449adac1f0940043f26ab1a8b91748360b4d7d9759108d3db6669edd758129cb

General

Target

c5d71dbbbc50db8c2762835e83e0bd9c.exe
Size

5.6MB
MD5

c5d71dbbbc50db8c2762835e83e0bd9c
SHA1

e266d9870fcf13d7072e9e7a6a881a239ac0c523
SHA256

449adac1f0940043f26ab1a8b91748360b4d7d9759108d3db6669edd758129cb
SHA512

4ff07f801849131e621f7fa605c4215f3bd1c4229e1de99b23f3fc7c07c0a798935cb590fa9ea0b9fee1422f771198bbb84a58ad128743e7e90580fb29304bdc
SSDEEP

98304:H7nk+M3jECnNQJkMn33Mbz0Hy5SF+EaIFKedyFY1+EgYO6wLujDo8E+7LtJqfjXC:YLzhMCpQ+1edyePg969JTEX6NZ

Score

9^/10

evasion persistence trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

c5d71dbbbc50db8c2762835e83e0bd9c.exeDesktopFavorites-tupe0.4.9.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	c5d71dbbbc50db8c2762835e83e0bd9c.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DesktopFavorites-tupe0.4.9.2.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5d71dbbbc50db8c2762835e83e0bd9c.exeDesktopFavorites-tupe0.4.9.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	c5d71dbbbc50db8c2762835e83e0bd9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	c5d71dbbbc50db8c2762835e83e0bd9c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DesktopFavorites-tupe0.4.9.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DesktopFavorites-tupe0.4.9.2.exe

Executes dropped EXE 1 IoCs

Processes:

DesktopFavorites-tupe0.4.9.2.exe

pid process

832 DesktopFavorites-tupe0.4.9.2.exe
Loads dropped DLL 2 IoCs

Processes:

c5d71dbbbc50db8c2762835e83e0bd9c.exe

pid process

1740 c5d71dbbbc50db8c2762835e83e0bd9c.exe
1740 c5d71dbbbc50db8c2762835e83e0bd9c.exe

pid	process
832	DesktopFavorites-tupe0.4.9.2.exe

pid	process
1740	c5d71dbbbc50db8c2762835e83e0bd9c.exe
1740	c5d71dbbbc50db8c2762835e83e0bd9c.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1740-55-0x000000013F2C0000-0x000000013FB51000-memory.dmp	upx
behavioral1/memory/1740-54-0x000000013F2C0000-0x000000013FB51000-memory.dmp	upx
behavioral1/memory/1740-56-0x000000013F2C0000-0x000000013FB51000-memory.dmp	upx
behavioral1/memory/1740-58-0x000000013F2C0000-0x000000013FB51000-memory.dmp	upx
\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe	upx
C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe	upx
behavioral1/memory/1740-66-0x000000013F2C0000-0x000000013FB51000-memory.dmp	upx
C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe	upx
\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe	upx
behavioral1/memory/832-69-0x000000013FEE0000-0x0000000140771000-memory.dmp	upx
behavioral1/memory/832-68-0x000000013FEE0000-0x0000000140771000-memory.dmp	upx
behavioral1/memory/832-70-0x000000013FEE0000-0x0000000140771000-memory.dmp	upx
behavioral1/memory/832-71-0x000000013FEE0000-0x0000000140771000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

c5d71dbbbc50db8c2762835e83e0bd9c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	c5d71dbbbc50db8c2762835e83e0bd9c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopFavorites-tupe0.4.9.2 = "C:\\ProgramData\\DesktopFavorites-tupe0.4.9.2\\DesktopFavorites-tupe0.4.9.2.exe"	c5d71dbbbc50db8c2762835e83e0bd9c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DesktopFavorites-tupe0.4.9.2.exec5d71dbbbc50db8c2762835e83e0bd9c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DesktopFavorites-tupe0.4.9.2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	c5d71dbbbc50db8c2762835e83e0bd9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

c5d71dbbbc50db8c2762835e83e0bd9c.exe

description	pid	process	target process
PID 1740 wrote to memory of 832	1740	c5d71dbbbc50db8c2762835e83e0bd9c.exe	DesktopFavorites-tupe0.4.9.2.exe
PID 1740 wrote to memory of 832	1740	c5d71dbbbc50db8c2762835e83e0bd9c.exe	DesktopFavorites-tupe0.4.9.2.exe
PID 1740 wrote to memory of 832	1740	c5d71dbbbc50db8c2762835e83e0bd9c.exe	DesktopFavorites-tupe0.4.9.2.exe

