849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d

General

Target

849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe
Size

3.4MB
MD5

ff7c5f7d6900ad65f8870feb07b133d0
SHA1

ec27c8d7ae9f3963d2d42e80c060308aad887053
SHA256

849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d
SHA512

ddfa352cd739f8f07cb657c5116a2664e6e54c363a3f7dba9e42a61c6207177f7f262d7a8fb3ad393f135bfdd3b892d39d3507ed0b9d64b62f482076245736f7
SSDEEP

98304:Zna5Gkonx+t5bHJmSwD2jCgQIr/84IVuTPY5:Za5InxsjmTK+gQIjCwg

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdobeDocuments-type4.8.8.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdobeDocuments-type4.8.8.6.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdobeDocuments-type4.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdobeDocuments-type4.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdobeDocuments-type4.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdobeDocuments-type4.8.8.6.exe

Executes dropped EXE 2 IoCs

pid	Process
1088	AdobeDocuments-type4.8.8.6.exe
4308	AdobeDocuments-type4.8.8.6.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3740	icacls.exe
3548	icacls.exe
908	icacls.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000023182-149.dat	upx
behavioral1/files/0x0009000000023182-150.dat	upx
behavioral1/files/0x0009000000023182-151.dat	upx
behavioral1/memory/1088-153-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-154-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-155-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-156-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-158-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-157-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/1088-159-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/files/0x0009000000023182-160.dat	upx
behavioral1/memory/4308-161-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/4308-162-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx
behavioral1/memory/4308-163-0x00007FF656F20000-0x00007FF65743F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeDocuments-type4.8.8.6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeDocuments-type4.8.8.6.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4668	4604	WerFault.exe	83
2312	4604	WerFault.exe	83

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3152	schtasks.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88
PID 4604 wrote to memory of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88
PID 4604 wrote to memory of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88
PID 4604 wrote to memory of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88
PID 4604 wrote to memory of 2188	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	88
PID 4604 wrote to memory of 4668	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	93
PID 4604 wrote to memory of 4668	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	93
PID 4604 wrote to memory of 4668	4604	849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe	93
PID 2188 wrote to memory of 3740	2188	AppLaunch.exe	97
PID 2188 wrote to memory of 3740	2188	AppLaunch.exe	97
PID 2188 wrote to memory of 3740	2188	AppLaunch.exe	97
PID 2188 wrote to memory of 908	2188	AppLaunch.exe	101
PID 2188 wrote to memory of 908	2188	AppLaunch.exe	101
PID 2188 wrote to memory of 908	2188	AppLaunch.exe	101
PID 2188 wrote to memory of 3548	2188	AppLaunch.exe	99
PID 2188 wrote to memory of 3548	2188	AppLaunch.exe	99
PID 2188 wrote to memory of 3548	2188	AppLaunch.exe	99
PID 2188 wrote to memory of 3152	2188	AppLaunch.exe	100
PID 2188 wrote to memory of 3152	2188	AppLaunch.exe	100
PID 2188 wrote to memory of 3152	2188	AppLaunch.exe	100
PID 2188 wrote to memory of 1088	2188	AppLaunch.exe	105
PID 2188 wrote to memory of 1088	2188	AppLaunch.exe	105

C:\Users\Admin\AppData\Local\Temp\849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe
"C:\Users\Admin\AppData\Local\Temp\849fc0c4496ba40a1c8662f54fc7f459cd6077f934e29077348b1c77fda09a4d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3740
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3548
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6" /TR "C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3152
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:908
- - C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe
    "C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 14036496
  2⤵
  - Program crash
  PID:4668
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 14036496
  2⤵
  - Program crash
  PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
1⤵
PID:1208

C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe

Filesize
461.0MB

MD5
ad5dc8e10637cfe6706a8a61925589e5

SHA1
8d7684d336b1a1aa3c0474d1665657d8a094999c

SHA256
04942275938f685b5070aaba8d7a8da9c64425d44f945bb609c7c14233167943

SHA512
5a4424a3bcdda1518536f378cbec5e3a5d3e419cf8089ba0940e790befcded5f23499d96b436be03f0feacd81f4a046968d67aaf1924576f5d713fec73dab7c1

Download Submit
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe

Filesize
455.2MB

MD5
ef7a7d30b8868957640c95b33ef9621d

SHA1
9bf347a49f8b7277b88a27c431d1201fa0f4dbbc

SHA256
c2af56958ceb4e4754df799da5308cfad4683e84beb82da98e45cb1c8168fe5b

SHA512
a132e92998a06c1e3e437a83aed119104d05825e373ff0583b64244692af1df1baa9cb4ab772ad27610bce2001f747fe60fda9def67058e1f1ac27e15ae8538b

Download Submit
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe

Filesize
423.0MB

MD5
a6ff43c40d01467a2f648b03f2f9a668

SHA1
cf2601ee12edd574dcad60a3600796fafe1ea7e4

SHA256
371cd864ac59a26c0b716316287b86ab5b95b99c56facbffe8fe4d373234e155

SHA512
028410ef373c2b391175a5d726593c76b6917d08013e767329e3c6502aa4d734a834392d647255716650f8a3ae52efac4a01d0fec69e818073ae34cf414bb514

Download Submit
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe

Filesize
321.6MB

MD5
dc2aa6fe7ba630c4f8816a99b3df4b17

SHA1
2ffa3818003bab83b1674901d839bed4412f8609

SHA256
dc9a2ec723ec8436446bd38f11c978db29c2674fe11bbf3fac9ddd03a411d83e

SHA512
7b7bdd286fcb7bf6d319ccf1a6adc09243bbb138660c93b3a588da0d837f06edb4ccba264d0aa406f613ad8809f80316743e2230759cf7c2c81b076d6655b256

Download Submit
memory/1088-158-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-159-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-157-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-156-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-155-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-154-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/1088-153-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/2188-139-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/2188-140-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/2188-141-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2188-144-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2188-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2188-143-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2188-142-0x0000000005460000-0x0000000005470000-memory.dmp

Filesize
64KB

Download
memory/2188-138-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/4308-161-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/4308-162-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download
memory/4308-163-0x00007FF656F20000-0x00007FF65743F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads