55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 06:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
Size

6.1MB
MD5

5c38aead7733f5517b559bb493606e82
SHA1

72e24201d52610f133382a55d96ac408bad4c594
SHA256

55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17
SHA512

68af3b9efd6ba7fc0649c9c7186c3ef96a981ff2c4c1dcc404ece51841436db78ab2ba3e126000bbcca8f1511f2b96f45998a7b29f1c12381dd087b99d4846d5
SSDEEP

196608:MMD+cpvJ/4H3nmghWoa/fsysMF4JD85lrkjiAo:MMFgXnU7sElry2

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
Token: SeShutdownPrivilege	2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
Token: SeShutdownPrivilege	2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
Token: SeShutdownPrivilege	2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
Token: SeShutdownPrivilege	2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2320	55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe

C:\Users\Admin\AppData\Local\Temp\55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe
"C:\Users\Admin\AppData\Local\Temp\55532e6aa8774e79873445fdf85f647181e12c43a2714e42fde567397c247d17.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
2KB

MD5
04766f4542ad672b2a3b13df399bd4aa

SHA1
6d450a6fa6b4a43489373091f75fced437633942

SHA256
68b9ba23ad76656cbb1fc80d298c3e48e3a261ad0958d46aa94c817523fa4280

SHA512
2322f667013751d2739383530632b6d207c259d8888ccb7d359ca9ba46d61732c2fb999e3b6b0dccbe17c27fa318cb7a0cc5a34e18eac285072b70ce8041737f

Download Submit