a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/05/2024, 12:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
Size

5.7MB
MD5

8807041f13b3ccffde2447e287f9eb9a
SHA1

a78b7a35a1e2dbdafa256de0685cc89b86061f76
SHA256

a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4
SHA512

d21c4f604199d671c0848c5b1558c953126e11d861f68a418897f5668f5dcf141cea89170202abe5a4335cf1a0f526e1a8b2f00d341f97d5a081756c1afb0337
SSDEEP

98304:j/6n94bDY2EBcBuq62V///4nAWakrn7S/IhWoaVVfs/VIsMF4JD8iulhq7NmVkVK:mMD+cpvJ/4H3nmghWoa/fsysMF4JD85P

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
Token: SeShutdownPrivilege	2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
Token: SeShutdownPrivilege	2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
Token: SeShutdownPrivilege	2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
Token: SeShutdownPrivilege	2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2400	a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe

C:\Users\Admin\AppData\Local\Temp\a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe
"C:\Users\Admin\AppData\Local\Temp\a0e192bfdacf4fbe94108646e45c22a3d827e0bcda3aa5c856f02a4716c4adb4.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
657B

MD5
8f89e9ae2b516021d8e031c12386d174

SHA1
754b6776ba2200740a9aed6ba113f4ea255017c8

SHA256
f7b79ddd44b7d3ba4004b5da04b13ce357757dd17927253ae663121891cafa1e

SHA512
287caff9db192e41d934c781543c611db6b7840773ae5577fd28312e35271a3aec07b9f45f73bf9807045ff57a8ba238944d78f98b17dae9d123059f85c9968a

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
4KB

MD5
eade72d07591171a46bb8ed2e1dc3827

SHA1
5c9c8fa8e40c474881153c23fde30a973cff9a53

SHA256
174d3d78ea1bac9457ac652576013d924a84510c6e5a02d455f53f9bd7d7becc

SHA512
422c045bfb8c13bef9e21add2ef7894fc97b92a972e0e041e517f68d694ae0e1093684e4f05e94c1a4e7f645f322b8b8c4c3ee61bd2b9c0c698c8b3f3975c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
315B

MD5
f7ef7df949d978e9e3578dc5ccf98bae

SHA1
46499e492c77e1e42076482fcedad7147c096b7f

SHA256
38f1ad4600d61d3ff24f323d4dec6164760e8aa64b6ccea85605f13cda541c34

SHA512
7479ea33c7faf4d0e9985e4ad60a9ed4dd0efa97cc8acde56c264dc8b44d271e6fd2de8f2ec9b3933a8ca467897211b84237a1a86b265ff724f3737bdc1dd67c

Download Submit