c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45

General

Target

c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe
Size

3.4MB
MD5

b89cfb2403ff3c814ddd79624874e213
SHA1

d107ad1b15cde70754142f591a5581d3b28ef356
SHA256

c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45
SHA512

5b3e7554d219ffae18daeaa03d654ba20be26f19092616aef19b48074376834f0a2369a9d05ed338c9b9fa4027226bec3c3b58a9c05c15185e14e1136ae2c571
SSDEEP

98304:UbaD2xzt49ndR/hqOAX7Jhh15VRN6UnNOzFm:0t4rqN19n/

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Executes dropped EXE 2 IoCs

pid	Process
3800	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
2196	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2808	icacls.exe
3764	icacls.exe
3648	icacls.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001af4a-149.dat	upx
behavioral2/files/0x000600000001af4a-150.dat	upx
behavioral2/memory/3800-153-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-154-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-155-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-156-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-157-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-158-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/3800-159-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/files/0x000600000001af4a-160.dat	upx
behavioral2/memory/2196-161-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/2196-162-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx
behavioral2/memory/2196-163-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2236 set thread context of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5096	2236	WerFault.exe	65

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3052	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67
PID 2236 wrote to memory of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67
PID 2236 wrote to memory of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67
PID 2236 wrote to memory of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67
PID 2236 wrote to memory of 2560	2236	c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe	67
PID 2560 wrote to memory of 2808	2560	AppLaunch.exe	70
PID 2560 wrote to memory of 2808	2560	AppLaunch.exe	70
PID 2560 wrote to memory of 2808	2560	AppLaunch.exe	70
PID 2560 wrote to memory of 3648	2560	AppLaunch.exe	74
PID 2560 wrote to memory of 3648	2560	AppLaunch.exe	74
PID 2560 wrote to memory of 3648	2560	AppLaunch.exe	74
PID 2560 wrote to memory of 3764	2560	AppLaunch.exe	71
PID 2560 wrote to memory of 3764	2560	AppLaunch.exe	71
PID 2560 wrote to memory of 3764	2560	AppLaunch.exe	71
PID 2560 wrote to memory of 3052	2560	AppLaunch.exe	76
PID 2560 wrote to memory of 3052	2560	AppLaunch.exe	76
PID 2560 wrote to memory of 3052	2560	AppLaunch.exe	76
PID 2560 wrote to memory of 3800	2560	AppLaunch.exe	78
PID 2560 wrote to memory of 3800	2560	AppLaunch.exe	78

C:\Users\Admin\AppData\Local\Temp\c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe
"C:\Users\Admin\AppData\Local\Temp\c1f9375f5df21b182cbe9c882cc263cbb8b991c79c85016c2ce34f4cacf69f45.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2808
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3764
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3648
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7" /TR "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3052
- - C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
    "C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 520
  2⤵
  - Program crash
  PID:5096

C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Filesize
572.6MB

MD5
103528dec7da763b5834872dcefe6d82

SHA1
046291d918aaee1e900279615693221470321e44

SHA256
9b32a81738368d223b4860bb64c07bea93f776bcc045ce4d3abf31ac197de673

SHA512
a4dab5b2e0c1223d31461978ee643761a7cf6003d1bd92614228a61a3b57e5792d88f676e2698afa0ba9569da3c8952475b2dd808a068c7ec84286fe2a398ef5

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Filesize
570.3MB

MD5
5104c644d033966e65ffa504d9b3d9b5

SHA1
fe62f11639800f8f8305b9325b3424e686db0747

SHA256
b282702edb0c16a8e60f8081fb13e2ab87be0da7cb16c036feaa3328af1fa95f

SHA512
ad1f2e2c767323f71e431a872d8920d85da0a4fe7f542ce489dcc1b17fb9eeeea8bacf97037716a04561dd76ea89ca80367df4f9ac5a603b689c5c7976a190cf

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7\regid.1991-06.com.microsoftMicrosoft-type4.6.1.7.exe

Filesize
387.8MB

MD5
8237beb00003b97e70ef9853601f7ba2

SHA1
c4fcdcd63d20c25bf8d6fa1a033f29322183b539

SHA256
4279ec74beab8c9b12ca7fa3f6d97a397e8d5efd4ca07ce337a0b5b027652342

SHA512
5eeade1dd0a09d734b5b4b6cf983e29e8eb21e89215cd3f7fd3fbbe2d53f78b58141c276573ee6103ef593217a66c96d4f05c2c0a9f9a59a037387ecb21077a3

Download Submit
memory/2196-161-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/2196-162-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/2196-163-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/2560-130-0x0000000009210000-0x000000000921A000-memory.dmp

Filesize
40KB

Download
memory/2560-134-0x0000000009280000-0x0000000009290000-memory.dmp

Filesize
64KB

Download
memory/2560-133-0x0000000009280000-0x0000000009290000-memory.dmp

Filesize
64KB

Download
memory/2560-132-0x0000000009280000-0x0000000009290000-memory.dmp

Filesize
64KB

Download
memory/2560-121-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2560-131-0x0000000009280000-0x0000000009290000-memory.dmp

Filesize
64KB

Download
memory/2560-129-0x0000000009320000-0x00000000093B2000-memory.dmp

Filesize
584KB

Download
memory/2560-128-0x0000000009820000-0x0000000009D1E000-memory.dmp

Filesize
5.0MB

Download
memory/3800-153-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-158-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-159-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-157-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-156-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-155-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download
memory/3800-154-0x00007FF62A3C0000-0x00007FF62A8DF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads