5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16

Analysis

max time kernel
136s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
Size

5.7MB
MD5

6670376842668c9015833b07fc6b92ef
SHA1

dd3471fef9630b46a3e734cf76232ddeeefe8b82
SHA256

5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16
SHA512

9de5569a05f3011ef814c682f2995ea67dbbce02625e76627182fd05e43a1d0b360bd533899f2771f09b4b4ba216ac6a0323510f24eb72931e554f4c1d4a34f5
SSDEEP

98304:j/6n94bDY2EBcBuq62V///4nAWakrn7S/IhWoaVVfs/VIsMF4JD8iulhq7NmMkVp:mMD+cpvJ/4H3nmghWoa/fsysMF4JD85B

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2284	5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe

C:\Users\Admin\AppData\Local\Temp\5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe
"C:\Users\Admin\AppData\Local\Temp\5684bacad212c89707f53f052cf4e3261b397110e9424e764772db7010deca16.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
652B

MD5
257ea0b36aa9ed0c69b12282bf9eca90

SHA1
f7b95797b483a8e6c2161ad1f2855d2a17e8fcdc

SHA256
08e5e6a9b924b5707aa5192cccc31375c478b245b01d852f2a70ba9b364c5ca3

SHA512
24730cbef382c08849a53cae92f89dc073a454e5643de8e0a046f5bebde807ec5339f4cc3c4eb0d3202c7b4c2cbae21dc9d6af4a2f9debcc7dad08cb7fabc472

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
7KB

MD5
bbec3258530bcad4f96de8bff2b6e9cc

SHA1
25239b61a71e703d02e72f7e1c3bc0182d8f4d44

SHA256
3b62af586b3f880963d7db3870f8d02b79df08f63979fec40dd9d35fafa7b630

SHA512
8f0b314a43c2baf81ec5009be0d958b65993913bfe84d21ab0211a846106efaa6c8cac336a475b99bd948a525732f6d73df5e61946c8c4a7739cda2d75d4a6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
310B

MD5
91df7be12f54f500568b90d79de3f11d

SHA1
e471ad827d6dc4ee2a9d8aa901d12099a51f7161

SHA256
a853b33147730f893dfc35122d6780753a038efc4e845922fef8167c57e54407

SHA512
89dfc8afde9ed33d7efab488864a48da13733c3fc169721fd8dfa094321bacbe4287a68977cf929bf56cf545c9ec13e69bf206f2e1cd218a465b54a8a9dac585

Download Submit