7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98

General

Target

7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe
Size

3.4MB
MD5

9997d2197e23cf9fde553fb4b9facb13
SHA1

3995030146b89cfcc68ce39166ad6d8ab8af3cb4
SHA256

7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98
SHA512

a3206ae4cb631aa110bad59f658d2629954f1ad7bc27abdd582b280b3b38eaa94c15405ad317802f4996297a5826d9b9777884bc191059ddaa718fcc10c44955
SSDEEP

98304:PmwMi6hqm+mXHkTiGDsAsQJEwky5CXjcM0Jhv8jYhz:PmRhfv3DG4+vsXjcM0zv8jS

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	USOPrivatePackages-type8.4.2.8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	USOPrivatePackages-type8.4.2.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	USOPrivatePackages-type8.4.2.8.exe

Executes dropped EXE 1 IoCs

pid	Process
1732	USOPrivatePackages-type8.4.2.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1752	icacls.exe
4396	icacls.exe
4748	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002274a-150.dat	upx
behavioral1/files/0x000700000002274a-151.dat	upx
behavioral1/files/0x000700000002274a-152.dat	upx
behavioral1/memory/1732-153-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-155-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-156-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-157-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-158-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-159-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx
behavioral1/memory/1732-160-0x00007FF607940000-0x00007FF607E5F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	USOPrivatePackages-type8.4.2.8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 8 set thread context of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1668	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 8 wrote to memory of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86
PID 8 wrote to memory of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86
PID 8 wrote to memory of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86
PID 8 wrote to memory of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86
PID 8 wrote to memory of 1864	8	7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe	86
PID 1864 wrote to memory of 1752	1864	AppLaunch.exe	93
PID 1864 wrote to memory of 1752	1864	AppLaunch.exe	93
PID 1864 wrote to memory of 1752	1864	AppLaunch.exe	93
PID 1864 wrote to memory of 4396	1864	AppLaunch.exe	95
PID 1864 wrote to memory of 4396	1864	AppLaunch.exe	95
PID 1864 wrote to memory of 4396	1864	AppLaunch.exe	95
PID 1864 wrote to memory of 4748	1864	AppLaunch.exe	97
PID 1864 wrote to memory of 4748	1864	AppLaunch.exe	97
PID 1864 wrote to memory of 4748	1864	AppLaunch.exe	97
PID 1864 wrote to memory of 1668	1864	AppLaunch.exe	99
PID 1864 wrote to memory of 1668	1864	AppLaunch.exe	99
PID 1864 wrote to memory of 1668	1864	AppLaunch.exe	99
PID 1864 wrote to memory of 1732	1864	AppLaunch.exe	101
PID 1864 wrote to memory of 1732	1864	AppLaunch.exe	101

C:\Users\Admin\AppData\Local\Temp\7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe
"C:\Users\Admin\AppData\Local\Temp\7613459cb31b5b0121bec0408fc5ce28757827607bb987b623c85cd42518af98.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:8
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.2.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1752
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.2.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4396
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivatePackages-type8.4.2.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4748
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8" /TR "C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:1668
- - C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe
    "C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1732

C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe
C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe

Filesize
622.8MB

MD5
67334a367d6d2a17e235eb6324a20d52

SHA1
920adf1eff8f047e7f4a8c32252c823f610d52cc

SHA256
11d288be2aea1f736ba9d015b7e37542db6ba3379552eba519c04f0caa47a239

SHA512
4d866ff95d4a8b3eab9ec192367a5d1b1e2d6a9c9700884603d70f44f6e211d9dd1a7a652bc78fc3160724d533115de55daea41762ffeb124b7de8d1ab9b4bd5

Download Submit
C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe

Filesize
598.4MB

MD5
6daf98e6a77057ca83899431be29f461

SHA1
252d0acfe6b58aff483be226033521889a6413de

SHA256
44f66f8bbd0fcb9f57ba51def4a825d03b82fd48b5a20d38152944adc4b4ecc9

SHA512
b4d9c975f605e2e9a5a23f780decc2cdf01b03f1130412e352ee62609b956415ff471bccc5a6151636d4e8951ba71ca7dbb6b8ecef6d67fe9998b1b443c43139

Download Submit
C:\ProgramData\USOPrivatePackages-type8.4.2.8\USOPrivatePackages-type8.4.2.8.exe

Filesize
647.4MB

MD5
e7319fac7711b03c030beffa0de0565d

SHA1
7b9e637151c218059d9aedc5ebbd38e90e60f279

SHA256
a4e0297ce1e003653cc880b3c1b524e9b626980b5fd558051e75bd3daa34e1e7

SHA512
ac7b6128cb57c7d2033f43bdb1a6276e7eb52705706662b30f86de3f5b26c34fba3d5ece2b48473085601ce25aaafa57e95645122b4a2e1f03604806b794d5b2

Download Submit
memory/1732-155-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-153-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-160-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-159-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-158-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-157-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1732-156-0x00007FF607940000-0x00007FF607E5F000-memory.dmp

Filesize
5.1MB

Download
memory/1864-145-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1864-139-0x00000000054A0000-0x0000000005A44000-memory.dmp

Filesize
5.6MB

Download
memory/1864-134-0x0000000000500000-0x000000000085C000-memory.dmp

Filesize
3.4MB

Download
memory/1864-140-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/1864-141-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1864-142-0x0000000004E60000-0x0000000004E6A000-memory.dmp

Filesize
40KB

Download
memory/1864-144-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/1864-143-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads