b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9

Analysis

max time kernel
300s
max time network
185s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
15/03/2023, 22:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe
Size

510.7MB
MD5

befb8b2f0fbd5e9a60c8c8e489ce4c71
SHA1

fc5bc00baf4b386cbb6c04bb74317d63248cbc6f
SHA256

b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9
SHA512

75931ca7d5695a9dcb20dcafeac844a217c197c4875fb63eb94a4787475d15ba1c3d97749cfabc0a863f9fe88769b30e328b6fd48bf7c7f15d9f91e34c98b674
SSDEEP

98304:3Vde8FivCeGDRsiSc/XBgZrzyWGgRSL6O2jSk6adBNWuz+VRD0MbQP:HZFwAur6XBazEgRSSjS5aT1z+/D0yQP

Score

9^/10

discovery evasion spyware stealer trojan upx vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftUSOPrivate-type2.8.8.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftUSOPrivate-type2.8.8.6.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftUSOPrivate-type2.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftUSOPrivate-type2.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftUSOPrivate-type2.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftUSOPrivate-type2.8.8.6.exe

Executes dropped EXE 4 IoCs

pid	Process
2684	BB4Q1Lj8.exe
4688	hJm9b8I3.exe
2868	MicrosoftUSOPrivate-type2.8.8.6.exe
4412	MicrosoftUSOPrivate-type2.8.8.6.exe

Loads dropped DLL 3 IoCs

pid	Process
2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe
2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe
2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3600	icacls.exe
3608	icacls.exe
3736	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001af66-203.dat	upx
behavioral2/files/0x000600000001af66-202.dat	upx
behavioral2/memory/2868-206-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/2868-207-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/2868-208-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/2868-209-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/files/0x000600000001af66-210.dat	upx
behavioral2/memory/4412-211-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/4412-212-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/4412-213-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx
behavioral2/memory/4412-214-0x00007FF608C50000-0x00007FF60916F000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/2524-121-0x0000000000400000-0x000000000091F000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftUSOPrivate-type2.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftUSOPrivate-type2.8.8.6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 972	2684	BB4Q1Lj8.exe	68

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4080	schtasks.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2684	2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe	66
PID 2524 wrote to memory of 2684	2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe	66
PID 2524 wrote to memory of 2684	2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe	66
PID 2684 wrote to memory of 972	2684	BB4Q1Lj8.exe	68
PID 2684 wrote to memory of 972	2684	BB4Q1Lj8.exe	68
PID 2684 wrote to memory of 972	2684	BB4Q1Lj8.exe	68
PID 2684 wrote to memory of 972	2684	BB4Q1Lj8.exe	68
PID 2684 wrote to memory of 972	2684	BB4Q1Lj8.exe	68
PID 2524 wrote to memory of 4688	2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe	69
PID 2524 wrote to memory of 4688	2524	b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe	69
PID 4688 wrote to memory of 1236	4688	hJm9b8I3.exe	71
PID 4688 wrote to memory of 1236	4688	hJm9b8I3.exe	71
PID 1236 wrote to memory of 3568	1236	cmd.exe	72
PID 1236 wrote to memory of 3568	1236	cmd.exe	72
PID 972 wrote to memory of 3608	972	AppLaunch.exe	73
PID 972 wrote to memory of 3608	972	AppLaunch.exe	73
PID 972 wrote to memory of 3608	972	AppLaunch.exe	73
PID 972 wrote to memory of 3600	972	AppLaunch.exe	80
PID 972 wrote to memory of 3600	972	AppLaunch.exe	80
PID 972 wrote to memory of 3600	972	AppLaunch.exe	80
PID 972 wrote to memory of 3736	972	AppLaunch.exe	78
PID 972 wrote to memory of 3736	972	AppLaunch.exe	78
PID 972 wrote to memory of 3736	972	AppLaunch.exe	78
PID 972 wrote to memory of 4080	972	AppLaunch.exe	77
PID 972 wrote to memory of 4080	972	AppLaunch.exe	77
PID 972 wrote to memory of 4080	972	AppLaunch.exe	77
PID 972 wrote to memory of 2868	972	AppLaunch.exe	81
PID 972 wrote to memory of 2868	972	AppLaunch.exe	81

C:\Users\Admin\AppData\Local\Temp\b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe
"C:\Users\Admin\AppData\Local\Temp\b91b6387f9463d4c6cc82dbafb471035905a77b0409574f3b5586b4c05a749e9.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Roaming\BB4Q1Lj8.exe
  "C:\Users\Admin\AppData\Roaming\BB4Q1Lj8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:3608
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6" /TR "C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe" /SC MINUTE
      4⤵
      Creates scheduled task(s)
      PID:4080
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:3736
  - - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      4⤵
      Modifies file permissions
      PID:3600
  - - C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe
      "C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      PID:2868
- C:\Users\Admin\AppData\Roaming\hJm9b8I3.exe
  "C:\Users\Admin\AppData\Roaming\hJm9b8I3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\hJm9b8I3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:3568

