Analysis
-
max time kernel
145s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
19-03-2023 02:13
General
-
Target
0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe
-
Size
3.4MB
-
MD5
e64d43d3203f39444ac9458125576d0e
-
SHA1
6e901f88e2a1518c812a4084b60c24189c222384
-
SHA256
0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1
-
SHA512
b4837311c8ce6d2e84f5b4182a9f8d5fa3ccd61607383309eb168cf1aff2013336485383c51d810592ae81237522824cb1964182b935c9089291a89f582df107
-
SSDEEP
49152:Hr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVloL:cKvfd94XayMT5sH9M0aS8o9uWyUhHyC
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe"C:\Users\Admin\AppData\Local\Temp\0052238110cbbade6a8d88ca3bc3ecd55be1f32cfb0ce0e922bd2e66491c18c1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8" /TR "C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe" /SC MINUTE3⤵
- Creates scheduled task(s)
-
C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe"C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exeC:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exeFilesize
678.1MB
MD5d476ec025892bdff7c20b01fefbf5bb2
SHA19d19b947254179805d9677b476c43127194fd5d0
SHA25661c7953a9def6679ca0a760d0b1c461fb1541bdb8afec499fc83534be5e1e4e0
SHA512c9285dde919f515e7abac4a1f2dd240fe886add3f1a1cfae7be9746475f4ee1dad5b96993630941a52624720135cba411ea3e6d63ec3116101357ee92fa01045
-
C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exeFilesize
639.6MB
MD52e5f9f8b3470b826bcdb6e646799790a
SHA1a92ea4bfedce8e684a936d82ce0b407ac958047b
SHA256aa59a2b2b391fa55e25412ea7246f9438f4481b4fb60e106fb15cf34e77ba234
SHA51236ed3062ce7d7305bc4cf8a8e10752ed3c05fc41fd2538a990fcd3c6de562b9cb59cd13e7d6244e105d04af4efb6002304f02f5849bdc01e164badd544d42874
-
C:\ProgramData\USOSharedUSOPrivate-type4.6.0.8\USOSharedUSOPrivate-type4.6.0.8.exeFilesize
343.0MB
MD550fd997a6bfdc7d827dbb5a08d7c63a8
SHA1d8d051e27a7cb3150743b02e22e9370a6ccf333f
SHA256253959c7be66b3066ba3979c69187232b33331ab4f68bd729f9ae12c81966d6b
SHA512911d3be570dc1daefd0388d8e40762d80ce1136e09a524b356c86823cfd10a1762526e1dab66b3bba7c230ea0dc469425f8c7a951ce11a89e3bc8f34f35d4563
-
memory/1180-152-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/1180-148-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/1180-151-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/1344-156-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/1344-155-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/1344-154-0x00007FF7E84F0000-0x00007FF7E8A0F000-memory.dmpFilesize
5.1MB
-
memory/3600-144-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/3600-139-0x00000000059F0000-0x0000000005A82000-memory.dmpFilesize
584KB
-
memory/3600-140-0x0000000005990000-0x000000000599A000-memory.dmpFilesize
40KB
-
memory/3600-133-0x0000000000400000-0x000000000075C000-memory.dmpFilesize
3.4MB
-
memory/3600-138-0x0000000005F00000-0x00000000064A4000-memory.dmpFilesize
5.6MB
-
memory/3600-141-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/3600-143-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB
-
memory/3600-142-0x00000000059E0000-0x00000000059F0000-memory.dmpFilesize
64KB