432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011

General

Target

432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe
Size

3.4MB
MD5

4fa9920fcd7a89c599cb5ac1c111264e
SHA1

ac19248d3dc29e559aae3fd4af16cfd7778b2c1d
SHA256

432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011
SHA512

3b66cd31fb4001c41f429614f3a6412813b4317771d10daa610c70a0331d12da7392c7793af4ed8dfb62d81b52f876c7e19051fbc166fcc58590363fc4064e7f
SSDEEP

49152:gr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo9:LKvfd94XayMT5sH9M0aS8o9uWyUhHyk

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

MicrosoftTemplates-type6.5.2.0.exeMicrosoftTemplates-type6.5.2.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftTemplates-type6.5.2.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	MicrosoftTemplates-type6.5.2.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftTemplates-type6.5.2.0.exeMicrosoftTemplates-type6.5.2.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	MicrosoftTemplates-type6.5.2.0.exe

Executes dropped EXE 2 IoCs

Processes:

MicrosoftTemplates-type6.5.2.0.exeMicrosoftTemplates-type6.5.2.0.exe

pid process

4720 MicrosoftTemplates-type6.5.2.0.exe
2288 MicrosoftTemplates-type6.5.2.0.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3876 icacls.exe
2264 icacls.exe
4796 icacls.exe

pid	process
4720	MicrosoftTemplates-type6.5.2.0.exe
2288	MicrosoftTemplates-type6.5.2.0.exe

pid	process
3876	icacls.exe
2264	icacls.exe
4796	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe	upx
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe	upx
behavioral1/memory/4720-146-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
behavioral1/memory/4720-149-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
behavioral1/memory/4720-150-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe	upx
behavioral1/memory/2288-152-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
behavioral1/memory/2288-153-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
behavioral1/memory/2288-155-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx
behavioral1/memory/2288-156-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MicrosoftTemplates-type6.5.2.0.exeMicrosoftTemplates-type6.5.2.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftTemplates-type6.5.2.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MicrosoftTemplates-type6.5.2.0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe

description	pid	process	target process
PID 4668 set thread context of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1944 schtasks.exe

pid	process
1944	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exeAppLaunch.exe

description	pid	process	target process
PID 4668 wrote to memory of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe
PID 4668 wrote to memory of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe
PID 4668 wrote to memory of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe
PID 4668 wrote to memory of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe
PID 4668 wrote to memory of 4376	4668	432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe	AppLaunch.exe
PID 4376 wrote to memory of 3876	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 3876	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 3876	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 2264	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 2264	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 2264	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 4796	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 4796	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 4796	4376	AppLaunch.exe	icacls.exe
PID 4376 wrote to memory of 1944	4376	AppLaunch.exe	schtasks.exe
PID 4376 wrote to memory of 1944	4376	AppLaunch.exe	schtasks.exe
PID 4376 wrote to memory of 1944	4376	AppLaunch.exe	schtasks.exe
PID 4376 wrote to memory of 4720	4376	AppLaunch.exe	MicrosoftTemplates-type6.5.2.0.exe
PID 4376 wrote to memory of 4720	4376	AppLaunch.exe	MicrosoftTemplates-type6.5.2.0.exe

C:\Users\Admin\AppData\Local\Temp\432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe
"C:\Users\Admin\AppData\Local\Temp\432bdaebda187fa78b04d6e0ea0baf49cd4747182f336636bf3c6d602b410011.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:3876

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2264

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\MicrosoftTemplates-type6.5.2.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:4796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0" /TR "C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:1944

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
"C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4720

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
Filesize
717.7MB

MD5
0828db569bc982a6719575bc3fc41155

SHA1
78cfe4d19344a74ddabe72be24044582398b449b

SHA256
147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc

SHA512
9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
Filesize
717.7MB

MD5
0828db569bc982a6719575bc3fc41155

SHA1
78cfe4d19344a74ddabe72be24044582398b449b

SHA256
147874503a536759d02806f60a4fc3d19c5b59903ab840d044104a081f74bbcc

SHA512
9a7d68390e9f9608d598bce67e71e744f3cbfb6efc2f591c18f00d2a428cda923731988c98d3c1ac475e612b79b4056177ffc7cf0a0c22ff1071e720aa4d8c8b

Download Submit
C:\ProgramData\MicrosoftTemplates-type6.5.2.0\MicrosoftTemplates-type6.5.2.0.exe
Filesize
521.6MB

MD5
cbd9aafeaf0f10ac21c2d659fe898a53

SHA1
4454db40ca44ad0f4ed113a36d99fbe8c89189ef

SHA256
306b4f8e398be020c79f223535fe07e31bb6a66fefd4629d1a320013bc48e1b3

SHA512
d2cffc714bc7f7d894b2161cb40694d7940863f9ad444710085e205decf98e823446a9747289b51cb8ef169c5337f5f232f77f6fd3e3af3456382162301fc4e6

Download Submit
memory/2288-156-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/2288-155-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/2288-153-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/2288-152-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/4376-127-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/4376-128-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/4376-129-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/4376-126-0x0000000006AD0000-0x0000000006AE0000-memory.dmp

Filesize
64KB

Download
memory/4376-116-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/4376-125-0x0000000006A50000-0x0000000006A5A000-memory.dmp

Filesize
40KB

Download
memory/4376-124-0x00000000090F0000-0x0000000009182000-memory.dmp

Filesize
584KB

Download
memory/4376-123-0x00000000097F0000-0x0000000009CEE000-memory.dmp

Filesize
5.0MB

Download
memory/4720-146-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/4720-149-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download
memory/4720-150-0x00007FF76F170000-0x00007FF76F68F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads