aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
Size

5.7MB
MD5

f4ab1f3cd0b25046a92f9a5e3ee685c8
SHA1

bad6466cf662a305665ac3dc83e346f809f25d76
SHA256

aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5
SHA512

c23894c7566ceeff1107f05d296ddebf980eb36cc2862fac992d3f0166e73775bac2aaa1a5d6ea96f676c6cb21baa56b23d3dc52f131870acb7515b5ca963705
SSDEEP

98304:j/6n94bDY2EBcBuq62V///4nAWakrn7S/IhWoaVVfs/VIsMF4JD8iulhq7NmYkV2:mMD+cpvJ/4H3nmghWoa/fsysMF4JD85S

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
Token: SeShutdownPrivilege	2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
Token: SeShutdownPrivilege	2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2972	aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe

C:\Users\Admin\AppData\Local\Temp\aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe
"C:\Users\Admin\AppData\Local\Temp\aead5f8a50a452f64f8dc540ae9b1c6d3457479196e4d59f5bb2fceaf6a617e5.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
9KB

MD5
78b7d7b736ea57e157fe33d62c299818

SHA1
ad5edf44f99556ece2c42b75820f85f3bcb99a86

SHA256
96b579d317099c8a1a8e572b6d22dd426991ba2873789196c144a2cf3e3aa12b

SHA512
3c457acc8fb446ae6a7ffe44c12adbb03780fa25751c9e66137b207b00be774fc100b80d896049250828b298a39875235fff241d4ec364dcfce43a241782d1b1

Download Submit