f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2

General

Target

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Size

8.9MB
MD5

f205470fd1cbe293434397547ea08085
SHA1

fef100258be04cfc8004b1e0827f7e7a78db8bae
SHA256

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2
SHA512

f1c856c6b606f857d715dc19359456ff4464885b2783979b201c1b089a76ad78eccaf2ebb95bd188c5a944fb286dc1f7f24e74573d1306e954503243b2d885c7
SSDEEP

196608:LJTx4XeiMijsL8e4O7mBEHwkSbgnVzTJUy392wJIlbgEc3Hs2V:tmiiwR4O7rw/bgVz973ttZHFV

Score

9^/10

discovery evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exeWlndowsDraiver-Ver8.3.7.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WlndowsDraiver-Ver8.3.7.2.exe

Executes dropped EXE 1 IoCs

Processes:

WlndowsDraiver-Ver8.3.7.2.exe

pid process

4252 WlndowsDraiver-Ver8.3.7.2.exe

pid	process
4252	WlndowsDraiver-Ver8.3.7.2.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exeWlndowsDraiver-Ver8.3.7.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WlndowsDraiver-Ver8.3.7.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WlndowsDraiver-Ver8.3.7.2.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4788 icacls.exe
300 icacls.exe
2072 icacls.exe

pid	process
4788	icacls.exe
300	icacls.exe
2072	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Microsoft\Windows\CurrentVersion\Run\0L5JOINL = "C:\\ProgramData\\5QP8WC5O\\WlndowsDraiver-Ver8.3.7.2.exe"	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exeWlndowsDraiver-Ver8.3.7.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WlndowsDraiver-Ver8.3.7.2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3364 schtasks.exe

pid	process
3364	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

pid	process
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe

description	pid	process	target process
PID 3812 wrote to memory of 3364	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	schtasks.exe
PID 3812 wrote to memory of 3364	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	schtasks.exe
PID 3812 wrote to memory of 4788	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe
PID 3812 wrote to memory of 4788	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe
PID 3812 wrote to memory of 300	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe
PID 3812 wrote to memory of 300	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe
PID 3812 wrote to memory of 2072	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe
PID 3812 wrote to memory of 2072	3812	f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe
"C:\Users\Admin\AppData\Local\Temp\f868254d8af8afd717cca8b281929e924166e57fad4b11ab65a9740c424e2fe2.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "8.3.7.Microsoft.NET\AgentActivationRuntime8.3.7.\IntelPalnt8.3.7." /TR "C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe" /SC MINUTE
2⤵
- Creates scheduled task(s)
PID:3364

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
2⤵
- Modifies file permissions
PID:4788

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
2⤵
- Modifies file permissions
PID:300

C:\Windows\System32\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\5QP8WC5O" /inheritance:e /deny "admin:(R,REA,RA,RD)"
2⤵
- Modifies file permissions
PID:2072

C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:4252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
Filesize
643.3MB

MD5
fd1d33f24186fc488ec1dc023922320d

SHA1
6e666b1208eb252fbad96c2a6812b2eb841cdac6

SHA256
786510ffa18676e7df771a3b5771d90c0a65d5cadd5c81762ffbf18d9e4b90d8

SHA512
8a1009c95a763e16efe35defd955b2ff59dd89d4df661e9ccc1617520c01fa59d8633c894de6bd61d7968124a7b28a4d821ffdc51c5a55ef95c383b42683a4c7

Download Submit
C:\ProgramData\5QP8WC5O\WlndowsDraiver-Ver8.3.7.2.exe
Filesize
643.3MB

MD5
fd1d33f24186fc488ec1dc023922320d

SHA1
6e666b1208eb252fbad96c2a6812b2eb841cdac6

SHA256
786510ffa18676e7df771a3b5771d90c0a65d5cadd5c81762ffbf18d9e4b90d8

SHA512
8a1009c95a763e16efe35defd955b2ff59dd89d4df661e9ccc1617520c01fa59d8633c894de6bd61d7968124a7b28a4d821ffdc51c5a55ef95c383b42683a4c7

Download Submit
memory/300-126-0x0000000000000000-mapping.dmp

Download
memory/2072-127-0x0000000000000000-mapping.dmp

Download
memory/3364-124-0x0000000000000000-mapping.dmp

Download
memory/3812-123-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-132-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-116-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-122-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-121-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-129-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/3812-117-0x00007FF6E3280000-0x00007FF6E43CA000-memory.dmp

Filesize
17.3MB

Download
memory/4252-131-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4252-133-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4252-137-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4252-138-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4252-139-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4252-140-0x00007FF7714D0000-0x00007FF77261A000-memory.dmp

Filesize
17.3MB

Download
memory/4788-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads