Analysis
- max time kernel: 145s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-03-2023 02:13
- Static task: static1
General
- Target: 0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe
- Size: 3.4MB
- MD5: e64d43d3203f39444ac9458125576d0e
- SHA1: 6e901f88e2a1518c812a4084b60c24189c222384
- SHA256: 0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1
- SHA512: b4837311c8ce6d2e84f5b4182a9f8d5fa3ccd61607383309eb168cf1aff2013336485383c51d810592ae81237522824cb1964182b935c9089291a89f582df107
- SSDEEP: 49152:Hr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVloL:cKvfd94XayMT5sH9M0aS8o9uWyUhHyC
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM)  [2 TTPs, 2 IoCs]
  Processes: USOSharedUSOPrivate-type4.6.0.8.exe, USOSharedUSOPrivate-type4.6.0.8.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | USOSharedUSOPrivate-type4.6.0.8.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | USOSharedUSOPrivate-type4.6.0.8.exe
  Note: VirtualBox stamps the OEM ID of its ACPI tables with "VBOX__", and Windows mirrors the table headers under HKLM\HARDWARE\ACPI, so a key of that name exists only inside a VirtualBox guest. The check is the open itself succeeding, not a value read. Both instances of the dropped executable (the one spawned by AppLaunch.exe and the one started later by the scheduled task) perform it, so the anti-VM logic lives in the payload rather than in the dropper.
- Checks BIOS information in registry  [2 TTPs, 4 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes: USOSharedUSOPrivate-type4.6.0.8.exe, USOSharedUSOPrivate-type4.6.0.8.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | USOSharedUSOPrivate-type4.6.0.8.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | USOSharedUSOPrivate-type4.6.0.8.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | USOSharedUSOPrivate-type4.6.0.8.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | USOSharedUSOPrivate-type4.6.0.8.exe
  Note: SystemBiosVersion and VideoBiosVersion are populated from the firmware at boot; on an unmodified VirtualBox guest they carry the marker VBOX, and other hypervisors leave their own vendor strings (VMware, BOCHS for QEMU/SeaBIOS). A sandbox that only hides the ACPI OEM ID still leaks through these values unless the BIOS strings are rewritten as well.
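The two registry signatures above can be re-derived (and extended to the other hypervisor artefacts a payload of this kind usually probes) with the following classifier. This is an added example written for this page, not code from the sandbox or from the sample; the artefact list and vendor markers are the editor's, and the event list is transcribed from the signature rows above, with the EnableLUA query from further down included as a non-VM control.

```python
"""Classify sandbox registry-access IoCs as hypervisor/sandbox probes."""
import re
from dataclasses import dataclass

# NT-native registry paths ordinary software has no reason to touch but which
# betray a hypervisor. Regex over the logged path -> what the probe learns.
# (Editor's list; only the first two patterns appear in this report.)
VM_ARTIFACTS = {
    r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$": "VirtualBox ACPI OEM ID",
    r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$": "BIOS version strings",
    r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\System(Manufacturer|ProductName)$": "SMBIOS vendor strings",
    r"\\Services\\(VBoxGuest|VBoxMouse|VBoxService|VBoxSF|vmhgfs|vmmouse|vmci)$": "guest-additions drivers",
    r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions$": "VirtualBox guest additions",
    r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools$": "VMware Tools",
}

# Substrings the BIOS/SMBIOS values contain inside an unmodified guest.
VENDOR_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS")


@dataclass(frozen=True)
class RegEvent:
    op: str        # "Key opened" / "Key value queried", as the sandbox logs it
    path: str      # NT-native path
    process: str


@dataclass(frozen=True)
class Hit:
    event: RegEvent
    artefact: str


def classify(events):
    """One Hit per event whose path matches a known VM artefact (first match wins)."""
    hits = []
    for ev in events:
        for pattern, label in VM_ARTIFACTS.items():
            if re.search(pattern, ev.path, re.IGNORECASE):
                hits.append(Hit(ev, label))
                break
    return hits


def value_reveals_vm(value):
    """What the payload does with a *BiosVersion value once it has read it:
    a case-insensitive substring test against vendor markers."""
    upper = value.upper()
    return [m for m in VENDOR_MARKERS if m in upper]


def summarize(hits):
    """Artefact classes probed per process: tells you where the anti-VM logic lives."""
    summary = {}
    for h in hits:
        summary.setdefault(h.event.process, set()).add(h.artefact)
    return summary


# Constructed from the report's signature rows (one non-VM query as a control).
PAYLOAD = "USOSharedUSOPrivate-type4.6.0.8.exe"
REPORT_EVENTS = [
    RegEvent("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", PAYLOAD),
    RegEvent("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", PAYLOAD),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", PAYLOAD),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", PAYLOAD),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", PAYLOAD),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", PAYLOAD),
    RegEvent("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", PAYLOAD),
]

if __name__ == "__main__":
    for proc, arts in summarize(classify(REPORT_EVENTS)).items():
        print(proc, sorted(arts))
    # A stock VirtualBox SystemBiosVersion reads "VBOX   - 1"; a vendor BIOS does not match.
    print(value_reveals_vm("VBOX   - 1"), value_reveals_vm("Dell Inc. - 1072009"))
```

Matching on the path alone is deliberate: the sandbox logs the key that was opened or queried, not the value returned, so the probe is visible even when the environment has been patched to answer "no hypervisor here".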
- Executes dropped EXE  [2 IoCs]
  pid | process
  1180 | USOSharedUSOPrivate-type4.6.0.8.exe
  1344 | USOSharedUSOPrivate-type4.6.0.8.exe
- Modifies file permissions  [1 TTPs, 3 IoCs]
  pid | process
  628 | icacls.exe
  488 | icacls.exe
  5028 | icacls.exe
- UPX packed file  [9 IoCs]
  resource | yara_rule
  C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe | upx  (listed three times, once per capture of the file)
  behavioral1/memory/1180-148-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  behavioral1/memory/1180-151-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  behavioral1/memory/1180-152-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  behavioral1/memory/1344-154-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  behavioral1/memory/1344-155-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  behavioral1/memory/1344-156-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp | upx
  Note: the dropped file is a 64-bit image (mapped at 0x00007FF7E84F0000, above the 4GB boundary), and its mapped region is 5.1MB, whereas the on-disk copies listed under Downloads run to hundreds of megabytes. The real payload is the 5.1MB UPX-packed PE; the rest of the file is filler.
- Checks whether UAC is enabled  [2 IoCs]
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | USOSharedUSOPrivate-type4.6.0.8.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | USOSharedUSOPrivate-type4.6.0.8.exe
  Note: EnableLUA = 0 means UAC is switched off. Reading it is harmless on its own; malware does so to decide whether an elevation attempt would raise a prompt.
- Suspicious use of SetThreadContext  [1 IoCs]
  description | pid | process | target process
  PID 1580 set thread context of 3600 | 1580 | 0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe | AppLaunch.exe
- Creates scheduled task(s)  [1 TTPs, 1 IoCs]
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  See the schtasks.exe /CREATE command line in the process tree below.
- Suspicious use of WriteProcessMemory  [19 IoCs]
  description | pid | process | target process | count
  PID 1580 wrote to memory of 3600 | 1580 | 0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe | AppLaunch.exe | 5
  PID 3600 wrote to memory of 628 | 3600 | AppLaunch.exe | icacls.exe | 3
  PID 3600 wrote to memory of 488 | 3600 | AppLaunch.exe | icacls.exe | 3
  PID 3600 wrote to memory of 5028 | 3600 | AppLaunch.exe | icacls.exe | 3
  PID 3600 wrote to memory of 1064 | 3600 | AppLaunch.exe | schtasks.exe | 3
  PID 3600 wrote to memory of 1180 | 3600 | AppLaunch.exe | USOSharedUSOPrivate-type4.6.0.8.exe | 2
  Note: the five writes from 1580 into 3600, paired with SetThreadContext on the same target, are the process-hollowing pattern and are the rows that matter. The uniform bursts from 3600 into every child it starts, plain icacls.exe and schtasks.exe included, look like the writes any parent makes while creating a child and should not by themselves be read as further injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe  (PID 1580)
  "C:\Users\Admin\AppData\Local\Temp\0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe  (PID 3600)
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      - Modifies file permissions
    - C:\Windows\SysWOW64\schtasks.exe  (PID 1064)
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8" /TR "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe" /SC MINUTE
      - Creates scheduled task(s)
    - C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe  (PID 1180)
      "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
- C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe  (PID 1344, top level: not a child of AppLaunch.exe, presumably the scheduled task firing)
  C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled

Reading the tree:
- PID 1580 starts AppLaunch.exe (the .NET Framework application launcher, a Microsoft-signed binary), writes into it five times and then sets its thread context: the hallmarks of process hollowing. The dump memory/3600-133 (0x00400000-0x0075C000, 3.4MB) is the same size as the submitted sample and sits at the default 32-bit image base, consistent with the sample's own image having been written over the host. Everything below depth 2 is the payload running under the AppLaunch.exe name.
- AppLaunch.exe is loaded from Framework, not Framework64, so it is a 32-bit process under WoW64; its requests for C:\Windows\System32\icacls.exe and schtasks.exe are redirected to C:\Windows\SysWOW64. The disagreement between image path and command line is file-system redirection, not tampering.
- The three icacls calls add deny ACEs for read rights (R, REA, RA, RD) on the drop directory for Everyone (S-1-1-0), Anonymous Logon (S-1-5-7) and the current user (admin, the sandbox account). Neither execute nor traverse is denied, so the scheduled task can still launch the file by full path. The ACEs are placed on the directory without (OI)/(CI) flags, so what they certainly block is listing the directory; whether the file itself can be opened by full path depends on the file's own DACL. To collect the sample, remove the deny entries first as an administrator, e.g. icacls "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /remove:d *S-1-1-0 (and likewise for *S-1-5-7 and the user), or /reset.
- The task and directory names imitate the Windows Update Orchestrator folders (USOShared, USOPrivate) that legitimately exist under C:\ProgramData. /SC MINUTE with no /MO fires every minute, which is why a second instance (PID 1344) appears within the 145s run. Export it with schtasks /Query /TN "USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8" /XML before deleting it with schtasks /Delete /TN "..." /F.
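The chain above (hollowing into AppLaunch.exe, the icacls deny ACEs, the every-minute task and the dropped-EXE launch) re-derived from the tree's process records and the API rows, as an added example that is not part of the sandbox report or of any tool it names. The process records are transcribed from the tree; the mapping of PIDs 628, 488 and 5028 onto the three icacls command lines follows their listed order and is an assumption, as is the PID-less top-level instance being 1344. The path lists and thresholds are the editor's.

```python
"""Re-derive this report's findings from its process tree and API events."""
import re
from dataclasses import dataclass
from typing import Optional

WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon"}
# Signed Microsoft hosts commonly hollowed by .NET droppers (editor's list).
HOLLOW_HOSTS = ("\\Microsoft.NET\\Framework\\", "\\Microsoft.NET\\Framework64\\")
USER_WRITABLE = ("\\ProgramData\\", "\\AppData\\", "\\Temp\\")


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None = no parent in the tree (top level)
    image: str            # image actually executed (post WoW64 redirection)
    cmdline: str


@dataclass
class Finding:
    kind: str
    pid: int
    detail: str


def _deny_aces(cmd):
    """Every /deny "<trustee>:(rights)" clause of an icacls command line."""
    return [(m.group(1).lstrip("*"), m.group(2).split(","))
            for m in re.finditer(r'/deny\s+"?(\*?[^:"\s]+):\(([^)]*)\)', cmd)]


def _icacls_target(cmd):
    m = re.match(r'^"[^"]*\\icacls\.exe"\s+"([^"]+)"', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def analyze(procs, api_events):
    """api_events: (api, caller_pid, target_pid) tuples. Returns Findings."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    wrote = {(c, t) for api, c, t in api_events if api == "WriteProcessMemory"}
    ctx = {(c, t) for api, c, t in api_events if api == "SetThreadContext"}
    # 1. Hollowing: same caller both writes into a child and reprograms its thread,
    #    and the child is a signed framework host.
    for caller, target in wrote & ctx:
        host = by_pid[target]
        if any(h.lower() in host.image.lower() for h in HOLLOW_HOSTS):
            findings.append(Finding("process_hollowing", caller,
                            f"PID {caller} wrote + SetThreadContext into {host.image} (PID {target})"))
    injected = {t for _, t in wrote & ctx}
    for p in procs:
        name = p.image.rsplit("\\", 1)[-1].lower()
        if name == "icacls.exe":
            # 2. Self-protection: deny read/list rights on a user-writable drop directory.
            target = _icacls_target(p.cmdline) or ""
            for trustee, rights in _deny_aces(p.cmdline):
                who = WELL_KNOWN_SIDS.get(trustee, trustee)
                if any(u.lower() in target.lower() for u in USER_WRITABLE) and "RD" in rights:
                    findings.append(Finding("acl_self_protection", p.pid,
                                    f"deny {','.join(rights)} for {who} on {target}"))
        elif name == "schtasks.exe" and re.search(r"/CREATE\b", p.cmdline, re.I):
            # 3. Persistence: /CREATE with a frequency trigger; /MO defaults to 1.
            tr = re.search(r'/TR\s+"([^"]+)"', p.cmdline, re.I)
            sc = re.search(r"/SC\s+(\w+)", p.cmdline, re.I)
            mo = re.search(r"/MO\s+(\d+)", p.cmdline, re.I)
            if tr and sc:
                every = f"every {mo.group(1) if mo else 1} {sc.group(1).lower()}"
                findings.append(Finding("scheduled_task_persistence", p.pid, f"{tr.group(1)} {every}"))
        elif any(u.lower() in p.image.lower() for u in USER_WRITABLE) and p.ppid in injected:
            # 4. Dropped binary launched from a writable path by the hollowed host.
            findings.append(Finding("dropped_exe_execution", p.pid,
                            f"{p.image} spawned by hollowed PID {p.ppid}"))
    return findings


# Constructed from the report's process tree and API rows.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
DROPDIR = r"C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8"
DROP = DROPDIR + r"\USOSharedUSOPrivate-type4.6.0.8.exe"
ICACLS = '"C:\\Windows\\System32\\icacls.exe" "' + DROPDIR + '" /inheritance:e /deny '
SCHTASKS = ('"C:\\Windows\\System32\\schtasks.exe" /CREATE /TN '
            '"USOSharedUSOPrivate-type4.6.0.8\\USOSharedUSOPrivate-type4.6.0.8" /TR "' + DROP + '" /SC MINUTE')
REPORT_PROCS = [
    Proc(1580, None, SAMPLE, '"' + SAMPLE + '"'),
    Proc(3600, 1580, APPLAUNCH, '"' + APPLAUNCH + '"'),
    Proc(628, 3600, r"C:\Windows\SysWOW64\icacls.exe", ICACLS + '"*S-1-1-0:(R,REA,RA,RD)"'),   # PID order assumed
    Proc(488, 3600, r"C:\Windows\SysWOW64\icacls.exe", ICACLS + '"*S-1-5-7:(R,REA,RA,RD)"'),
    Proc(5028, 3600, r"C:\Windows\SysWOW64\icacls.exe", ICACLS + '"admin:(R,REA,RA,RD)"'),
    Proc(1064, 3600, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS),
    Proc(1180, 3600, DROP, '"' + DROP + '" "' + APPLAUNCH + '"'),
    Proc(1344, None, DROP, DROP),   # top-level instance (assumed to be the task firing)
]
REPORT_API = ([("WriteProcessMemory", 1580, 3600)] * 5 + [("SetThreadContext", 1580, 3600)]
              + [("WriteProcessMemory", 3600, t) for t in (628, 488, 5028, 1064) for _ in range(3)]
              + [("WriteProcessMemory", 3600, 1180)] * 2)

if __name__ == "__main__":
    for f in analyze(REPORT_PROCS, REPORT_API):
        print(f"{f.kind:28} pid={f.pid:<5} {f.detail}")
```

The hollowing rule keys on the pair (write into child, SetThreadContext on child) from one caller rather than on WriteProcessMemory alone, because, as the 19 rows above show, a parent writing into every child it creates is routine and would flood the result with icacls.exe and schtasks.exe.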
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe
  Filesize: 678.1MB
  MD5: d476ec025892bdff7c20b01fefbf5bb2
  SHA1: 9d19b947254179805d9677b476c43127194fd5d0
  SHA256: 61c7953a9def6679ca0a760d0b1c461fb1541bdb8afec499fc83534be5e1e4e0
  SHA512: c9285dde919f515e7abac4a1f2dd240fe886add3f1a1cfae7be9746475f4ee1dad5b96993630941a52624720135cba411ea3e6d63ec3116101357ee92fa01045
- C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe
  Filesize: 639.6MB
  MD5: 2e5f9f8b3470b826bcdb6e646799790a
  SHA1: a92ea4bfedce8e684a936d82ce0b407ac958047b
  SHA256: aa59a2b2b391fa55e25412ea7246f9438f4481b4fb60e106fb15cf34e77ba234
  SHA512: 36ed3062ce7d7305bc4cf8a8e10752ed3c05fc41fd2538a990fcd3c6de562b9cb59cd13e7d6244e105d04af4efb6002304f02f5849bdc01e164badd544d42874
- C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe
  Filesize: 343.0MB
  MD5: 50fd997a6bfdc7d827dbb5a08d7c63a8
  SHA1: d8d051e27a7cb3150743b02e22e9370a6ccf333f
  SHA256: 253959c7be66b3066ba3979c69187232b33331ab4f68bd729f9ae12c81966d6b
  SHA512: 911d3be570dc1daefd0388d8e40762d80ce1136e09a524b356c86823cfd10a1762526e1dab66b3bba7c230ea0dc469425f8c7a951ce11a89e3bc8f34f35d4563
  Note: one path, three captures, three sizes and three hash sets, against a mapped image of 5.1MB. Whether the file was captured while still being written or the filler differs per write, the on-disk hashes are not dependable indicators; pivot on the path, the task name, or a hash of the dumped in-memory image instead. A file of several hundred megabytes also exceeds the upload limits of many scanners and sandboxes, which is the point of the padding.
- memory/1180-152-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/1180-148-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/1180-151-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/1344-156-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/1344-155-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/1344-154-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp: 5.1MB
- memory/3600-144-0x00000000059E0000-0x00000000059F0000-memory.dmp: 64KB
- memory/3600-139-0x00000000059F0000-0x0000000005A82000-memory.dmp: 584KB
- memory/3600-140-0x0000000005990000-0x000000000599A000-memory.dmp: 40KB
- memory/3600-133-0x0000000000400000-0x000000000075C000-memory.dmp: 3.4MB
- memory/3600-138-0x0000000005F00000-0x00000000064A4000-memory.dmp: 5.6MB
- memory/3600-141-0x00000000059E0000-0x00000000059F0000-memory.dmp: 64KB
- memory/3600-143-0x00000000059E0000-0x00000000059F0000-memory.dmp: 64KB
- memory/3600-142-0x00000000059E0000-0x00000000059F0000-memory.dmp: 64KB
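The size-inflation and hash-instability observations above, turned into a check you can run over any report's dropped-file and memory-dump lists. This is an added example for this page, not sandbox code; the records are transcribed from the Downloads section, the dump sizes are recomputed from the start/end addresses in the dump names (the report's MB figures are binary-unit, which the parser assumes), and the 10x inflation threshold is the editor's choice.

```python
"""Flag dropped files whose on-disk size dwarfs the image the process mapped,
or whose hash changed between captures (unusable as an IoC)."""
import re
from collections import defaultdict

UNITS = {"B": 1, "KB": 1 << 10, "MB": 1 << 20, "GB": 1 << 30}   # binary units, as in the report
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_size(text):
    """'678.1MB' -> bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMG]?B)\s*", text)
    if not m:
        raise ValueError(text)
    return int(float(m.group(1)) * UNITS[m.group(2)])


def region_bytes(dump_name):
    """Mapped-region size from the '<start>-<end>' part of a dump name."""
    m = DUMP_RE.search(dump_name)
    if not m:
        raise ValueError(dump_name)
    return int(m.group(3), 16) - int(m.group(2), 16)


def dump_pid(dump_name):
    return int(DUMP_RE.search(dump_name).group(1))


def assess(drops, dumps, exec_pids, inflation_ratio=10):
    """drops: (path, size_text, sha256); dumps: dump names; exec_pids: the PIDs
    that ran the dropped file. The largest region dumped from those PIDs is
    taken as the real image size and compared with the largest on-disk copy."""
    image_sizes = [region_bytes(d) for d in dumps if dump_pid(d) in exec_pids]
    mapped = max(image_sizes) if image_sizes else None
    by_path = defaultdict(list)
    for path, size_text, sha in drops:
        by_path[path].append((parse_size(size_text), sha))
    report = {}
    for path, recs in by_path.items():
        on_disk = max(size for size, _ in recs)
        hashes = {sha for _, sha in recs}
        ratio = (on_disk / mapped) if mapped else None
        report[path] = {
            "captures": len(recs),
            "distinct_hashes": len(hashes),
            "max_on_disk": on_disk,
            "mapped_image": mapped,
            "inflated": bool(ratio and ratio >= inflation_ratio),
            "hash_is_stable_ioc": len(hashes) == 1,
        }
    return report


# Constructed from this report's Downloads section.
DROP_PATH = r"C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe"
REPORT_DROPS = [
    (DROP_PATH, "678.1MB", "61c7953a9def6679ca0a760d0b1c461fb1541bdb8afec499fc83534be5e1e4e0"),
    (DROP_PATH, "639.6MB", "aa59a2b2b391fa55e25412ea7246f9438f4481b4fb60e106fb15cf34e77ba234"),
    (DROP_PATH, "343.0MB", "253959c7be66b3066ba3979c69187232b33331ab4f68bd729f9ae12c81966d6b"),
]
REPORT_DUMPS = [
    "memory/1180-148-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp",
    "memory/1344-154-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmp",
    "memory/3600-133-0x0000000000400000-0x000000000075C000-memory.dmp",   # hollowed host, not the drop
]

if __name__ == "__main__":
    for path, rec in assess(REPORT_DROPS, REPORT_DUMPS, {1180, 1344}).items():
        print(path)
        for k, v in rec.items():
            print(f"  {k}: {v}")
```

A stable-hash result with no inflation is the normal case; either flag firing is the cue to hash the memory dump rather than the file before publishing indicators.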