Analysis
max time kernel: 122s
max time network: 130s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 06/01/2024, 07:14
Behavioral task behavioral1
Sample: 459be5a092ca532ef7483d0e44b45682.exe
Resource: win7-20231215-en

Behavioral task behavioral2
Sample: 459be5a092ca532ef7483d0e44b45682.exe
Resource: win10v2004-20231215-en
General
Target: 459be5a092ca532ef7483d0e44b45682.exe
Size: 682KB
MD5: 459be5a092ca532ef7483d0e44b45682
SHA1: 9ec5ea58e564574b1d1d1b468f23bcf886986ec6
SHA256: 53d68027240357724fce907805266b9570ee3b423c9e79fb5009219a4147efcd
SHA512: de518ade72047b159078e0cf1062dc44e2c2dfcc88c8e677ce3f5c5c09a09b88729961c63fd08d6c0d9ae1c897c327a4dba7fabba62c013740d4d9cf63f8a873
SSDEEP: 12288:oKmobmi5U59nbWPuCVWNi8yHaC4hL60xodq38Z6872OCTzKz8zNTzqzzzZzzz:oHoCi5mnbSudN1yHaCAxl848
Malware Config
Signatures
- Checks for common network interception software (1 TTPs)
  Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
- Enumerates VirtualBox registry keys (2 TTPs, 1 IoCs)
  description: Key opened
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
  Process: 459be5a092ca532ef7483d0e44b45682.exe
- yara_rule matches
  resource: behavioral1/memory/2072-0-0x0000000000400000-0x00000000004AC000-memory.dmp, yara_rule: upx
  resource: behavioral1/memory/2072-40-0x0000000000400000-0x00000000004AC000-memory.dmp, yara_rule: upx
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2072 set thread context of 2952
  pid: 2072
  Process: 459be5a092ca532ef7483d0e44b45682.exe
  procid_target: 28
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid: 2952
  Process: 459be5a092ca532ef7483d0e44b45682.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 2072 wrote to memory of 2952 (17 identical entries)
  pid: 2072
  Process: 459be5a092ca532ef7483d0e44b45682.exe
  procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe (PID 2072)
  command line: "C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe (PID 2952)
    command line: C:\Users\Admin\AppData\Local\Temp\459be5a092ca532ef7483d0e44b45682.exe
    - Enumerates VirtualBox registry keys
    - Suspicious behavior: EnumeratesProcesses