3ee8c079419e1817b557d8ca1b61be3ab2046d0f384bdfafefe2a07bc2c58629

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c255d8e51b1bbe3020a80b176e59c020N.exe
Size

500KB
MD5

c255d8e51b1bbe3020a80b176e59c020
SHA1

764795f7b7ca93918a2c532dae7558a5b85869a9
SHA256

3ee8c079419e1817b557d8ca1b61be3ab2046d0f384bdfafefe2a07bc2c58629
SHA512

dd41c71a8f2c9f0af7662f3d031aa313b93b8f9532033b324eec717488098b7cf070e69b06bb28aa5207e235e0802e313bafab323501145f85eca80a518f2030
SSDEEP

12288:61q6Mn+dPqFKW0WsG7SmNOWxsJCT1gpAc:61hMn+4FlxsqS761gpt

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c255d8e51b1bbe3020a80b176e59c020N.exe

Executes dropped EXE 1 IoCs

pid	Process
2444	s554.exe

Loads dropped DLL 4 IoCs

pid	Process
2452	c255d8e51b1bbe3020a80b176e59c020N.exe
2452	c255d8e51b1bbe3020a80b176e59c020N.exe
2452	c255d8e51b1bbe3020a80b176e59c020N.exe
2452	c255d8e51b1bbe3020a80b176e59c020N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	c255d8e51b1bbe3020a80b176e59c020N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	c255d8e51b1bbe3020a80b176e59c020N.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2452	c255d8e51b1bbe3020a80b176e59c020N.exe
2452	c255d8e51b1bbe3020a80b176e59c020N.exe
2444	s554.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	s554.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2444	s554.exe
2444	s554.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 2444	2452	c255d8e51b1bbe3020a80b176e59c020N.exe	31
PID 2452 wrote to memory of 2444	2452	c255d8e51b1bbe3020a80b176e59c020N.exe	31
PID 2452 wrote to memory of 2444	2452	c255d8e51b1bbe3020a80b176e59c020N.exe	31
PID 2452 wrote to memory of 2444	2452	c255d8e51b1bbe3020a80b176e59c020N.exe	31

C:\Users\Admin\AppData\Local\Temp\c255d8e51b1bbe3020a80b176e59c020N.exe
"C:\Users\Admin\AppData\Local\Temp\c255d8e51b1bbe3020a80b176e59c020N.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\n554\s554.exe
  "C:\Users\Admin\AppData\Local\Temp\n554\s554.exe" ins.exe /e 1911877 /u 4d886865-fe6c-4569-82be-0f545bc06ebe /v "C:\Users\Admin\AppData\Local\Temp\c255d8e51b1bbe3020a80b176e59c020N.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\n554\s554.exe

Filesize
282KB

MD5
a5f96448b94c4cbdb67cab9144084305

SHA1
df5d9135cc23a1cf0c9ec626f07fe6a2fbd7b752

SHA256
3ee1a236436e1bb2d84bc1d586560e7450444828a9c86af7f3c09654a54061b4

SHA512
6b4973bd5895822381944b22832093c6c4d6704ecaf7d693fa7a2c563f18b44342012b9a119b407dcab8824158ce42815a6f54902a93b85855ae1d78d6295899

Download Submit
memory/2444-14-0x000007FEF5F8E000-0x000007FEF5F8F000-memory.dmp

Filesize
4KB

Download
memory/2444-15-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download
memory/2444-16-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-17-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-18-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download
memory/2444-19-0x000007FEF5CD0000-0x000007FEF666D000-memory.dmp

Filesize
9.6MB

Download