Analysis

max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-08-2024 21:33
General

Target: Final_Exo.exe
Size: 11.6MB
MD5: 95ca9ea4df718e942a9469809d4d3f0c
SHA1: 3b10fcdad8200b06a819cce0ef2927e8ac2b41e4
SHA256: 2bde57f6947faaf82ac15c44168284560b7b0f4178a17aaeb6ff7347528127eb
SHA512: 085d634494aae323d7a632659aea6b4e61a77e7b5e960d7654b6e8dc1c32e9e2cac6c89535844b8011e3e1a5e5a027312eff03698226c2a206d436bcaa7e1cad
SSDEEP: 196608:K2GXWNwlpIKEmpYg0nSKOfF8UNQfjzWdRlASRXUGTgT1LglvZkgrc:KFMdSQnSzmUNSjzlSRFKglhkgI
Malware Config
Signatures

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | Final_Exo.exe
Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools | Final_Exo.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Final_Exo.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Final_Exo.exe
Obfuscated with Agile.Net obfuscator (1 IoC)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource | yara_rule
behavioral1/memory/616-1-0x0000027A4E9C0000-0x0000027A4F56C000-memory.dmp | agile_net
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | Final_Exo.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | Final_Exo.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid | process | entries
616 | Final_Exo.exe | 4
4040 | taskmgr.exe | 60
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
4040 | taskmgr.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 616 | Final_Exo.exe
Token: SeDebugPrivilege | 4040 | taskmgr.exe
Token: SeSystemProfilePrivilege | 4040 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 4040 | taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid | process | entries
4040 | taskmgr.exe | 64
Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
pid | process | entries
4040 | taskmgr.exe | 64
Processes

C:\Users\Admin\AppData\Local\Temp\Final_Exo.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Final_Exo.exe"
  - Looks for VirtualBox Guest Additions in registry
  - Looks for VMWare Tools registry key
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 616

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 4040