dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23/05/2024, 20:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
Size

5.7MB
MD5

a03564c6de1776523a4f9c7154d6c8a4
SHA1

b62315581108cf1b8f574eac78a3a9a7c664da1d
SHA256

dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9
SHA512

b78133298bf8cfc176a0d905669936491d0f6e2be5280042636437fbdca96e0f833b90eb620a03c98bf904504fe96c0b26fabc0ced7258870275bdedf12a599c
SSDEEP

98304:b/6n94bDY2EBcBuq62V///4nAWakrn7S/IhWoaVVfs/VIsMF4JD8iulhq7NmkkVX:uMD+cpvJ/4H3nmghWoa/fsysMF4JD85z

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
Token: SeShutdownPrivilege	2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
Token: SeShutdownPrivilege	2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
Token: SeShutdownPrivilege	2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
Token: SeShutdownPrivilege	2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2424	dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe

C:\Users\Admin\AppData\Local\Temp\dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe
"C:\Users\Admin\AppData\Local\Temp\dafffd794ddbe233d894d0736a5806050c6eefa30ed9d2ef25a4a23ec664d0b9.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
3KB

MD5
51fc567f952883108b35b8fa14bb6692

SHA1
f270f6e90522780a6af8e31e919989a150cad885

SHA256
5e348dee358054ab3329ddbb2536d384ea5b7b39cb7736a39a39ead57d197ca1

SHA512
08edb31afcd8733bf7051133bb6bb5336c934d875b648f738f4ca43f30dba8e200bb353ad80d98f574e3a0499bd4aa19e5dd39a75a2a13de590480c9e61163b2

Download Submit