Analysis
-
max time kernel
119s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 19:58
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20240903-en
General
-
Target
file.exe
-
Size
3.8MB
-
MD5
f5d31bef57f4d69af9f1b44a6f8f8d5e
-
SHA1
2ffa0bb9f123f6e8cda8ef398d33c1c71a01961e
-
SHA256
88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0
-
SHA512
c07729ab676d6db44b0176fd64d0ec79936bbdba2f2526f7b2f24e4e407e8100372329195018d661e2d79536cd02b9046acf739cebee0607aacbfa3331d9395a
-
SSDEEP
49152:oyXV/ctnAqeOjKiPPDWw9OmzBo4H0yr+334/PYWsRtQ4vEphxd+ykCSMpt4xYhp0:rcO2RPP8mlH0yr+0W/5vEpnYmuxY7HET
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions file.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 1104 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 file.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum file.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2172 set thread context of 2664 2172 file.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1104 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2172 file.exe Token: SeDebugPrivilege 1104 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 2172 wrote to memory of 1104 2172 file.exe 33 PID 2172 wrote to memory of 1104 2172 file.exe 33 PID 2172 wrote to memory of 1104 2172 file.exe 33 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2664 2172 file.exe 35 PID 2172 wrote to memory of 2760 2172 file.exe 36 PID 2172 wrote to memory of 2760 2172 file.exe 36 PID 2172 wrote to memory of 2760 2172 file.exe 36 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2172 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵PID:2664
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2172 -s 9842⤵PID:2760
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2