Analysis
max time kernel: 92s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/11/2024, 15:55
Behavioral task: behavioral1
Sample: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Resource: win7-20240903-en
General
Target: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Size: 574KB
MD5: 84dc9e5f85faf4b3a38813e35e289450
SHA1: d5b5eaa57b1bacedaec44723b5f3340936a800dc
SHA256: 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbe
SHA512: ba3a40df870d0aba3987ee4f2993728fba4b69c8ef3661ca34945c068c343abcaf362716c21da4df122d267c1910b862e6208e53b08175c9291f77f0447eee7a
SSDEEP: 6144:XV55pRPQdrFhbEhtVacLaN//2gWF6lxcg/I:XDDGdDbEh/a3tw
Malware Config
Signatures

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | drvsrv.exe

Executes dropped EXE (1 IoC)
pid | Process
4024 | drvsrv.exe

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\drvsrv.exe | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
File opened for modification | C:\Windows\SysWOW64\drvsrv.exe | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
File created | C:\Windows\SysWOW64\drvsrv.exe | drvsrv.exe

resource | yara_rule
behavioral2/memory/1176-0-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral2/files/0x000d000000023bb2-6.dat | upx
behavioral2/memory/1176-8-0x0000000000400000-0x0000000000448000-memory.dmp | upx
behavioral2/memory/4024-9-0x0000000000400000-0x0000000000448000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | drvsrv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 4024 drvsrv.exe 4024 drvsrv.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 4024 drvsrv.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 4024 drvsrv.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 1176 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe 4024 drvsrv.exe -
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1176 wrote to memory of 4024 | 1176 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 84
PID 1176 wrote to memory of 4024 | 1176 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 84
PID 1176 wrote to memory of 4024 | 1176 | 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe"
   PID: 1176
   - Looks for VMWare Tools registry key
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\drvsrv.exe (child of process 1)
      Command line: C:\Windows\system32\drvsrv.exe
      PID: 4024
      - Looks for VMWare Tools registry key
      - Executes dropped EXE
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 577KB
MD5: f7630a278a5e34eb641f7f97174bf9b9
SHA1: ec57724d6bd0e774f54a8060d9e06f790a8f32b6
SHA256: fc239acedbe7f735cea0de545b3a6bab6948e4c7d6122bdc68767ecc5aeb00c7
SHA512: c553d190bbddaead3ed15280f058ffbf9cbd7c3abafc65a93739b5294a1fc0c9e2eee2c5f013a7fa2bc88e32050dde026992ccf4364c992daebc4645682b1252