767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a

General

Target

767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe
Size

3.4MB
MD5

1f11f17ea4f84c1668f4592e48100942
SHA1

9b7f0163fb51769431a5ba70f6b39c2954d7c17d
SHA256

767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a
SHA512

b4a8c2f5e0f5fd7d9dfbfaedea9e2fb9abf14191a1d3baefe3a31ad060268410685428861c3a276cf3879ef30071298a3610d9a215671b65544ddccdbde30fdd
SSDEEP

98304:JWAaEU6/HWQ4noYOCtapQX9ejqcT3/SgYC:wBEH/QotQGrT3T

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DesktopMicrosoft-type4.9.5.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DesktopMicrosoft-type4.9.5.2.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DesktopMicrosoft-type4.9.5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DesktopMicrosoft-type4.9.5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DesktopMicrosoft-type4.9.5.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DesktopMicrosoft-type4.9.5.2.exe

Executes dropped EXE 2 IoCs

pid	Process
2168	DesktopMicrosoft-type4.9.5.2.exe
2928	DesktopMicrosoft-type4.9.5.2.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4204	icacls.exe
3096	icacls.exe
3116	icacls.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001af12-150.dat	upx
behavioral1/files/0x000900000001af12-151.dat	upx
behavioral1/memory/2168-153-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx
behavioral1/memory/2168-154-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx
behavioral1/memory/2168-155-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx
behavioral1/files/0x000900000001af12-157.dat	upx
behavioral1/memory/2928-158-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx
behavioral1/memory/2928-159-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx
behavioral1/memory/2928-160-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DesktopMicrosoft-type4.9.5.2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DesktopMicrosoft-type4.9.5.2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 400 set thread context of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3568	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67
PID 400 wrote to memory of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67
PID 400 wrote to memory of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67
PID 400 wrote to memory of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67
PID 400 wrote to memory of 2408	400	767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe	67
PID 2408 wrote to memory of 3116	2408	AppLaunch.exe	68
PID 2408 wrote to memory of 3116	2408	AppLaunch.exe	68
PID 2408 wrote to memory of 3116	2408	AppLaunch.exe	68
PID 2408 wrote to memory of 3096	2408	AppLaunch.exe	72
PID 2408 wrote to memory of 3096	2408	AppLaunch.exe	72
PID 2408 wrote to memory of 3096	2408	AppLaunch.exe	72
PID 2408 wrote to memory of 4204	2408	AppLaunch.exe	70
PID 2408 wrote to memory of 4204	2408	AppLaunch.exe	70
PID 2408 wrote to memory of 4204	2408	AppLaunch.exe	70
PID 2408 wrote to memory of 3568	2408	AppLaunch.exe	74
PID 2408 wrote to memory of 3568	2408	AppLaunch.exe	74
PID 2408 wrote to memory of 3568	2408	AppLaunch.exe	74
PID 2408 wrote to memory of 2168	2408	AppLaunch.exe	76
PID 2408 wrote to memory of 2168	2408	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe
"C:\Users\Admin\AppData\Local\Temp\767e24bd2ddbc19f639745c9f6152159465352a59c9393e6ef61bfcb0ab98e0a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type4.9.5.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3116
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type4.9.5.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4204
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopMicrosoft-type4.9.5.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3096
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2" /TR "C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3568
- - C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe
    "C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2168

C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe
C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe

Filesize
586.6MB

MD5
1eea44de72741045bb28ee09a457b4da

SHA1
7d0d4b050dda913565eefc9f562f26fc537c44f1

SHA256
655adaf4f8136558225c79f6be4228dbdf5a6b8681c9689e2e2957424dbc610d

SHA512
47ecae4a654e531fc119c10d81aa36cf1c433b9d146594db67856bfdad3a6207fe1faa68b6ec9f0e21357e0976ac11cde5c0201d17a4f1b2ee822fcd92ebce8d

Download Submit
C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe

Filesize
629.0MB

MD5
c6a92118d8de9c06099bd7226d1073f8

SHA1
29bf8879e784561a968f98d3128bc1029fdb6c9d

SHA256
f59197133f1cb106e05f8b91823460dc4cc8d955b95691f871f6cf9101eec528

SHA512
7cfec682f024a7e41489112663bb6a5fa01e5f460a6176b9e6a9b43c89d20423ac7fd8bcc6f350b7774da212b77d5e0bae39f168735984197e16985521006856

Download Submit
C:\ProgramData\DesktopMicrosoft-type4.9.5.2\DesktopMicrosoft-type4.9.5.2.exe

Filesize
472.8MB

MD5
abd93655b476ca2b2cb2f6cffeeb5ed3

SHA1
21ef29e4f4b6824277adfaaa4a79384449a586d2

SHA256
e9d2a4375883183da6b21fe9cd3783a9056a7421f3674b7d608ddd608c663c46

SHA512
89901fd9cd06ad1e873ebfb209da1d1172beeff200c435065144d1a26ebf5a8c9dac49226f99d2dd11076b37647f56e1ee670a9416274df480ce324d83748319

Download Submit
memory/2168-155-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download
memory/2168-153-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download
memory/2168-154-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download
memory/2408-135-0x00000000094F0000-0x0000000009500000-memory.dmp

Filesize
64KB

Download
memory/2408-132-0x00000000093C0000-0x00000000093CA000-memory.dmp

Filesize
40KB

Download
memory/2408-131-0x00000000094F0000-0x0000000009500000-memory.dmp

Filesize
64KB

Download
memory/2408-130-0x00000000092E0000-0x0000000009372000-memory.dmp

Filesize
584KB

Download
memory/2408-134-0x00000000094F0000-0x0000000009500000-memory.dmp

Filesize
64KB

Download
memory/2408-133-0x00000000094F0000-0x0000000009500000-memory.dmp

Filesize
64KB

Download
memory/2408-122-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2408-129-0x00000000097E0000-0x0000000009CDE000-memory.dmp

Filesize
5.0MB

Download
memory/2928-158-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download
memory/2928-159-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download
memory/2928-160-0x00007FF67A5A0000-0x00007FF67AABF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads