Overview

overview

9

Static

static

1

winprofile

windows7-x64

9

winprofile

windows10-1703-x64

9

Analysis

  • max time kernel
    290s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2023, 22:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe

  • Size

    3.4MB

  • MD5

    ec236b147253c8c3cf42b7fc2ccfb7cf

  • SHA1

    115655d5c4170d66a3fbf32b54eede5e25b95299

  • SHA256

    6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb

  • SHA512

    c9f731e80661bb95d0976c313964816297091f8612b64e3bd80630a0e2a2d311f18c0205d4a2e932c122fb12e53fc8c2fca89420fd0015e5128eaf356fc35fcd

  • SSDEEP

    49152:VnPTOKMFrJmsf6/HAv4fVCnoYcNmCCyQaxfrLkWUhsZz2RNRenjqc4i3PHkVgXI/:ZaEU6/HWQ4noYOCtapQX9ejqcT3/SgY/

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:888
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1476
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:588
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesTemplates-type2.6.0.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:596
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1" /TR "C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:1700
      • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
        "C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1444
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {DA9940C5-6995-405D-8D3F-C897BB253276} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
      C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:1096

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    528.1MB

    MD5

    6281dbb2e69ecb1af43b3c43626c304e

    SHA1

    498d3c8fb2fc4e83f4262b7172a50564a5e0437a

    SHA256

    31f2da88fcfa6be496351fde4d1134f8de834052a12b621eec3377260b66c4e0

    SHA512

    c694ca8263634a108bed41c2b90ad7f6830fca128e5baf236b71f0484936e79ac8e7062f6fccbef6739b61821647c3ed86b3438f23ff6c895e0f7ef0a868a210

    Download Submit

  • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    602.1MB

    MD5

    ffcbba3e5b095a6de4cf58ddd6d2782e

    SHA1

    1625406fcae8657879f7ca24a10a8486a59b3ff6

    SHA256

    9b39f5bce7741af168f2c77c98b9a3f5a8916c943b6853f68be25c721cd8352c

    SHA512

    75436e33c3b80593f231e7cb90af6eca9186c6e9e75ebb2c4466fd284fc949b733a600d16db9752090f15c092c6a1d5262df4dbc6cbb02784cb7eecebfa6a2b1

    Download Submit

  • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    568.6MB

    MD5

    e4107502eff5fb38511ca79efb5768b9

    SHA1

    16a574f5ea4478f3698927a238c441ac3680f450

    SHA256

    9db2d58a3bc5c98544b9eaf405cde486631d66f476f469f3f690f80077cdc0ad

    SHA512

    040f0e1dbf2fc20df4e9d6d6c4b5bdedcf494bc5d4a75e0519e0942b5dbf0acff46f7ac228204fc85f32a63a5323c72fb8e308aafa166dce903e40cbc26a06ca

    Download Submit

  • C:\ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    480.1MB

    MD5

    a21ae52f6314a6a191c0aa960e5f5364

    SHA1

    308201584cabe2266a1b297421f95c159bb02930

    SHA256

    444dd25c578a657cd06e57388d7d204f3a3653ab9acd341888442bee491c69bb

    SHA512

    213fa7d47b8a1415fd46756ce2ab166d5c13183b4048a79eb7fb448c7f920d273def1bbffda56cbb3bffcf1393077a0e79ce826f506a0a24de79a2d8ecd5e829

    Download Submit

  • \ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    617.6MB

    MD5

    69509688b7a8d22337b0dae1a761be21

    SHA1

    a62c83926fee04ffc8a9b0b9559ea7f96e7d1892

    SHA256

    8e0c2a59897e477d11874e41ef0b24da644dbab2165ba0db20fbc01e1a86782b

    SHA512

    a0f4d6cdfceb13bbc1dae48edd6e1d83855df3bbd6ba34f56899f1387cb6d4053ccf14012ca1b171aec41e5e6bc9e4c41096140d92e526ff1610aee6322e1c73

    Download Submit

  • \ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    561.5MB

    MD5

    2f241985562816d74b6dcbd9eccfdddb

    SHA1

    8bc0cebf127f9c0e638de7a1c35d7c713aa8df89

    SHA256

    d3d5928f75206043baf177a38f87946f1b74040bee6dd93119f42e58d8f2b994

    SHA512

    724c9e701fad57b4093e1e4364147d6af6bd4fcf3df0e556ae140be6fede0688c091eed75751a4349c7aab385938a5a6c16b43f611235c03ee17f496d788973f

    Download Submit

  • \ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    478.1MB

    MD5

    51398f81f8d5fc2fc17a826797d70b1a

    SHA1

    f483b4aad7402907e33ecbf40fa6393681f11798

    SHA256

    778032f0730e0596d918de144f4b78042356c4cb5f776c1af3d260c2f602a2a7

    SHA512

    9f7a63b11c70918a79930e8e146ec402ed30540e41e8ee778b0f1836cc6cff79945d88523d61f2424e90bf9889a88f462bf2f20d866d7836cedff7b8a5e80347

    Download Submit

  • \ProgramData\TemplatesTemplates-type2.6.0.1\TemplatesTemplates-type2.6.0.1.exe
    Filesize

    483.5MB

    MD5

    ead5ad2195bb34f9d3f7bd0c95fc1ada

    SHA1

    d6ed9382b379dfd57c238625e343775ffa4079e7

    SHA256

    5782daf54b3465e41762f7070d518a4b80e84c26f890005a05d519d0dace0eaa

    SHA512

    f80bffd925ec9f7d4eec2d02b9c1233bce93eb7078d27652d56081a78f2bf8c83ca9dec9fb5c8826d5e20508b4fa960c18414b5c45bf1c019bda697cd8e2e557

    Download Submit

  • memory/888-65-0x00000000051F0000-0x0000000005230000-memory.dmp

    Filesize

    256KB

    Download

  • memory/888-62-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/888-64-0x00000000051F0000-0x0000000005230000-memory.dmp

    Filesize

    256KB

    Download

  • memory/888-74-0x0000000008940000-0x0000000008E5F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/888-55-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/888-63-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/888-75-0x0000000008940000-0x0000000008E5F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/888-56-0x0000000000400000-0x000000000075C000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/888-60-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1096-84-0x000000013FDE0000-0x00000001402FF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1096-85-0x000000013FDE0000-0x00000001402FF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1096-87-0x000000013FDE0000-0x00000001402FF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1096-88-0x000000013FDE0000-0x00000001402FF000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1444-80-0x000000013FA80000-0x000000013FF9F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1444-78-0x000000013FA80000-0x000000013FF9F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1444-79-0x000000013FA80000-0x000000013FF9F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1444-77-0x000000013FA80000-0x000000013FF9F000-memory.dmp

    Filesize

    5.1MB

    Download

  • memory/1660-86-0x000000013FDE0000-0x00000001402FF000-memory.dmp

    Filesize

    5.1MB

    Download