3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7

General

Target

3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe
Size

3.4MB
MD5

c828fda10f938f02831b56be4252142f
SHA1

3b351a156e73ea7e49dee2ace64077602d756f21
SHA256

3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7
SHA512

37b119f5be07acd20aa169b0e7bfba023041bfdc1fa6028b89790b9223a58437e6b28c65f693e9e0a9d879435f7c1f7aed71758de8bbbd08dd22f88dc3d44f7f
SSDEEP

98304:AmwMi6hqm+mXHkTiGDsAsQJEwky5CXjcM0Jhv8jYhz:AmRhfv3DG4+vsXjcM0zv8jS

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Executes dropped EXE 1 IoCs

pid	Process
1636	USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3380	icacls.exe
4956	icacls.exe
4828	icacls.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000002313b-148.dat	upx
behavioral1/files/0x000600000002313b-149.dat	upx
behavioral1/files/0x000600000002313b-150.dat	upx
behavioral1/memory/1636-152-0x00007FF617240000-0x00007FF61775F000-memory.dmp	upx
behavioral1/memory/1636-153-0x00007FF617240000-0x00007FF61775F000-memory.dmp	upx
behavioral1/memory/1636-154-0x00007FF617240000-0x00007FF61775F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3412 set thread context of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
992	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86
PID 3412 wrote to memory of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86
PID 3412 wrote to memory of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86
PID 3412 wrote to memory of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86
PID 3412 wrote to memory of 816	3412	3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe	86
PID 816 wrote to memory of 3380	816	AppLaunch.exe	93
PID 816 wrote to memory of 3380	816	AppLaunch.exe	93
PID 816 wrote to memory of 3380	816	AppLaunch.exe	93
PID 816 wrote to memory of 4956	816	AppLaunch.exe	95
PID 816 wrote to memory of 4956	816	AppLaunch.exe	95
PID 816 wrote to memory of 4956	816	AppLaunch.exe	95
PID 816 wrote to memory of 4828	816	AppLaunch.exe	96
PID 816 wrote to memory of 4828	816	AppLaunch.exe	96
PID 816 wrote to memory of 4828	816	AppLaunch.exe	96
PID 816 wrote to memory of 992	816	AppLaunch.exe	99
PID 816 wrote to memory of 992	816	AppLaunch.exe	99
PID 816 wrote to memory of 992	816	AppLaunch.exe	99
PID 816 wrote to memory of 1636	816	AppLaunch.exe	101
PID 816 wrote to memory of 1636	816	AppLaunch.exe	101

C:\Users\Admin\AppData\Local\Temp\3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe
"C:\Users\Admin\AppData\Local\Temp\3943d98242eba7bfb58d9d7be07584e01746a0cee3935d684c29ddaae17497e7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3380
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4956
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8" /TR "C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:992
- - C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe
    "C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1636

C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe
C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Filesize
739.1MB

MD5
466d0d80b6ea8222a5849f914598d88b

SHA1
36841b8f83f21819d3593a9c938c1088e37fb326

SHA256
83ea570c8cf885b741315ab33528e8376eab33855726dd23cd0b29daa961469c

SHA512
9e5361669ed045674f3107d4ba8bf8e57de00ab40e697bd46ac82324644374c8a6d8e6503c94324179cee61752061ee566b483225ec1107be2e9eaba930d1af3

Download Submit
C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Filesize
716.0MB

MD5
b05005b9d5084b2cb5638a6e17d180e6

SHA1
3a68f0fd1887286fa0cc71a1e8f7300a285c844d

SHA256
7bdad5ea981b41fc3ace2252bdaa634ed998f74001eb23cd79a86c5ca70f2482

SHA512
55374ec7f05c5211bdbb9a31b1e2338043aacf8cbd711db849e1953a4bf885625b06cca05598428bc117ef7064ad6b0124efc9b83d63d213e47df1d3662255a4

Download Submit
C:\ProgramData\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8\USOPrivateMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.2.8.8.exe

Filesize
749.0MB

MD5
8406c31e8d4e88220db1a3d141ad72ec

SHA1
e4668babbf89f8e945760517bf4e9c6522cd237b

SHA256
059df0e1c18cbb2f4742c0b4b530d52105d4570ffb5de5d9b179181150eefd5f

SHA512
5fd0ef5ee486023057a035bdad61866ec407fe60f2ba62c1e4824b7df3030deb0a62437842fb31a96d473050449c0befb00defdc34d1e35824f9e37c6d7be1e1

Download Submit
memory/816-134-0x00000000005B0000-0x000000000090C000-memory.dmp

Filesize
3.4MB

Download
memory/816-139-0x0000000005580000-0x0000000005B24000-memory.dmp

Filesize
5.6MB

Download
memory/816-140-0x0000000004FD0000-0x0000000005062000-memory.dmp

Filesize
584KB

Download
memory/816-141-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/816-142-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/816-143-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/1636-152-0x00007FF617240000-0x00007FF61775F000-memory.dmp

Filesize
5.1MB

Download
memory/1636-153-0x00007FF617240000-0x00007FF61775F000-memory.dmp

Filesize
5.1MB

Download
memory/1636-154-0x00007FF617240000-0x00007FF61775F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads