Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
05/07/2024, 11:48
General
-
Target
Your file name without extension goes here.exe
-
Size
2.1MB
-
MD5
81005ce1a11c6f8722c14bea4663e942
-
SHA1
7b69c8315fdc0182a0dcdc1edb58de7819acd72d
-
SHA256
77dc175b8fe04dae53d6c2a82d8842b03eff1f7a0116c5da1e4cebd7e7d6d4b1
-
SHA512
8ee192b32eea8b3427446bae26e5f6ab30c0451fc90f97aad87e25d7ec533b02ccd10ccc881a90f2d1897b17e9bd3dd68d42e204be1e5c4eb3dedec143c13453
-
SSDEEP
12288:qOmuutRpVOCYRl9AJX1p/cLfHaRoQy4b9Ki5yXH5o8VVZ:qk81eRl6bpkzPQyEyXy+
Malware Config
Signatures
-
UAC bypass 3 TTPs 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Uses the VBS compiler for execution 1 TTPs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs regedit.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"2⤵
-
-
C:\Windows\System32\svchost.exe"C:\Windows\System32\svchost.exe"2⤵
-
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe"2⤵
- Runs regedit.exe
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Scripting
1Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
268KB
-
Filesize
4KB
-
Filesize
268KB
-
Filesize
268KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
624KB
-
Filesize
9.9MB