C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe
C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe

Filesize
518.2MB

MD5
93d30560552c701a4c585d991ba2ebaf

SHA1
0572aa6c4f59a0397c080afeb4fa0ba3434f7d4e

SHA256
0c53e4d57590d1400c4878b465cddbf853320bebffed69a3702bf9063a55596d

SHA512
0535e8ec4735c445e938da758c2693f97ebd694359ba56400174360e27db8ac216f14b6c9f82354de6278abdddc5e0d65fd4206123c7e0b7972d97dc3a2644a7

Download Submit
C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe

Filesize
531.1MB

MD5
bca4e2932c211f91c749e828229cf7a7

SHA1
dfb81339579344d8980a21773089a3a327ea2145

SHA256
ebf32310a1f3a3368b21b8019e64dac87c36c26a86939b2318d251891ac510ab

SHA512
351e1640d801d0f01b04fa00e486f08092261d24fa6f71aefbe089bdf85bd496a25a23e2a4fa943e9a77452a0a0cbd6300eaf71112cca767424d30ca1680af05

Download Submit
C:\ProgramData\MicrosoftUSOPrivate-type2.8.8.6\MicrosoftUSOPrivate-type2.8.8.6.exe

Filesize
444.2MB

MD5
13a809fe91f36f530494d4b51fd8c37a

SHA1
8d134b2785d105964b7e25a99b27971795804009

SHA256
727144bf08c09a2f2bc029aff72e1c00e9ee0538dc8ca75fbc7d491d25c29640

SHA512
91e11ddaf867889881ba64bef1a18c2c63ee0a7745566adc9c3ff9f6c77053a69a885ef7f602c99db29732f1f115d5e61b55cc5790292dda3bcf940e9b1338f6

Download Submit
C:\Users\Admin\AppData\Roaming\BB4Q1Lj8.exe

Filesize
3.4MB

MD5
675cb0337806c721d81b629a4c1eaa51

SHA1
8768d0ad66884e1e6a65b93f6820c9803ec2f1a3

SHA256
2c06b7674a54162680fa8d01c69e3fa9d51a0bcbd2de9471cbb0f005935bdc2a

SHA512
98c80d05145f308d74b20bdff0fe33947c02bbef75b4e61c6fc83d11111c7fc44ef8edf77b9401d1a27b8702b80cffc4179db3333a25249db0a2198f5d602698

Download Submit
C:\Users\Admin\AppData\Roaming\BB4Q1Lj8.exe

Filesize
3.4MB

MD5
675cb0337806c721d81b629a4c1eaa51

SHA1
8768d0ad66884e1e6a65b93f6820c9803ec2f1a3

SHA256
2c06b7674a54162680fa8d01c69e3fa9d51a0bcbd2de9471cbb0f005935bdc2a

SHA512
98c80d05145f308d74b20bdff0fe33947c02bbef75b4e61c6fc83d11111c7fc44ef8edf77b9401d1a27b8702b80cffc4179db3333a25249db0a2198f5d602698

Download Submit
C:\Users\Admin\AppData\Roaming\hJm9b8I3.exe

Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
C:\Users\Admin\AppData\Roaming\hJm9b8I3.exe

Filesize
13.9MB

MD5
9e0c7bc064dcb53a222f5eed4e2eadeb

SHA1
473e0ba14f98a45f7b8c95c5e7404f0b452b3fa9

SHA256
dbf287872ae50281d3136c7f0b890bc534439d36c9b6f594d29b6453f7656e9b

SHA512
0c1536a1232b2a25f3837ae7c1caa4bd008ee316339f867906125d1c1d81f2e2a11f5cd152a829e2729cd4f412beab3afce718f25bb6c5705996812a173bffdd

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/972-164-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/972-175-0x00000000097D0000-0x00000000097E0000-memory.dmp

Filesize
64KB

Download
memory/972-178-0x00000000097D0000-0x00000000097E0000-memory.dmp

Filesize
64KB

Download
memory/972-173-0x0000000009610000-0x000000000961A000-memory.dmp

Filesize
40KB

Download
memory/972-172-0x0000000009670000-0x0000000009702000-memory.dmp

Filesize
584KB

Download
memory/972-185-0x00000000097D0000-0x00000000097E0000-memory.dmp

Filesize
64KB

Download
memory/972-186-0x00000000097D0000-0x00000000097E0000-memory.dmp

Filesize
64KB

Download
memory/972-171-0x0000000009AD0000-0x0000000009FCE000-memory.dmp

Filesize
5.0MB

Download
memory/2524-158-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/2524-121-0x0000000000400000-0x000000000091F000-memory.dmp

Filesize
5.1MB

Download
memory/2868-209-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/2868-207-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/2868-208-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/2868-206-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/4412-211-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/4412-212-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/4412-213-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/4412-214-0x00007FF608C50000-0x00007FF60916F000-memory.dmp

Filesize
5.1MB

Download
memory/4688-184-0x0000000000FD0000-0x0000000001E1F000-memory.dmp

Filesize
14.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads