Analysis
max time kernel: 146s
max time network: 142s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 19-03-2023 01:57
Static task: static1
General
Target: 432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe
Size: 3.4MB
MD5: 4fa9920fcd7a89c599cb5ac1c111264e
SHA1: ac19248d3dc29e559aae3fd4af16cfd7778b2c1d
SHA256: 432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011
SHA512: 3b66cd31fb4001c41f429614f3a6412813b4317771d10daa610c70a0331d12da7392c7793af4ed8dfb62d81b52f876c7e19051fbc166fcc58590363fc4064e7f
SSDEEP: 49152:gr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo9:LKvfd94XayMT5sH9M0aS8o9uWyUhHyk
Malware Config

Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
VBOX__ is the OEM table ID that VirtualBox writes into the guest's DSDT, so the mere existence of this key under HARDWARE\ACPI\DSDT is a hypervisor fingerprint; both instances of the dropped binary open it.
Processes: MicrosoftTemplates-type6.5.2.0.exe, MicrosoftTemplates-type6.5.2.0.exe
description   ioc                                          process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  MicrosoftTemplates-type6.5.2.0.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  MicrosoftTemplates-type6.5.2.0.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: MicrosoftTemplates-type6.5.2.0.exe, MicrosoftTemplates-type6.5.2.0.exe
description        ioc                                                              process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   MicrosoftTemplates-type6.5.2.0.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  MicrosoftTemplates-type6.5.2.0.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   MicrosoftTemplates-type6.5.2.0.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  MicrosoftTemplates-type6.5.2.0.exe
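The two signatures above only record which registry locations the dropped binary touched. The block below is an added example (not the sample's code and not part of the sandbox report) that models the same check so an analyst can run it against a lab VM and see exactly which artifact would give the guest away. The report does not show what strings the sample compares the BIOS values against, so VM_MARKERS is an assumption; the two snapshot dicts are constructed, and the winreg path only works on Windows.

```python
"""Model of the VirtualBox / BIOS registry checks recorded above.

Added example; the marker list is an assumption (the report does not show what
the sample matches on). The two reader callables let the same logic run against
the live registry (winreg, Windows only) or a constructed snapshot dict.
"""

# Artifacts named in the report (HKLM-relative paths).
VBOX_ACPI_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = (
    (r"HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    (r"HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
)
# Assumed marker substrings; order only decides which one is reported first.
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")


def vm_artifacts(key_exists, read_value):
    """Return a list of 'where:what' strings for every VM artifact found.

    key_exists(key) -> bool and read_value(key, name) -> data | None abstract
    the registry so the check is testable without Windows.
    """
    found = []
    if key_exists(VBOX_ACPI_KEY):
        found.append("acpi:" + VBOX_ACPI_KEY)
    for key, name in BIOS_VALUES:
        data = read_value(key, name)
        if data is None:
            continue
        # Both values are REG_MULTI_SZ; winreg returns them as a list of strings.
        text = " ".join(data) if isinstance(data, (list, tuple)) else str(data)
        for marker in VM_MARKERS:
            if marker in text.upper():
                found.append(f"{name}:{marker}")
                break
    return found


def snapshot_reader(snapshot):
    """Readers over a dict keyed by 'key' (existence) or 'key\\value' (data)."""
    def key_exists(key):
        return key in snapshot

    def read_value(key, name):
        return snapshot.get(key + "\\" + name)
    return key_exists, read_value


def live_reader():
    """Readers over HKLM via winreg; raises ImportError on non-Windows hosts."""
    import winreg

    def key_exists(key):
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key))
            return True
        except OSError:
            return False

    def read_value(key, name):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                return winreg.QueryValueEx(handle, name)[0]
        except OSError:
            return None
    return key_exists, read_value


# Constructed snapshots (illustrative values, not taken from the report).
VBOX_GUEST = {
    r"HARDWARE\ACPI\DSDT\VBOX__": True,
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["VBOX   - 1"],
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1 VBE BIOS"],
}
BARE_METAL = {
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion": ["LENOVO - 1310", "N2EET50W (1.32 )"],
    r"HARDWARE\DESCRIPTION\System\VideoBiosVersion": [],
}


if __name__ == "__main__":
    try:
        readers = live_reader()            # real check when run on a Windows host
    except ImportError:
        readers = snapshot_reader(VBOX_GUEST)
    print(vm_artifacts(*readers))
```

Run on a stock VirtualBox guest the live reader reports all three artifacts; a sandbox that wants this sample to proceed past the check has to remove the VBOX__ DSDT table and patch both BIOS version strings, not just one of them.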
Executes dropped EXE 2 IoCs
Processes: MicrosoftTemplates-type6.5.2.0.exe, MicrosoftTemplates-type6.5.2.0.exe
pid   process
4720  MicrosoftTemplates-type6.5.2.0.exe
2288  MicrosoftTemplates-type6.5.2.0.exe
Modifies file permissions 1 TTPs 3 IoCs
Processes: icacls.exe, icacls.exe, icacls.exe
pid   process
3876  icacls.exe
2264  icacls.exe
4796  icacls.exe
UPX packed file (yara rule: upx) 10 IoCs
The rule matches the dropped binary on disk and every memory dump taken from both instances of it.
resource                                                                              yara_rule
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe      upx
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe      upx
behavioral1/memory/4720-146-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
behavioral1/memory/4720-149-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
behavioral1/memory/4720-150-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe      upx
behavioral1/memory/2288-152-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
behavioral1/memory/2288-153-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
behavioral1/memory/2288-155-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
behavioral1/memory/2288-156-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp          upx
Checks whether UAC is enabled 2 IoCs
Processes: MicrosoftTemplates-type6.5.2.0.exe, MicrosoftTemplates-type6.5.2.0.exe
description        ioc                                                                          process
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MicrosoftTemplates-type6.5.2.0.exe
Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  MicrosoftTemplates-type6.5.2.0.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe
description             pid   process                                                                 target process
set thread context of 4376  4668  432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe  AppLaunch.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Process: schtasks.exe (PID 1944; the full command line is in the process tree below)
Suspicious use of WriteProcessMemory 19 IoCs
Processes: 432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe, AppLaunch.exe
(identical rows collapsed; the count in parentheses is the number of times the row appears)
description                   pid   process                                                                 target process
wrote to memory of 4376 (x5)  4668  432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe  AppLaunch.exe
wrote to memory of 3876 (x3)  4376  AppLaunch.exe                                                           icacls.exe
wrote to memory of 2264 (x3)  4376  AppLaunch.exe                                                           icacls.exe
wrote to memory of 4796 (x3)  4376  AppLaunch.exe                                                           icacls.exe
wrote to memory of 1944 (x3)  4376  AppLaunch.exe                                                           schtasks.exe
wrote to memory of 4720 (x2)  4376  AppLaunch.exe                                                           MicrosoftTemplates-type6.5.2.0.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe (PID 4668)
   "C:\Users\Admin\AppData\Local\Temp\432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4376)
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      Started with no arguments by the sample, which then writes into it (five WriteProcessMemory calls) and calls SetThreadContext on it; the 3.4 MB region at 0x400000 in this process (memory/4376-116 below) has the same size as the submitted sample. AppLaunch.exe comes from the 32-bit Framework directory, so every child it spawns runs under WoW64, which is why the children's image paths resolve to SysWOW64 although their command lines name System32.
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\icacls.exe
         "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
         - Modifies file permissions
      3. C:\Windows\SysWOW64\icacls.exe
         "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
         - Modifies file permissions
      3. C:\Windows\SysWOW64\icacls.exe
         "C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
         - Modifies file permissions
         The three icacls invocations (PIDs 3876, 2264 and 4796) add deny ACEs on the drop directory for Everyone (*S-1-1-0), ANONYMOUS LOGON (*S-1-5-7) and the sandbox's logged-on user (admin). The denied rights are R (generic read), REA (read extended attributes), RA (read attributes) and RD (read data / list directory), so the directory can no longer be enumerated or read by those principals; /inheritance:e keeps inherited ACEs in place. Execute (X) is not denied, and the ACEs carry no (OI)/(CI) flags, so they apply to the directory object itself rather than being inherited by the dropped file.
      3. C:\Windows\SysWOW64\schtasks.exe (PID 1944)
         "C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0" /TR "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" /SC MINUTE
         - Creates scheduled task(s)
         The task runs the dropped binary every minute; with no /RU it runs with the permissions of the user that created it.
      3. C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe (PID 4720)
         "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
         The dropped binary is handed the AppLaunch.exe path as its only argument.
         - Identifies VirtualBox via ACPI registry values (likely anti-VM)
         - Checks BIOS information in registry
         - Executes dropped EXE
         - Checks whether UAC is enabled
1. C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe (PID 2288)
   C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
   A second instance with no parent in the tree and no arguments, consistent with the scheduled task above (/SC MINUTE) having fired during the 146 s run.
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Checks whether UAC is enabled
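The chain above (a bare AppLaunch.exe host, icacls deny ACEs on a ProgramData directory, a schtasks /SC MINUTE task pointing into that directory, and execution from ProgramData) is what a detection engineer would want to turn into rules. The block below is an added example, not code from the sample or from the sandbox: it runs five such rules over Sysmon-style process-creation records. The records are reconstructed from the reported tree (PIDs and command lines as shown; the sample's own parent is not in the report, so its ppid is None) plus three constructed benign records that must not fire. The rule names and the ProgramData heuristics are mine.

```python
"""Detection rules for the process chain in this report's process tree, run over
Sysmon-style process-creation records. Added example, not the sample's or the
sandbox's code. EVENTS is reconstructed from the tree above (PIDs and command
lines as reported; the sample's own parent is not shown, so ppid=None) plus
three constructed benign records that must not fire. Rule names and the
ProgramData heuristics are mine."""
import re

APPL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
DROP = r"C:\ProgramData\MicrosoftTemplates-type6.5.2.0"
DROPEXE = DROP + r"\MicrosoftTemplates-type6.5.2.0.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe"
ICACLS = r"C:\Windows\SysWOW64\icacls.exe"   # image path after WoW64 redirection
SYS32 = "C:\\Windows\\System32\\"             # path the 32-bit parent actually asked for

def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}

EVENTS = [
    ev(4668, None, SAMPLE, f'"{SAMPLE}"'),
    ev(4376, 4668, APPL, f'"{APPL}"'),
    ev(3876, 4376, ICACLS, f'"{SYS32}icacls.exe" "{DROP}" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"'),
    ev(2264, 4376, ICACLS, f'"{SYS32}icacls.exe" "{DROP}" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"'),
    ev(4796, 4376, ICACLS, f'"{SYS32}icacls.exe" "{DROP}" /inheritance:e /deny "admin:(R,REA,RA,RD)"'),
    ev(1944, 4376, r"C:\Windows\SysWOW64\schtasks.exe", f'"{SYS32}schtasks.exe" /CREATE '
       f'/TN "MicrosoftTemplates-type6.5.2.0\\MicrosoftTemplates-type6.5.2.0" /TR "{DROPEXE}" /SC MINUTE'),
    ev(4720, 4376, DROPEXE, f'"{DROPEXE}" "{APPL}"'),
    # constructed benign records: an admin granting rights and a vendor daily task
    ev(900, None, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ev(5100, 900, ICACLS, f'"{SYS32}icacls.exe" "C:\\Users\\Admin\\Documents" /grant Admin:(OI)(CI)F'),
    ev(5200, 900, r"C:\Windows\System32\schtasks.exe",
       f'"{SYS32}schtasks.exe" /CREATE /TN Vendor\\Update /TR "C:\\Program Files\\Vendor\\update.exe" /SC DAILY'),
]

def tokens(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def arg_after(toks, flag):
    """Value following a case-insensitive flag, or '' if absent."""
    low = [t.lower() for t in toks]
    i = low.index(flag) + 1 if flag in low else len(toks)
    return toks[i] if i < len(toks) else ""

def parse_deny(toks):
    """[(principal, (rights, ...))] for every /deny argument of an icacls command."""
    out = []
    for i, tok in enumerate(toks):
        if tok.lower() == "/deny" and i + 1 < len(toks):
            principal, _, rights = toks[i + 1].partition(":")
            out.append((principal, tuple(re.findall(r"[A-Z]+", rights))))
    return out

def rule_bare_applaunch(e, by_pid):
    # AppLaunch.exe is a .NET host that normally receives arguments; a bare launch
    # is a common hollowing target (the report shows SetThreadContext on it next).
    if basename(e["image"]) == "applaunch.exe" and len(tokens(e["cmdline"])) == 1:
        return "AppLaunch.exe started with no arguments (hollowing host candidate)"

def rule_applaunch_child(e, by_pid):
    parent = by_pid.get(e["ppid"])
    if parent and basename(parent["image"]) == "applaunch.exe" \
            and basename(e["image"]) in {"icacls.exe", "schtasks.exe", "cmd.exe", "powershell.exe"}:
        return f"{basename(e['image'])} spawned by AppLaunch.exe"

def rule_icacls_deny(e, by_pid):
    toks = tokens(e["cmdline"])
    denies = parse_deny(toks) if basename(e["image"]) == "icacls.exe" else []
    if not denies or len(toks) < 2 or not toks[1].lower().startswith("c:\\programdata"):
        return None
    return "icacls denies read rights on ProgramData path to " + ", ".join(p for p, _ in denies)

def rule_schtasks_minute(e, by_pid):
    toks = tokens(e["cmdline"])
    if basename(e["image"]) != "schtasks.exe" or "/create" not in [t.lower() for t in toks]:
        return None
    tr, sc = arg_after(toks, "/tr"), arg_after(toks, "/sc").upper()
    if sc == "MINUTE" and tr.lower().startswith("c:\\programdata"):
        return f"schtasks /SC MINUTE persistence for {tr}"

def rule_programdata_exec(e, by_pid):
    if e["image"].lower().startswith("c:\\programdata\\") and e["image"].lower().endswith(".exe"):
        parent = by_pid.get(e["ppid"])
        return "executable launched from ProgramData" + (f" by {basename(parent['image'])}" if parent else "")

RULES = (rule_bare_applaunch, rule_applaunch_child, rule_icacls_deny, rule_schtasks_minute, rule_programdata_exec)

def analyze(events):
    """Return [(pid, finding)] for every rule that fires on every record."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["pid"], msg) for e in events for rule in RULES if (msg := rule(e, by_pid))]

if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(pid, msg)
```

Each rule is independent, so a single firing is low confidence on its own (an administrator may legitimately run icacls /deny), but the combination seen here, where every finding hangs off the same argument-less AppLaunch.exe process, is what to alert on. Note that parse_deny reads the principal and rights straight out of the command line, which is what lets the rule say who was denied what rather than just "icacls ran".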
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe (listed twice in the report with identical hashes)
  Filesize: 717.7MB
  MD5: 0828db569bc982a6719575bc3fc41155
  SHA1: 78cfe4d19344a74ddabe72be24044582398b449b
  SHA256: 147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc
  SHA512: 9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
  Filesize: 521.6MB
  MD5: cbd9aafeaf0f10ac21c2d659fe898a53
  SHA1: 4454db40ca44ad0f4ed113a36d99fbe8c89189ef
  SHA256: 306b4f8e398be020c79f223535fe07e31bb6a66fefd4629d1a320013bc48e1b3
  SHA512: d2cffc714bc7f7d894b2161cb40694d7940863f9ad444710085e205decf98e823446a9747289b51cb8ef169c5337f5f232f77f6fd3e3af3456382162301fc4e6

Two different files were written to the same path during the run (717.7 MB and 521.6 MB, different hashes); both are far larger than the 5.1 MB image the process mapped from that path, so on-disk size is not a usable indicator for this family.

Memory dumps:
memory/2288-152, -153, -155, -156: 0x00007FF76F170000-0x00007FF76F68F000, 5.1MB each (MicrosoftTemplates-type6.5.2.0.exe, PID 2288)
memory/4720-146, -149, -150: 0x00007FF76F170000-0x00007FF76F68F000, 5.1MB each (MicrosoftTemplates-type6.5.2.0.exe, PID 4720)
memory/4376-116: 0x0000000000400000-0x000000000075C000, 3.4MB (AppLaunch.exe, PID 4376; same size as the submitted sample)
memory/4376-123: 0x00000000097F0000-0x0000000009CEE000, 5.0MB (AppLaunch.exe, PID 4376)
memory/4376-124: 0x00000000090F0000-0x0000000009182000, 584KB (AppLaunch.exe, PID 4376)
memory/4376-125: 0x0000000006A50000-0x0000000006A5A000, 40KB (AppLaunch.exe, PID 4376)
memory/4376-126, -127, -128, -129: 0x0000000006AD0000-0x0000000006AE0000, 64KB each (AppLaunch.exe, PID 4376)