f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe
Size

6.2MB
MD5

9931a63ffde51187b1cbdd7a81fa1dfb
SHA1

7daa5e3724c1c9ed44689a533a7a6ef71fd07208
SHA256

f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41
SHA512

0742f07d4a3ed9e12f675dee635693f1bc926e895fa71db7cd9af0e5250f7570c5830305e43b1caa65f95068af92e18b446ac58354cce2d5bcbc0ebe810b1743
SSDEEP

196608:oMD+cpvJ/4H3nmghWoa/fsysMF4JD85lJiY9pkjic:oMFgXnU7sEl79pyX

Score

9^/10

discovery evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2148	f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2148	f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2148	f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe

C:\Users\Admin\AppData\Local\Temp\f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe
"C:\Users\Admin\AppData\Local\Temp\f2fa3ee40e1be3913e0920cdfd4f744e47bc082fffa276caed011859c3e3ad41.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
8KB

MD5
6a71ec0a8ba79bb83b361a803554ef05

SHA1
35eff8658ad64751350d40fcc3928113d475e96e

SHA256
414513439365bcdde4a7a122d48e88da0c5f133656e9a7a2454706dfbb40c324

SHA512
48b6975ce3fee081feb1a54090d4bf98a2e837d1cd8ff6aa5340020e09120e013898c9fb2412a5fa7c4c95a95b1876fb45cccdd73835759187f0cc68dd55b021

Download Submit