af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a

General

Target

c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Size

915KB
MD5

76d274c823439cf02f18a0deccfe70c5
SHA1

1cd7cd1fc0f7890da57af806e67061d2022abcd4
SHA256

af53e36a62f237597b47d34349e40c16a3682a492fe7c320c7e834f6247e078a
SHA512

a094877fd2fe166517446eeb2134268fedfeaacba20cd7b964adf7f34affba675fa598c4f9d2689342e07d2bcd8a0e08d2f11202cfd00abffea679bb9d300c48

Score

9^/10

evasion

Malware Config

Signatures

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1124	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
Token: SeDebugPrivilege	1616	WerFault.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1616	1124	WerFault.exe	23

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 1616	1124	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe	26
PID 1124 wrote to memory of 1616	1124	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe	26
PID 1124 wrote to memory of 1616	1124	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe	26
PID 1124 wrote to memory of 1616	1124	c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe	26

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c192d040bcbc2c2e77698410a3f9ad1caf2b9d2a4842b4a16eb09f3446493a9c.bin.exe"
1⤵
- Maps connected drives based on registry
- Checks BIOS information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1108
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-1-0x0000000001EE0000-0x0000000001EF1000-memory.dmp

Filesize
68KB

Download
memory/1616-2-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads