Analysis

max time kernel:  145s
max time network: 34s
platform:         windows7_x64
resource:         win7-20230220-en
resource tags:    arch:x64  arch:x86  image:win7-20230220-en  locale:en-us  os:windows7-x64  system
submitted:        20-03-2023 20:55
Behavioral task: behavioral1
  Sample:   c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Resource: win10v2004-20230220-en
General

Target: c5d71dbbbc50db8c2762835e83e0bd9c.exe
Size:   5.6MB
MD5:    c5d71dbbbc50db8c2762835e83e0bd9c
SHA1:   e266d9870fcf13d7072e9e7a6a881a239ac0c523
SHA256: 449adac1f0940043f26ab1a8b91748360b4d7d9759108d3db6669edd758129cb
SHA512: 4ff07f801849131e621f7fa605c4215f3bd1c4229e1de99b23f3fc7c07c0a798935cb590fa9ea0b9fee1422f771198bbb84a58ad128743e7e90580fb29304bdc
SSDEEP: 98304:H7nk+M3jECnNQJkMn33Mbz0Hy5SF+EaIFKedyFY1+EgYO6wLujDo8E+7LtJqfjXC:YLzhMCpQ+1edyePg969JTEX6NZ
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  2 IoCs
Processes: c5d71dbbbc50db8c2762835e83e0bd9c.exe, DesktopFavorites-tupe0.4.9.2.exe
  description  ioc                                          process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  DesktopFavorites-tupe0.4.9.2.exe

Checks BIOS information in registry  2 TTPs  4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: c5d71dbbbc50db8c2762835e83e0bd9c.exe, DesktopFavorites-tupe0.4.9.2.exe
  description        ioc                                                            process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  DesktopFavorites-tupe0.4.9.2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   DesktopFavorites-tupe0.4.9.2.exe

Executes dropped EXE  1 IoCs
Processes: DesktopFavorites-tupe0.4.9.2.exe
  pid  process
  832  DesktopFavorites-tupe0.4.9.2.exe

Loads dropped DLL  2 IoCs
Processes: c5d71dbbbc50db8c2762835e83e0bd9c.exe
  pid   process
  1740  c5d71dbbbc50db8c2762835e83e0bd9c.exe
  1740  c5d71dbbbc50db8c2762835e83e0bd9c.exe

Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1740-55-0x000000013F2C0000-0x000000013FB51000-memory.dmp  upx
  behavioral1/memory/1740-54-0x000000013F2C0000-0x000000013FB51000-memory.dmp  upx
  behavioral1/memory/1740-56-0x000000013F2C0000-0x000000013FB51000-memory.dmp  upx
  behavioral1/memory/1740-58-0x000000013F2C0000-0x000000013FB51000-memory.dmp  upx
  \ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe    upx
  C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe  upx
  behavioral1/memory/1740-66-0x000000013F2C0000-0x000000013FB51000-memory.dmp  upx
  C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe  upx
  \ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe    upx
  behavioral1/memory/832-69-0x000000013FEE0000-0x0000000140771000-memory.dmp   upx
  behavioral1/memory/832-68-0x000000013FEE0000-0x0000000140771000-memory.dmp   upx
  behavioral1/memory/832-70-0x000000013FEE0000-0x0000000140771000-memory.dmp   upx
  behavioral1/memory/832-71-0x000000013FEE0000-0x0000000140771000-memory.dmp   upx

Adds Run key to start application  2 TTPs  2 IoCs
Processes: c5d71dbbbc50db8c2762835e83e0bd9c.exe
  description      ioc                                                                                                                process
  Key created      \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run          c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\DesktopFavorites-tupe0.4.9.2 = "C:\\ProgramData\\DesktopFavorites-tupe0.4.9.2\\DesktopFavorites-tupe0.4.9.2.exe"  c5d71dbbbc50db8c2762835e83e0bd9c.exe

Checks whether UAC is enabled  2 IoCs
Processes: DesktopFavorites-tupe0.4.9.2.exe, c5d71dbbbc50db8c2762835e83e0bd9c.exe
  description        ioc                                                                          process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  DesktopFavorites-tupe0.4.9.2.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  c5d71dbbbc50db8c2762835e83e0bd9c.exe

Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory  3 IoCs
Processes: c5d71dbbbc50db8c2762835e83e0bd9c.exe
  description                      pid   process                               target process
  PID 1740 wrote to memory of 832  1740  c5d71dbbbc50db8c2762835e83e0bd9c.exe  DesktopFavorites-tupe0.4.9.2.exe
  PID 1740 wrote to memory of 832  1740  c5d71dbbbc50db8c2762835e83e0bd9c.exe  DesktopFavorites-tupe0.4.9.2.exe
  PID 1740 wrote to memory of 832  1740  c5d71dbbbc50db8c2762835e83e0bd9c.exe  DesktopFavorites-tupe0.4.9.2.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\c5d71dbbbc50db8c2762835e83e0bd9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c5d71dbbbc50db8c2762835e83e0bd9c.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory

  - C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe  (child of the process above)
    Command line: "C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
  Filesize: 486.9MB
  MD5:      d4df27a1ce1a43496c7138eb46ce87af
  SHA1:     e0d1945aceb99240117efdbdf43140cb9b500bb0
  SHA256:   c3ce93d96208167f336cca0b6837a72673a64cc527ffb0594e8b9d0cc5ba4460
  SHA512:   78b03316d96d6f9374fea18e02a2de94fb4083f70c524e21f6931d99b41f2bebc2afe3746ee0de00cd4ec8dbc81b2427b54badb3a7f96f8f4a8a6117ced874e8

C:\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
  Filesize: 557.1MB
  MD5:      db3caac8c76c84c7b9ed22d7235f6ce8
  SHA1:     669ecfeb186623ccb620cd8380864abf953c2669
  SHA256:   7b5cff90424924e95c0f74445632dbe5a47f6592a1f1cca9f42eb494005710f0
  SHA512:   f5d58000274b811d7cbd91a7f404ce51b7a78531174a7ad19d4b06d7f7f2bef8280922da929404038c2b8c043586ac99b5ebed5696b751e8f7988b54a8425469

\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
  Filesize: 522.3MB
  MD5:      6cd82685584c68a1290d28084dab7047
  SHA1:     83c73823497d7974a254da411f8d794e135d6ec5
  SHA256:   cb675b41cda5742e5304cb60ff21597b350a80e2193aa3b3cb1cdc6da4676d34
  SHA512:   819b86e95dbd2a25faf0ea44312873e373eda19e4e29a633bb32c3c4085d9ccaaf85a7ba33e49ccf9e376401ea40fe3971b32872a90377a358cff508db226878

\ProgramData\DesktopFavorites-tupe0.4.9.2\DesktopFavorites-tupe0.4.9.2.exe
  Filesize: 564.2MB
  MD5:      e13bd0614e6e2a161d2ddc3e23cae9c0
  SHA1:     6e588718c41a607db821170d96a8cfc386d7af40
  SHA256:   27e7ac5b2df425ee573e34dc14eb1a11b5e989ae8a46c54cf836603249a4d91d
  SHA512:   8442e8521cffa5f912cbc443068195bfd88422be70f81f5f099e74cfbbf98df8a74cb50af91ed167512feaf79640443c363d49e6fb90464188b0df2f8572b4a3

memory/832-71-0x000000013FEE0000-0x0000000140771000-memory.dmp
  Filesize: 8.6MB

memory/832-70-0x000000013FEE0000-0x0000000140771000-memory.dmp
  Filesize: 8.6MB

memory/832-68-0x000000013FEE0000-0x0000000140771000-memory.dmp
  Filesize: 8.6MB

memory/832-69-0x000000013FEE0000-0x0000000140771000-memory.dmp
  Filesize: 8.6MB

memory/1740-58-0x000000013F2C0000-0x000000013FB51000-memory.dmp
  Filesize: 8.6MB

memory/1740-66-0x000000013F2C0000-0x000000013FB51000-memory.dmp
  Filesize: 8.6MB

memory/1740-55-0x000000013F2C0000-0x000000013FB51000-memory.dmp
  Filesize: 8.6MB

memory/1740-56-0x000000013F2C0000-0x000000013FB51000-memory.dmp
  Filesize: 8.6MB

memory/1740-54-0x000000013F2C0000-0x000000013FB51000-memory.dmp
  Filesize: 8.6MB