3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
Size

5.7MB
MD5

f1dc3b202c1f1fed1b762c77e783fb91
SHA1

df9bd55296aec249da1a0a3164b54d91e91478f8
SHA256

3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81
SHA512

a71249a709560b7509693f03a6f90f61b2f88dc5905aff6c3aeae47378b357a267efb67954696efb050ce35609a6e173d1fdbf8c69162aa836bda36b2ac9fad8
SSDEEP

98304:j/6n94bDY2EBcBuq62V///4nAWakrn7S/IhWoaVVfs/VIsMF4JD8iulhq7NmjkV4:mMD+cpvJ/4H3nmghWoa/fsysMF4JD85D

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
Token: SeShutdownPrivilege	2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
Token: SeShutdownPrivilege	2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
Token: SeShutdownPrivilege	2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
Token: SeShutdownPrivilege	2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2864	3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe

C:\Users\Admin\AppData\Local\Temp\3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe
"C:\Users\Admin\AppData\Local\Temp\3a101eabbc7a34f6f8257642cace066675a5cce75b81a8371b0d83f00bb6fa81.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
6KB

MD5
9af399807d86d381b752c558b98fddbc

SHA1
768f624b7384e727de7f38bc91e0da9a8a47b6b9

SHA256
799eaf3f7e043ee58e42551e358111ad1d1fe381714df96be484bbaed0bd56a2

SHA512
a8f75cfa2b924e10717aebaae45ba1c4a633ba6d0df8f5758891c18b53e819042c9bc3a35989adff04262a6563c2e3e4427962df8f7d0a90a51d323b318d3013

Download Submit