Analysis
- max time kernel: 121s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2024 21:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: vmaware64.exe
- Resource: win7-20240704-en
General
- Target: vmaware64.exe
- Size: 277KB
- MD5: bffab92f405fe14f40b1c128fd5cbf97
- SHA1: 83cd0f565d1b05c4d56660eeee30cf48b5ef1aad
- SHA256: 7ef9217f5bbc58e995de28f851f68d4c850052587e100ab522b860ca71a0b3a1
- SHA512: a1209a24a2eb4bd7985cb4564934eb2a693975c4880eb79af6d65e215d47878e2ac8ed3bb69ea74b41dd24884294720c8d4f9d646a7c35316d0e9c773d380d16
- SSDEEP: 6144:FtN7mjESfkP86KYIa9Z5oO9Xi8w0JKitPcZy4cegilb/rQA8dk:7NSJsxZ5oOh85r8d
Malware Config
Signatures
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools (process: vmaware64.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: vmaware64.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: vmaware64.exe)
Checks installed software on the system (1 TTP, no IoCs recorded)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Maps connected drives based on registry (3 TTPs, 7 IoCs)
Disk information is often read in order to detect sandboxing environments. All seven events belong to process vmaware64.exe; note that the sample walks ControlSet001, ControlSet002 and ControlSet003 rather than only CurrentControlSet.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Disk\Enum
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\Disk\Enum
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\1
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\DeviceDesc
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\FriendlyName
Checks system information in the registry (2 TTPs, 1 IoC)
System information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName (process: vmaware64.exe)
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM. The IoC recorded under this signature is not a DLL but the VirtualBox shared-folder mini-redirector device object; a successful open of that device name is itself a VirtualBox indicator.
- File opened (read-only): \??\VBoxMiniRdrDN (process: vmaware64.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\Description\System\BIOS (process: vmaware64.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: vmaware64.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: vmaware64.exe)
Suspicious behavior: EnumeratesProcesses (44 IoCs)
- pid 2692, process vmaware64.exe (the same pid/process pair is recorded for all 44 events)
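The signatures above amount to a fixed list of registry values plus one device name. The Python below is an added example, not the sample's own code and not part of the sandbox report: it re-implements those probes so that a sandbox operator can run them inside an analysis VM and see which of the artifacts this sample looked for are exposed. The key paths, value names and the VBoxMiniRdrDN device come from the IoC list; the hypervisor marker substrings, the three snapshot dictionaries and the `collect_live` helper are assumptions introduced here.

```python
"""Hypervisor probes reconstructed from this report's IoCs. Added example, not the
sample's own code; marker strings and the three snapshots below are constructed."""
import sys

# Substrings that mark a hypervisor when found in a probed value (assumption).
HYPERVISOR_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "INNOTEK", "QEMU", "VIRTUAL")

# HKLM-relative paths taken from the report. The sample also walked ControlSet002/003.
VMWARE_TOOLS_KEY = r"SOFTWARE\VMware, Inc.\VMware Tools"
SYS = r"HARDWARE\DESCRIPTION\System"
BIOS = r"HARDWARE\DESCRIPTION\System\BIOS"
SYSINFO = r"SYSTEM\ControlSet001\Control\SystemInformation"
DISK = r"SYSTEM\ControlSet001\Services\Disk\Enum"
REGISTRY_PROBES = (  # (label, key, value name) for every value the report shows queried
    ("SystemBiosVersion", SYS, "SystemBiosVersion"),
    ("VideoBiosVersion", SYS, "VideoBiosVersion"),
    ("BIOS SystemManufacturer", BIOS, "SystemManufacturer"),
    ("BIOS SystemProductName", BIOS, "SystemProductName"),
    ("SystemInformation SystemProductName", SYSINFO, "SystemProductName"),
    (r"Disk\Enum\0", DISK, "0"),
    (r"Disk\Enum\1", DISK, "1"),
)
# The report logs the NT path \??\VBoxMiniRdrDN; user mode opens it as \\.\VBoxMiniRdrDN.
VBOX_DEVICE = r"\\.\VBoxMiniRdrDN"


def _flatten(data):
    """REG_MULTI_SZ arrives as a list; join it so one substring search covers every part."""
    return " ".join(map(str, data)) if isinstance(data, (list, tuple)) else str(data)


def _first_marker(text):
    return next((m for m in HYPERVISOR_MARKERS if m in text.upper()), None)


def evaluate(snapshot):
    """Return the (indicator, evidence) pairs that fire for a snapshot of the form
    {"keys": existing keys, "values": {(key, name): data}, "devices": openable device paths}."""
    hits = []
    if VMWARE_TOOLS_KEY.upper() in {k.upper() for k in snapshot.get("keys", ())}:
        hits.append(("VMware Tools key present", VMWARE_TOOLS_KEY))
    for label, key, name in REGISTRY_PROBES:
        data = snapshot.get("values", {}).get((key, name))
        if data is None:
            continue  # value absent: this probe stays silent, the others may still fire
        marker = _first_marker(_flatten(data))
        if marker:
            hits.append((f"{label} contains {marker}", _flatten(data)))
    if VBOX_DEVICE.upper() in {d.upper() for d in snapshot.get("devices", ())}:
        hits.append(("VirtualBox shared-folder device present", VBOX_DEVICE))
    return hits


def collect_live():
    """Snapshot the running host the way the sample probed it (assumes Windows + winreg)."""
    import winreg  # deferred so the module still imports on other platforms
    snap = {"keys": set(), "values": {}, "devices": set()}
    try:
        winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, VMWARE_TOOLS_KEY).Close()
        snap["keys"].add(VMWARE_TOOLS_KEY)
    except OSError:
        pass
    for _, key, name in REGISTRY_PROBES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                snap["values"][(key, name)] = winreg.QueryValueEx(handle, name)[0]
        except OSError:
            pass
    try:
        open(VBOX_DEVICE, "rb").close()
        snap["devices"].add(VBOX_DEVICE)
    except FileNotFoundError:
        pass
    except OSError:
        snap["devices"].add(VBOX_DEVICE)  # device exists but refused the open: still a leak
    return snap


# Constructed snapshots with values typical of each platform (assumptions, not report data).
VMWARE_GUEST = {"keys": {VMWARE_TOOLS_KEY}, "devices": set(), "values": {
    (SYS, "SystemBiosVersion"): ["INTEL  - 6040000", "PhoenixBIOS 4.0 Release 6.0"],
    (SYS, "VideoBiosVersion"): ["VMware SVGA II"],
    (BIOS, "SystemManufacturer"): "VMware, Inc.",
    (BIOS, "SystemProductName"): "VMware Virtual Platform",
    (SYSINFO, "SystemProductName"): "VMware Virtual Platform",
    (DISK, "0"): r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000"}}
VBOX_GUEST = {"keys": set(), "devices": {VBOX_DEVICE}, "values": {
    (SYS, "SystemBiosVersion"): ["VBOX   - 1"],
    (BIOS, "SystemManufacturer"): "innotek GmbH",
    (BIOS, "SystemProductName"): "VirtualBox",
    (DISK, "0"): r"SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&2617f2d2&0&000000"}}
BARE_METAL = {"keys": set(), "devices": set(), "values": {
    (SYS, "SystemBiosVersion"): ["DELL   - 1072009", "1.21.0"],
    (SYS, "VideoBiosVersion"): ["Intel Video BIOS"],
    (BIOS, "SystemManufacturer"): "Dell Inc.",
    (BIOS, "SystemProductName"): "Latitude 7420",
    (SYSINFO, "SystemProductName"): "Latitude 7420",
    (DISK, "0"): r"SCSI\Disk&Ven_NVMe&Prod_PM9A1_NVMe_Samsung\4&1a2b3c4d&0&000000"}}

if __name__ == "__main__":
    target = collect_live() if sys.platform == "win32" else VMWARE_GUEST
    for indicator, evidence in evaluate(target):
        print(f"{indicator}: {evidence}")
```

Run off Windows, the script evaluates the constructed VMware snapshot; on Windows, `collect_live()` reads the real values through the standard-library winreg module and opens the device name the report shows. The constructed VMware SystemBiosVersion deliberately carries no vendor string, which is the practical reason a detector chains all of these probes rather than trusting any one of them; hardening an analysis VM therefore means scrubbing every value in REGISTRY_PROBES across all control sets, not only the obvious product name.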
Processes
- C:\Users\Admin\AppData\Local\Temp\vmaware64.exe (PID 2692), command line: "C:\Users\Admin\AppData\Local\Temp\vmaware64.exe"
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Checks system information in the registry
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses