Overview

overview

9

Static

static

1

winprofile

windows7-x64

9

winprofile

windows10-1703-x64

9

Analysis

  • max time kernel
    291s
  • max time network
    183s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    14/03/2023, 04:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe

  • Size

    3.4MB

  • MD5

    ec236b147253c8c3cf42b7fc2ccfb7cf

  • SHA1

    115655d5c4170d66a3fbf32b54eede5e25b95299

  • SHA256

    6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb

  • SHA512

    c9f731e80661bb95d0976c313964816297091f8612b64e3bd80630a0e2a2d311f18c0205d4a2e932c122fb12e53fc8c2fca89420fd0015e5128eaf356fc35fcd

  • SSDEEP

    49152:VnPTOKMFrJmsf6/HAv4fVCnoYcNmCCyQaxfrLkWUhsZz2RNRenjqc4i3PHkVgXI/:ZaEU6/HWQ4noYOCtapQX9ejqcT3/SgY/

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe
    "C:\Users\Admin\AppData\Local\Temp\6213ba0f7c174d6009e248ec97de6c4bd18bfd5b51ea27a3d186092d23b64dbb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4104
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4456
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeTemplates-type2.8.8.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3552
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeTemplates-type2.8.8.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3868
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeTemplates-type2.8.8.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3908
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9" /TR "C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:3096
      • C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
        "C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:4748
  • C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
    C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    PID:2212

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
          Filesize

          756.4MB

          MD5

          25105030b3fad544f31884dc61a11b9f

          SHA1

          ac073d3f3c5af5e129bfc4dbad05705fb57c6661

          SHA256

          72e2ec3f7d9946726f18a15a8b1f17aecfc41f8077c0ae3e80b2dd10259cc5c9

          SHA512

          80f071b85d6b1f5aab4d2b43b33ffb0d31a29e382ab9c2c40fac3b8cfaf63a0d97f2f03266ed6df14a9cee3a08b04d595c7c16e688f599f2a3200d4f6e928007

          Download Submit

        • C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
          Filesize

          756.4MB

          MD5

          25105030b3fad544f31884dc61a11b9f

          SHA1

          ac073d3f3c5af5e129bfc4dbad05705fb57c6661

          SHA256

          72e2ec3f7d9946726f18a15a8b1f17aecfc41f8077c0ae3e80b2dd10259cc5c9

          SHA512

          80f071b85d6b1f5aab4d2b43b33ffb0d31a29e382ab9c2c40fac3b8cfaf63a0d97f2f03266ed6df14a9cee3a08b04d595c7c16e688f599f2a3200d4f6e928007

          Download Submit

        • C:\ProgramData\AdobeTemplates-type2.8.8.9\AdobeTemplates-type2.8.8.9.exe
          Filesize

          756.4MB

          MD5

          25105030b3fad544f31884dc61a11b9f

          SHA1

          ac073d3f3c5af5e129bfc4dbad05705fb57c6661

          SHA256

          72e2ec3f7d9946726f18a15a8b1f17aecfc41f8077c0ae3e80b2dd10259cc5c9

          SHA512

          80f071b85d6b1f5aab4d2b43b33ffb0d31a29e382ab9c2c40fac3b8cfaf63a0d97f2f03266ed6df14a9cee3a08b04d595c7c16e688f599f2a3200d4f6e928007

          Download Submit

        • memory/2212-160-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2212-159-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2212-158-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2212-157-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/2212-156-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4456-130-0x00000000091D0000-0x00000000091E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-133-0x00000000091D0000-0x00000000091E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-132-0x00000000091D0000-0x00000000091E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-131-0x00000000091D0000-0x00000000091E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4456-120-0x0000000000400000-0x000000000075C000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/4456-129-0x00000000091E0000-0x00000000091EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4456-128-0x00000000091F0000-0x0000000009282000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4456-127-0x00000000097B0000-0x0000000009CAE000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/4748-150-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4748-151-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download

        • memory/4748-154-0x00007FF6B3DE0000-0x00007FF6B42FF000-memory.dmp

          Filesize

          5.1MB

          Download