C:\Users\Admin\AppData\Local\Temp\c5d71dbbbc50db8c2762835e83e0bd9c.exe
"C:\Users\Admin\AppData\Local\Temp\c5d71dbbbc50db8c2762835e83e0bd9c.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1740

C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
"C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:832

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
Filesize
486.9MB

MD5
d4df27a1ce1a43496c7138eb46ce87af

SHA1
e0d1945aceb99240117efdbdf43140cb9b500bb0

SHA256
c3ce93d96208167f336cca0b6837a72673a64cc527ffb0594e8b9d0cc5ba4460

SHA512
78b03316d96d6f9374fea18e02a2de94fb4083f70c524e21f6931d99b41f2bebc2afe3746ee0de00cd4ec8dbc81b2427b54badb3a7f96f8f4a8a6117ced874e8

Download Submit
C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
Filesize
557.1MB

MD5
db3caac8c76c84c7b9ed22d7235f6ce8

SHA1
669ecfeb186623ccb620cd8380864abf953c2669

SHA256
7b5cff90424924e95c0f74445632dbe5a47f6592a1f1cca9f42eb494005710f0

SHA512
f5d58000274b811d7cbd91a7f404ce51b7a78531174a7ad19d4b06d7f7f2bef8280922da929404038c2b8c043586ac99b5ebed5696b751e8f7988b54a8425469

Download Submit
\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
Filesize
522.3MB

MD5
6cd82685584c68a1290d28084dab7047

SHA1
83c73823497d7974a254da411f8d794e135d6ec5

SHA256
cb675b41cda5742e5304cb60ff21597b350a80e2193aa3b3cb1cdc6da4676d34

SHA512
819b86e95dbd2a25faf0ea44312873e373eda19e4e29a633bb32c3c4085d9ccaaf85a7ba33e49ccf9e376401ea40fe3971b32872a90377a358cff508db226878

Download Submit
\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
Filesize
564.2MB

MD5
e13bd0614e6e2a161d2ddc3e23cae9c0

SHA1
6e588718c41a607db821170d96a8cfc386d7af40

SHA256
27e7ac5b2df425ee573e34dc14eb1a11b5e989ae8a46c54cf836603249a4d91d

SHA512
8442e8521cffa5f912cbc443068195bfd88422be70f81f5f099e74cfbbf98df8a74cb50af91ed167512feaf79640443c363d49e6fb90464188b0df2f8572b4a3

Download Submit
memory/832-71-0x000000013FEE0000-0x0000000140771000-memory.dmp

Filesize
8.6MB

Download
memory/832-70-0x000000013FEE0000-0x0000000140771000-memory.dmp

Filesize
8.6MB

Download
memory/832-68-0x000000013FEE0000-0x0000000140771000-memory.dmp

Filesize
8.6MB

Download
memory/832-69-0x000000013FEE0000-0x0000000140771000-memory.dmp

Filesize
8.6MB

Download
memory/1740-58-0x000000013F2C0000-0x000000013FB51000-memory.dmp

Filesize
8.6MB

Download
memory/1740-66-0x000000013F2C0000-0x000000013FB51000-memory.dmp

Filesize
8.6MB

Download
memory/1740-55-0x000000013F2C0000-0x000000013FB51000-memory.dmp

Filesize
8.6MB

Download
memory/1740-56-0x000000013F2C0000-0x000000013FB51000-memory.dmp

Filesize
8.6MB

Download
memory/1740-54-0x000000013F2C0000-0x000000013FB51000-memory.dmp

Filesize
8.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads