Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 20:13
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20241010-en
General
-
Target
file.exe
-
Size
3.8MB
-
MD5
f5d31bef57f4d69af9f1b44a6f8f8d5e
-
SHA1
2ffa0bb9f123f6e8cda8ef398d33c1c71a01961e
-
SHA256
88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0
-
SHA512
c07729ab676d6db44b0176fd64d0ec79936bbdba2f2526f7b2f24e4e407e8100372329195018d661e2d79536cd02b9046acf739cebee0607aacbfa3331d9395a
-
SSDEEP
49152:oyXV/ctnAqeOjKiPPDWw9OmzBo4H0yr+334/PYWsRtQ4vEphxd+ykCSMpt4xYhp0:rcO2RPP8mlH0yr+0W/5vEpnYmuxY7HET
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions file.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3020 powershell.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools file.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion file.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA file.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum file.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 file.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1304 set thread context of 2276 1304 file.exe 34 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 3020 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1304 file.exe Token: SeDebugPrivilege 3020 powershell.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 1304 wrote to memory of 3020 1304 file.exe 32 PID 1304 wrote to memory of 3020 1304 file.exe 32 PID 1304 wrote to memory of 3020 1304 file.exe 32 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 1304 wrote to memory of 2276 1304 file.exe 34 PID 2276 wrote to memory of 2836 2276 csc.exe 35 PID 2276 wrote to memory of 2836 2276 csc.exe 35 PID 2276 wrote to memory of 2836 2276 csc.exe 35 PID 1304 wrote to memory of 2964 1304 file.exe 36 PID 1304 wrote to memory of 2964 1304 file.exe 36 PID 1304 wrote to memory of 2964 1304 file.exe 36 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- UAC bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1304 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\file.exe" -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2276 -s 203⤵PID:2836
-
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1304 -s 8002⤵PID:2964
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
2