Overview

overview

9

Static

static

5

temp_0sz7n...in.exe

windows7-x64

9

temp_0sz7n...in.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    143s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    temp_0sz7npj031wnvpnvg170.bin.exe

  • Size

    6.0MB

  • MD5

    ab09d7d42cea63410374cc3de8f021c1

  • SHA1

    1766566087780f9b016ac67eaf28196f89b41731

  • SHA256

    5168a986f9710c4f47b45c8bb815d332a0aed107bd380294cf748495d72b0de1

  • SHA512

    686f21dcac7dc63cd072f2740f9235ab655dcb1ce4d98f0e57e380daa244680248b9a53ff94ff3af3d8016088e608530009a5a94a59ec9a34004a8503ce2d69c

  • SSDEEP

    196608:Z3dxfH3KFhUi1h9RXWFmDpuGKN1lbdEm:Z3dRH3/i1XFWFmDpO3y

Score
9/10
discoveryevasion

Malware Config

Signatures

  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\temp_0sz7npj031wnvpnvg170.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\temp_0sz7npj031wnvpnvg170.bin.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4824
    • C:\Users\Admin\AppData\Local\Temp\Dots Software 6.4.0.exe
      "C:\Users\Admin\AppData\Local\Temp\Dots Software 6.4.0.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3440

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autA2D7.tmp
    Filesize

    5.1MB

    MD5

    a802a0d5eb06166a9f5e822d0eea5daf

    SHA1

    ec7c937d1de14de3fda034bbdddea15f07133b2b

    SHA256

    f9c71efaedc7ea6f78ec639cdff44a6678b9aa375e772700b8579b4c37ffd397

    SHA512

    8e49482ca6206d82a4f10ab1cfedf72744ec38991d2f198bfe3a873d9ecebb223d5b2e8c8378271dc502767f7812f1538d8bf63d3d3a6665e9efb42d9e5766a8

    Download Submit

  • memory/3440-10-0x00007FF83D4B3000-0x00007FF83D4B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3440-11-0x0000025EF4B20000-0x0000025EF504E000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3440-12-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-13-0x0000025EF7870000-0x0000025EF7D5A000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3440-14-0x0000025EF6CB0000-0x0000025EF6CC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3440-15-0x0000025EF6DC0000-0x0000025EF6DFC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3440-16-0x0000025EF82E0000-0x0000025EF86E6000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3440-17-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-18-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-19-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-20-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-21-0x00007FF83D4B3000-0x00007FF83D4B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3440-22-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-23-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-24-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-25-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-26-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3440-27-0x00007FF83D4B0000-0x00007FF83DF71000-memory.dmp

    Filesize

    10.8MB

    Download