Analysis Overview
SHA256
307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbe
Threat Level: Likely malicious
The file 307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN was found to be: Likely malicious.
Malicious Activity Summary
Looks for VMWare Tools registry key
Loads dropped DLL
Executes dropped EXE
Drops file in System32 directory
UPX packed file
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 15:55
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 15:55
Reported
2024-11-07 15:57
Platform
win7-20240903-en
Max time kernel
20s
Max time network
17s
Command Line
Signatures
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\chkmon32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\chkmon32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\chkmon32.exe | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\chkmon32.exe | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| File created | C:\Windows\SysWOW64\chkmon32.exe | C:\Windows\SysWOW64\chkmon32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2332 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\chkmon32.exe |
| PID 2332 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\chkmon32.exe |
| PID 2332 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\chkmon32.exe |
| PID 2332 wrote to memory of 2548 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\chkmon32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
"C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe"
C:\Windows\SysWOW64\chkmon32.exe
C:\Windows\system32\chkmon32.exe
Network
Files
memory/2332-0-0x0000000000400000-0x0000000000448000-memory.dmp
\Windows\SysWOW64\chkmon32.exe
| MD5 | 9eaa68fd35fe16a5cf760189f2672629 |
| SHA1 | b45a4a4b7433c2cc92e4fc9a78dcb254b010c50b |
| SHA256 | de348e95a91804fa618e1a978cb99f5af91dbdf3449c5445ee003ad5cb01c8dd |
| SHA512 | f54ea16aba07dd41e437fba2fcd676490cb45258021131c18b6bf71cb213530baf02632b505cc717f7f8717b01b40c582031b5db9f66b25e101ba2538abf83bd |
memory/2332-13-0x0000000000490000-0x00000000004D8000-memory.dmp
memory/2332-12-0x0000000000490000-0x00000000004D8000-memory.dmp
memory/2548-14-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2332-15-0x0000000000400000-0x0000000000448000-memory.dmp
memory/2548-17-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 15:55
Reported
2024-11-07 15:57
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Windows\SysWOW64\drvsrv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\drvsrv.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\drvsrv.exe | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drvsrv.exe | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| File created | C:\Windows\SysWOW64\drvsrv.exe | C:\Windows\SysWOW64\drvsrv.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drvsrv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1176 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\drvsrv.exe |
| PID 1176 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\drvsrv.exe |
| PID 1176 wrote to memory of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe | C:\Windows\SysWOW64\drvsrv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe
"C:\Users\Admin\AppData\Local\Temp\307fd2473bbe87ec23370dcf2944a4a0106f21c0286ffcf27026121f2fd92cbeN.exe"
C:\Windows\SysWOW64\drvsrv.exe
C:\Windows\system32\drvsrv.exe
Network
Files
memory/1176-0-0x0000000000400000-0x0000000000448000-memory.dmp
C:\Windows\SysWOW64\drvsrv.exe
| MD5 | f7630a278a5e34eb641f7f97174bf9b9 |
| SHA1 | ec57724d6bd0e774f54a8060d9e06f790a8f32b6 |
| SHA256 | fc239acedbe7f735cea0de545b3a6bab6948e4c7d6122bdc68767ecc5aeb00c7 |
| SHA512 | c553d190bbddaead3ed15280f058ffbf9cbd7c3abafc65a93739b5294a1fc0c9e2eee2c5f013a7fa2bc88e32050dde026992ccf4364c992daebc4645682b1252 |
memory/1176-8-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4024-9-0x0000000000400000-0x0000000000448000-memory.dmp