Analysis
max time kernel: 77s
max time network: 126s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 18:03

Static task: static1
Behavioral task: behavioral1
  Sample: VirtualBox-7.0.20-163906-Win.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: VirtualBox-7.0.20-163906-Win.exe
  Resource: win10v2004-20240802-en

General
Target: VirtualBox-7.0.20-163906-Win.exe
Size: 105.1MB
MD5: b822835698e76fff193342effc92d286
SHA1: e049adb24caf0153b94e801da9835d485c67e38c
SHA256: fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166
SHA512: 0381b27478dc25d4b3707fb21a34be66ca42eb18d93ce8ec90be7325015f540a39ebfea58b7992a38cc2c861e6e86d89c67f5b3a84ddb65e339fcca0dc314bed
SSDEEP: 3145728:VuwDpzeIGwA7iKVCv8hxxgFYHey3WCfEOiP1e48TetH+H9:VuwDpz9A70Cno1XZBtHC9
Malware Config

Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Loads dropped DLL (5 IoCs)
pid / Process:
- 1620 MsiExec.exe
- 1620 MsiExec.exe
- 1620 MsiExec.exe
- 1620 MsiExec.exe
- 1620 MsiExec.exe
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (VirtualBox-7.0.20-163906-Win.exe)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2072 VirtualBox-7.0.20-163906-Win.exe
Suspicious use of WriteProcessMemory (2 IoCs)
- PID 4024 (msiexec.exe) wrote to memory of PID 1620, procid_target 88
- PID 4024 (msiexec.exe) wrote to memory of PID 1620, procid_target 88
Processes

- C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe"
  PID: 2072
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 4024
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding A686A77243E869CB0069577D084B5907 C
    PID: 1620
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 324KB
MD5: 0653ce43996240dde250d557ef940bed
SHA1: da125564fadda9bea308bd7325d4664ee14c69a8
SHA256: d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193
SHA512: 27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c