Analysis

max time kernel: 91s
max time network: 131s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-09-2024 01:08
Static task: static1

Behavioral task: behavioral1
  Sample: VirtualBox-7.0.20-163906-Win.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: VirtualBox-7.0.20-163906-Win.exe
  Resource: win10v2004-20240802-en
General

Target: VirtualBox-7.0.20-163906-Win.exe
Size: 105.1MB
MD5: b822835698e76fff193342effc92d286
SHA1: e049adb24caf0153b94e801da9835d485c67e38c
SHA256: fa3544162eee87b660999bd913f76ccb2e5a706928ef2c2e29811e4ac76fb166
SHA512: 0381b27478dc25d4b3707fb21a34be66ca42eb18d93ce8ec90be7325015f540a39ebfea58b7992a38cc2c861e6e86d89c67f5b3a84ddb65e339fcca0dc314bed
SSDEEP: 3145728:VuwDpzeIGwA7iKVCv8hxxgFYHey3WCfEOiP1e48TetH+H9:VuwDpz9A70Cno1XZBtHC9
Malware Config

Signatures

- Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
- Loads dropped DLL (5 IoCs)
  pid   Process
  4916  MsiExec.exe
  4916  MsiExec.exe
  4916  MsiExec.exe
  4916  MsiExec.exe
  4916  MsiExec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   VirtualBox-7.0.20-163906-Win.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (1 IoCs)
  pid   Process
  556   VirtualBox-7.0.20-163906-Win.exe

- Suspicious use of WriteProcessMemory (2 IoCs)
  description                        pid   Process      procid_target
  PID 1460 wrote to memory of 4916   1460  msiexec.exe  88
  PID 1460 wrote to memory of 4916   1460  msiexec.exe  88
Processes

- C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\VirtualBox-7.0.20-163906-Win.exe"
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 556

- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1460

  - C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding A9C2006E9A8993C224D017D5014369F9 C
    - Loads dropped DLL
    PID: 4916
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 324KB
  MD5: 0653ce43996240dde250d557ef940bed
  SHA1: da125564fadda9bea308bd7325d4664ee14c69a8
  SHA256: d2fd21376c4595e60299e37cb55dceb92b531685f1a4545c6bb73681dbcad193
  SHA512: 27ab2bd553fa390315d360e593ca95e90f8de13d0d60326549fd5e63479143b33a0a7a49c4111e2041cfb05d5f2e9b516eaa7261acae3884094e3842a8309a6c