66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba

General

Target

66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe
Size

3.4MB
MD5

dbe5c12af8bd0f5b05120c5ec929d004
SHA1

d5fff42b4c76f524d33a13be9d0927ecefb5aea3
SHA256

66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba
SHA512

437bfa444338a118457caecce2982e3855310ae04d02913405cc9a0a9f5ce8f2d02c815714946102f0aec2d1e85d84be68b59ccc8feb4422ff8f59b8bec96460
SSDEEP

98304:Dna5Gkonx+t5bHJmSwD2jCgQIr/84IVuTPYU:ja5InxsjmTK+gQIjCwR

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdobeMicrosoft-type0.3.8.8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AdobeMicrosoft-type0.3.8.8.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdobeMicrosoft-type0.3.8.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdobeMicrosoft-type0.3.8.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AdobeMicrosoft-type0.3.8.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AdobeMicrosoft-type0.3.8.8.exe

Executes dropped EXE 2 IoCs

pid	Process
3736	AdobeMicrosoft-type0.3.8.8.exe
3888	AdobeMicrosoft-type0.3.8.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4768	icacls.exe
4776	icacls.exe
3520	icacls.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001af18-149.dat	upx
behavioral1/files/0x000600000001af18-150.dat	upx
behavioral1/memory/3736-151-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3736-154-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3736-155-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3736-156-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3736-157-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/files/0x000600000001af18-158.dat	upx
behavioral1/memory/3888-159-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3888-160-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3888-161-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx
behavioral1/memory/3888-162-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeMicrosoft-type0.3.8.8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AdobeMicrosoft-type0.3.8.8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	1560	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4664	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67
PID 1560 wrote to memory of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67
PID 1560 wrote to memory of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67
PID 1560 wrote to memory of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67
PID 1560 wrote to memory of 2456	1560	66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe	67
PID 2456 wrote to memory of 4768	2456	AppLaunch.exe	70
PID 2456 wrote to memory of 4768	2456	AppLaunch.exe	70
PID 2456 wrote to memory of 4768	2456	AppLaunch.exe	70
PID 2456 wrote to memory of 4776	2456	AppLaunch.exe	72
PID 2456 wrote to memory of 4776	2456	AppLaunch.exe	72
PID 2456 wrote to memory of 4776	2456	AppLaunch.exe	72
PID 2456 wrote to memory of 3520	2456	AppLaunch.exe	73
PID 2456 wrote to memory of 3520	2456	AppLaunch.exe	73
PID 2456 wrote to memory of 3520	2456	AppLaunch.exe	73
PID 2456 wrote to memory of 4664	2456	AppLaunch.exe	76
PID 2456 wrote to memory of 4664	2456	AppLaunch.exe	76
PID 2456 wrote to memory of 4664	2456	AppLaunch.exe	76
PID 2456 wrote to memory of 3736	2456	AppLaunch.exe	78
PID 2456 wrote to memory of 3736	2456	AppLaunch.exe	78

C:\Users\Admin\AppData\Local\Temp\66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe
"C:\Users\Admin\AppData\Local\Temp\66d06eb8a554b52d86a1f7e4a8691eab887b5b79c453d0a3f4567d42fbe69dba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMicrosoft-type0.3.8.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4768
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMicrosoft-type0.3.8.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4776
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeMicrosoft-type0.3.8.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8" /TR "C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4664
- - C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe
    "C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3736
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 14036556
  2⤵
  - Program crash
  PID:4440

C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe
C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe

Filesize
720.7MB

MD5
ff8e163eb0ee785a5f5fdc8a07a76934

SHA1
2b56f394963721f885521ffb0c584a969737052b

SHA256
5e3c1c62ba14b4f63dbe65e6dd1e612e356cdca7012d2d5b03f25209e3621fae

SHA512
521d34de7d4f82258d470dcd45dee75974e860d073641def3651de5346190ea9714d29dd0e90f86badefb4d46b769ced364cce695513e4f6115b446c3b37f012

Download Submit
C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe

Filesize
720.7MB

MD5
ff8e163eb0ee785a5f5fdc8a07a76934

SHA1
2b56f394963721f885521ffb0c584a969737052b

SHA256
5e3c1c62ba14b4f63dbe65e6dd1e612e356cdca7012d2d5b03f25209e3621fae

SHA512
521d34de7d4f82258d470dcd45dee75974e860d073641def3651de5346190ea9714d29dd0e90f86badefb4d46b769ced364cce695513e4f6115b446c3b37f012

Download Submit
C:\ProgramData\AdobeMicrosoft-type0.3.8.8\AdobeMicrosoft-type0.3.8.8.exe

Filesize
245.9MB

MD5
bf669dfe28bf4ac09d67239354da1368

SHA1
f895d96dc75267ad83ba256bbb765f6b41ec316c

SHA256
f2496b6d6791108974ecefc5d14d3050fcd97b30ec350ca846d08057a56af4fb

SHA512
425934a0722f803001570238048c57bed2456af05b278dee3c430a3c0fc9fc2afb139c38fc73cfa5c44c119f1f5e77eee8ac0653f5469824a32890bbf2cda051

Download Submit
memory/2456-132-0x00000000092E0000-0x00000000092F0000-memory.dmp

Filesize
64KB

Download
memory/2456-131-0x0000000009000000-0x000000000900A000-memory.dmp

Filesize
40KB

Download
memory/2456-121-0x0000000004830000-0x0000000004B8C000-memory.dmp

Filesize
3.4MB

Download
memory/2456-133-0x00000000092E0000-0x00000000092F0000-memory.dmp

Filesize
64KB

Download
memory/2456-134-0x00000000092E0000-0x00000000092F0000-memory.dmp

Filesize
64KB

Download
memory/2456-130-0x00000000092E0000-0x00000000092F0000-memory.dmp

Filesize
64KB

Download
memory/2456-129-0x0000000009090000-0x0000000009122000-memory.dmp

Filesize
584KB

Download
memory/2456-128-0x00000000096F0000-0x0000000009BEE000-memory.dmp

Filesize
5.0MB

Download
memory/3736-155-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3736-154-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3736-156-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3736-157-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3736-151-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3888-159-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3888-160-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3888-161-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download
memory/3888-162-0x00007FF722DA0000-0x00007FF7232BF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads