads