5d9562f015510a723f1531ba29ed55eced3da6ae3402d5943fac358eb8f2ef87

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adc7e2d59b7ba16257a324402a842ca0N.exe
Size

4.5MB
MD5

adc7e2d59b7ba16257a324402a842ca0
SHA1

d2d334d235caec709e77be6595a544992dbb6760
SHA256

5d9562f015510a723f1531ba29ed55eced3da6ae3402d5943fac358eb8f2ef87
SHA512

4dc7f99228ab880555181483637cdf0a79ec0c7c7827abb07b8c4e8bc2e6523208b2adb68afe6d8835fb0aed2c09762b77984938aeabb7a57e3b9e644ac6b7b0
SSDEEP

98304:SjysHjbTDnOTNn122TAqnLBBdzDBP40fkqXf0FFV3GJIT4bNJFY3OqtP4V:SjNHjbP82+LtBNfkSIFV2JjBHYf4V

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	adc7e2d59b7ba16257a324402a842ca0N.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	adc7e2d59b7ba16257a324402a842ca0N.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	adc7e2d59b7ba16257a324402a842ca0N.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	adc7e2d59b7ba16257a324402a842ca0N.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	adc7e2d59b7ba16257a324402a842ca0N.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	adc7e2d59b7ba16257a324402a842ca0N.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	adc7e2d59b7ba16257a324402a842ca0N.exe

C:\Users\Admin\AppData\Local\Temp\adc7e2d59b7ba16257a324402a842ca0N.exe
"C:\Users\Admin\AppData\Local\Temp\adc7e2d59b7ba16257a324402a842ca0N.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2248-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2248-1-0x0000000000DC0000-0x0000000001246000-memory.dmp

Filesize
4.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads