6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb

General

Target

6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
Size

3.4MB
MD5

ec236b147253c8c3cf42b7fc2ccfb7cf
SHA1

115655d5c4170d66a3fbf32b54eede5e25b95299
SHA256

6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb
SHA512

c9f731e80661bb95d0976c313964816297091f8612b64e3bd80630a0e2a2d311f18c0205d4a2e932c122fb12e53fc8c2fca89420fd0015e5128eaf356fc35fcd
SSDEEP

49152:VnPTOKMFrJmsf6/HAv4fVCnoYcNmCCyQaxfrLkWUhsZz2RNRenjqc4i3PHkVgXI/:ZaEU6/HWQ4noYOCtapQX9ejqcT3/SgY/

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftTemplates-type6.5.2.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftTemplates-type6.5.2.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftTemplates-type6.5.2.0.exe

Executes dropped EXE 2 IoCs

pid	Process
1836	MicrosoftTemplates-type6.5.2.0.exe
1820	MicrosoftTemplates-type6.5.2.0.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1444	icacls.exe
2072	icacls.exe
2068	icacls.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000900000001ae77-144.dat	upx
behavioral2/files/0x000900000001ae77-145.dat	upx
behavioral2/memory/1836-146-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1836-149-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1836-150-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1836-151-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1836-152-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/files/0x000900000001ae77-153.dat	upx
behavioral2/memory/1820-154-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1820-155-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1820-156-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1820-158-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx
behavioral2/memory/1820-159-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftTemplates-type6.5.2.0.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4116 set thread context of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4692	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67
PID 4116 wrote to memory of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67
PID 4116 wrote to memory of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67
PID 4116 wrote to memory of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67
PID 4116 wrote to memory of 4472	4116	6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe	67
PID 4472 wrote to memory of 1444	4472	AppLaunch.exe	68
PID 4472 wrote to memory of 1444	4472	AppLaunch.exe	68
PID 4472 wrote to memory of 1444	4472	AppLaunch.exe	68
PID 4472 wrote to memory of 2068	4472	AppLaunch.exe	73
PID 4472 wrote to memory of 2068	4472	AppLaunch.exe	73
PID 4472 wrote to memory of 2068	4472	AppLaunch.exe	73
PID 4472 wrote to memory of 2072	4472	AppLaunch.exe	72
PID 4472 wrote to memory of 2072	4472	AppLaunch.exe	72
PID 4472 wrote to memory of 2072	4472	AppLaunch.exe	72
PID 4472 wrote to memory of 4692	4472	AppLaunch.exe	74
PID 4472 wrote to memory of 4692	4472	AppLaunch.exe	74
PID 4472 wrote to memory of 4692	4472	AppLaunch.exe	74
PID 4472 wrote to memory of 1836	4472	AppLaunch.exe	76
PID 4472 wrote to memory of 1836	4472	AppLaunch.exe	76

C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
"C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1444
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2072
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2068
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0" /TR "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4692
- - C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
    "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1836

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
717.7MB

MD5
0828db569bc982a6719575bc3fc41155

SHA1
78cfe4d19344a74ddabe72be24044582398b449b

SHA256
147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc

SHA512
9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
717.7MB

MD5
0828db569bc982a6719575bc3fc41155

SHA1
78cfe4d19344a74ddabe72be24044582398b449b

SHA256
147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc

SHA512
9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe

Filesize
717.7MB

MD5
0828db569bc982a6719575bc3fc41155

SHA1
78cfe4d19344a74ddabe72be24044582398b449b

SHA256
147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc

SHA512
9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

Download Submit
memory/1820-159-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1820-158-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1820-156-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1820-155-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1820-154-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1836-149-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1836-146-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1836-150-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1836-151-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/1836-152-0x00007FF72E510000-0x00007FF72EA2F000-memory.dmp

Filesize
5.1MB

Download
memory/4472-117-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/4472-129-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4472-128-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4472-127-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4472-126-0x0000000009370000-0x000000000937A000-memory.dmp

Filesize
40KB

Download
memory/4472-125-0x0000000009410000-0x00000000094A2000-memory.dmp

Filesize
584KB

Download
memory/4472-124-0x0000000009870000-0x0000000009D6E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads