Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
19-03-2023 02:28
General
-
Target
559343650622dff6f46762a32ff54c03ac8296f700d8914812440af4c9e0a5c0.exe
-
Size
3.4MB
-
MD5
190a6ae730a81c5a672e2d8498e230ff
-
SHA1
1e2457b2a56aafd15424a420813a13f52cda6287
-
SHA256
559343650622dff6f46762a32ff54c03ac8296f700d8914812440af4c9e0a5c0
-
SHA512
946e6b2793e8fa8fb57b16f889b8ba2bf9b8a48d5c2fedd0806db81086d59ff7fd5bce67a623e715329263569b3757442aba49d614a1954cdc998cbc68ea50ec
-
SSDEEP
49152:7r1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVloF:QKvfd94XayMT5sH9M0aS8o9uWyUhHy0
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\559343650622dff6f46762a32ff54c03ac8296f700d8914812440af4c9e0a5c0.exe"C:\Users\Admin\AppData\Local\Temp\559343650622dff6f46762a32ff54c03ac8296f700d8914812440af4c9e0a5c0.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type7.8.1.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type7.8.1.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\sshUSOPrivate-type7.8.1.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7" /TR "C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exe" /SC MINUTE3⤵
- Creates scheduled task(s)
-
C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exe"C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exeC:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exeFilesize
720.7MB
MD50e0d3a934a321177a6673d6eea291164
SHA19c33b1aa32dc5803afa9c6fc5bf53db9902b0796
SHA25636ee42a0b6590fbe9089e665d553baa7ca9f2934cdff854abeb3361af34eefa3
SHA5120c0ba2ed3d98175d70c6c1641553ca73bffd64928a95874fd0a45e92c730c47dac48f181cdef740929562c1147acf63a44177d41132f13eac16805f833c1d3ae
-
C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exeFilesize
720.7MB
MD50e0d3a934a321177a6673d6eea291164
SHA19c33b1aa32dc5803afa9c6fc5bf53db9902b0796
SHA25636ee42a0b6590fbe9089e665d553baa7ca9f2934cdff854abeb3361af34eefa3
SHA5120c0ba2ed3d98175d70c6c1641553ca73bffd64928a95874fd0a45e92c730c47dac48f181cdef740929562c1147acf63a44177d41132f13eac16805f833c1d3ae
-
C:\ProgramData\sshUSOPrivate-type7.8.1.7\sshUSOPrivate-type7.8.1.7.exeFilesize
574.4MB
MD50fb89586d55bfbdc62620e1c373fd011
SHA1e7a34a191915fa77e8eba77a01cb26790afa7477
SHA25651f6ed81b10a5f2c52d6812bb0ebb7efbf31201f7b831af0b1c66b1605382633
SHA51270b990f8bf1f2f79b9bab9a6bc2756f9295cfe310cd2d8d324d4a39a27e1246d52c8d47684cd2f35a134f1dd723ea2fa2905fe7b82b0d8a54fb9ed49b35d6971
-
memory/2184-159-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/2184-158-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/2184-156-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/2976-154-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/2976-152-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/2976-153-0x00007FF645220000-0x00007FF64573F000-memory.dmpFilesize
5.1MB
-
memory/3448-144-0x0000000005640000-0x0000000005650000-memory.dmpFilesize
64KB
-
memory/3448-143-0x0000000005640000-0x0000000005650000-memory.dmpFilesize
64KB
-
memory/3448-142-0x0000000005640000-0x0000000005650000-memory.dmpFilesize
64KB
-
memory/3448-133-0x0000000000400000-0x000000000075C000-memory.dmpFilesize
3.4MB
-
memory/3448-141-0x0000000005640000-0x0000000005650000-memory.dmpFilesize
64KB
-
memory/3448-140-0x0000000002F30000-0x0000000002F3A000-memory.dmpFilesize
40KB
-
memory/3448-139-0x0000000005360000-0x00000000053F2000-memory.dmpFilesize
584KB
-
memory/3448-138-0x0000000005A60000-0x0000000006004000-memory.dmpFilesize
5.6MB