f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd

General

Target

d345138f48b7d610e4f7d280504a5a36.exe
Size

2.7MB
MD5

d345138f48b7d610e4f7d280504a5a36
SHA1

f4f24851b4249d37bcddebbe3a6084266f7dcf2a
SHA256

f5fbd66fa754b518289e512f61ed872924ff06f80ec48dc08bd270b179d783cd
SHA512

3e4fe2ad60059e1bfc696dfaeb1399c3a9c01ff44a6728fe6244dc7ebf27d18429c9e0e9b72a05727911ed6337eece15a242b8d5ce0d723350ad459772069c69
SSDEEP

49152:6PbUDBy6zxsQZr5nGoL6DGrfTt5L5S2+F96XDumJBAwI8KSWBDfUHM6M6a/9K9zE:68r19k6SGeeKD9fUs6Fa/Y9zztzzK

Score

9^/10

evasion upx

Malware Config

Signatures

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/2244-3-0x0000000000430000-0x0000000000442000-memory.dmp	CustAttr

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions d345138f48b7d610e4f7d280504a5a36.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools	d345138f48b7d610e4f7d280504a5a36.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d345138f48b7d610e4f7d280504a5a36.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1656-14-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/1656-15-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	d345138f48b7d610e4f7d280504a5a36.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	d345138f48b7d610e4f7d280504a5a36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2912 schtasks.exe

pid	process
2912	schtasks.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

d345138f48b7d610e4f7d280504a5a36.exe

description	pid	process	target process
PID 2244 wrote to memory of 2912	2244	d345138f48b7d610e4f7d280504a5a36.exe	schtasks.exe
PID 2244 wrote to memory of 2912	2244	d345138f48b7d610e4f7d280504a5a36.exe	schtasks.exe
PID 2244 wrote to memory of 2912	2244	d345138f48b7d610e4f7d280504a5a36.exe	schtasks.exe
PID 2244 wrote to memory of 2912	2244	d345138f48b7d610e4f7d280504a5a36.exe	schtasks.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe
PID 2244 wrote to memory of 1656	2244	d345138f48b7d610e4f7d280504a5a36.exe	d345138f48b7d610e4f7d280504a5a36.exe

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NWKQwZWIgp" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB61.tmp"
2⤵
- Creates scheduled task(s)
PID:2912

C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe
"C:\Users\Admin\AppData\Local\Temp\d345138f48b7d610e4f7d280504a5a36.exe"
2⤵
PID:1656

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDB61.tmp
Filesize
1KB

MD5
88d6e7f94927581c2824d4b280e9dbbb

SHA1
eaa67bb91d33d6da411a0a74304719fcd3fc1e2f

SHA256
5bd8e282e2fbf70fe4dfc625fe9c7496fa350fe7d28ce05652269bcec98e5618

SHA512
ae626624eee7f87039d48fb8a115c1ecc136c19048789b5221f90463b10904f2c7aa31dc4c53fca65f56bc40480549988a243f419330f3348c24b0779d9ad730

Download Submit
memory/1656-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1656-15-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1656-14-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/1656-13-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2244-3-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2244-6-0x00000000056F0000-0x00000000058B0000-memory.dmp

Filesize
1.8MB

Download
memory/2244-7-0x00000000059B0000-0x0000000005B28000-memory.dmp

Filesize
1.5MB

Download
memory/2244-5-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/2244-4-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2244-0-0x0000000001240000-0x0000000001506000-memory.dmp

Filesize
2.8MB

Download
memory/2244-2-0x0000000007530000-0x0000000007570000-memory.dmp

Filesize
256KB

Download
memory/2244-1-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads