4c8a37bba1eda81eb0e51922a98fa61f278fcab7b58870fa650865a53e308b1d

Analysis

max time kernel
93s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

67.2MB
MD5

2a67434fe41c54946d0f82294efe0c46
SHA1

0109f1f1988289b9d9ff33f6bd9de5fb5d9e3a17
SHA256

4c8a37bba1eda81eb0e51922a98fa61f278fcab7b58870fa650865a53e308b1d
SHA512

f6a171693e63e326f9f5e7781fa8b6d783cf3da17c68d5381506d489c86469384d78ee183fecffeaf0bbc1ee1a11088c5cc5b6ba1cb0215994ace1c9ed43ccc0
SSDEEP

1572864:8X+49uMjQOzasFtnCfcc4ZKrTruLo5CXecJ2sMA:8qKQQJF+uQTr6BPJ2/A

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

file.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	file.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

file.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	file.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

file.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	file.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	file.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	file.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

file.exe

description	pid	Process
Token: SeDebugPrivilege	5068	file.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

file.exe

description	pid	Process	procid_target
PID 5068 wrote to memory of 2304	5068	file.exe	91
PID 5068 wrote to memory of 2304	5068	file.exe	91
PID 5068 wrote to memory of 2304	5068	file.exe	91
PID 5068 wrote to memory of 4404	5068	file.exe	92
PID 5068 wrote to memory of 4404	5068	file.exe	92
PID 5068 wrote to memory of 4404	5068	file.exe	92
PID 5068 wrote to memory of 1252	5068	file.exe	93
PID 5068 wrote to memory of 1252	5068	file.exe	93
PID 5068 wrote to memory of 1252	5068	file.exe	93
PID 5068 wrote to memory of 2376	5068	file.exe	94
PID 5068 wrote to memory of 2376	5068	file.exe	94
PID 5068 wrote to memory of 2376	5068	file.exe	94
PID 5068 wrote to memory of 4488	5068	file.exe	96
PID 5068 wrote to memory of 4488	5068	file.exe	96
PID 5068 wrote to memory of 4488	5068	file.exe	96
PID 5068 wrote to memory of 3936	5068	file.exe	97
PID 5068 wrote to memory of 3936	5068	file.exe	97
PID 5068 wrote to memory of 3936	5068	file.exe	97
PID 5068 wrote to memory of 1368	5068	file.exe	98
PID 5068 wrote to memory of 1368	5068	file.exe	98
PID 5068 wrote to memory of 1368	5068	file.exe	98

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
  2⤵
  PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  2⤵
  PID:4488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5068-0-0x0000016F2B2A0000-0x0000016F2B2A8000-memory.dmp

Filesize
32KB

Download
memory/5068-1-0x00007FF82B893000-0x00007FF82B895000-memory.dmp

Filesize
8KB

Download
memory/5068-2-0x0000016F5ECB0000-0x0000016F62F72000-memory.dmp

Filesize
66.8MB

Download
memory/5068-3-0x00007FF82B890000-0x00007FF82C351000-memory.dmp

Filesize
10.8MB

Download
memory/5068-4-0x00007FF82B893000-0x00007FF82B895000-memory.dmp

Filesize
8KB

Download
memory/5068-5-0x00007FF82B890000-0x00007FF82C351000-memory.dmp

Filesize
10.8MB

Download