754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9

General

Target

754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe
Size

3.4MB
MD5

328c53fc62c8bd7ba812e0be7b7e2c3e
SHA1

f3b72b25f0cf4e25360d7b9a20388e6c9cb79c3a
SHA256

754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9
SHA512

53d6bcc238a22ae463365ebde0fe550187846bf82250b2c1298f692510bf709c87ddbaed9423eeb514035facc94cffb0fd1e6a1d200efd947d9965b231fabde8
SSDEEP

98304:oST9w80soegcII9U+lVAkWi4D7BDE4Nmmwe:oST9wO1u+lkBQumY

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Executes dropped EXE 2 IoCs

pid	Process
1252	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
2504	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2916	icacls.exe
2692	icacls.exe
3732	icacls.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0009000000023110-149.dat	upx
behavioral1/files/0x0009000000023110-151.dat	upx
behavioral1/files/0x0009000000023110-150.dat	upx
behavioral1/memory/1252-152-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/1252-154-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/1252-155-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/1252-157-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/1252-156-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/1252-158-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/files/0x0009000000023110-159.dat	upx
behavioral1/memory/2504-160-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/2504-162-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx
behavioral1/memory/2504-163-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3984 set thread context of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	3984	WerFault.exe	87

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4832	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91
PID 3984 wrote to memory of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91
PID 3984 wrote to memory of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91
PID 3984 wrote to memory of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91
PID 3984 wrote to memory of 1384	3984	754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe	91
PID 1384 wrote to memory of 2692	1384	AppLaunch.exe	98
PID 1384 wrote to memory of 2692	1384	AppLaunch.exe	98
PID 1384 wrote to memory of 2692	1384	AppLaunch.exe	98
PID 1384 wrote to memory of 3732	1384	AppLaunch.exe	100
PID 1384 wrote to memory of 3732	1384	AppLaunch.exe	100
PID 1384 wrote to memory of 3732	1384	AppLaunch.exe	100
PID 1384 wrote to memory of 2916	1384	AppLaunch.exe	102
PID 1384 wrote to memory of 2916	1384	AppLaunch.exe	102
PID 1384 wrote to memory of 2916	1384	AppLaunch.exe	102
PID 1384 wrote to memory of 4832	1384	AppLaunch.exe	104
PID 1384 wrote to memory of 4832	1384	AppLaunch.exe	104
PID 1384 wrote to memory of 4832	1384	AppLaunch.exe	104
PID 1384 wrote to memory of 1252	1384	AppLaunch.exe	106
PID 1384 wrote to memory of 1252	1384	AppLaunch.exe	106

C:\Users\Admin\AppData\Local\Temp\754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe
"C:\Users\Admin\AppData\Local\Temp\754d764d71e3a59739d454c268f68fcab6ec3b95e6aa15de46f31dfee9a6f4a9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2692
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:3732
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2916
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8" /TR "C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4832
- - C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
    "C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1252
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 164
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3984 -ip 3984
1⤵
PID:3472

C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Filesize
571.1MB

MD5
652d54b45016e6bb2e498aced74667c6

SHA1
ff941e622f9803ce5400898020db8f7f454b4b5e

SHA256
21a2225f886210993ec2f4cd30b53f1b80cc08979e3edf0e53462a6992481f91

SHA512
69810c19fa550ffb2e9dd59ca33b0e932c77e341f85ded8ceaa693d7988fbc633e6fe0ede280ae10ee5250820f5ff6fafb93b20e5b591cc8dde5013b83469ce6

Download Submit
C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Filesize
583.3MB

MD5
33bd033675f374a7de811a2ef288751a

SHA1
01d6fa38bc11c0a4ca5046b31ecd6d26f13a0ade

SHA256
47ed804b10dae12def9651267d335b92046a14188d6d37750d3a6fc4fe4c471e

SHA512
8816a11efcc2410e2978bb214bee51854f8fbb6a95efbcd9f909942de00dd9fbc1dc8db12a65b9ccb18182ccb6e8e8b20cf03c8415ac6d79bee12a1ceb0fe2aa

Download Submit
C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Filesize
564.6MB

MD5
73bf9a5d362363ddac556d5790015151

SHA1
a3ab784f6602137b1743b3f37913aec402638911

SHA256
fc367521dac23090e5bb64420f8f98cd585dcdf7397308a6e078f067392ec4d1

SHA512
e19645c9f500bfe540dc64250701fa8f698ac8753bde41913d4876d1763fd0848197215da84321817f768e3d172e40552909ed2d88bda6d091cde87efd6fa628

Download Submit
C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type7.3.9.8.exe

Filesize
146.7MB

MD5
b198de8c658a147f459527e19efae682

SHA1
0e6d00d04ad73d1bd190447fda82f652ffc96b84

SHA256
8f29b209d69e944317ddc861c66d74080add9f34010a2a81f921417f21bfb03b

SHA512
f8bbe85e3ce266b0f5b07d9f1b8f99405dabcdcb7f102c7d73108fd15099ac662e7614d079778ba8eb14669aaa2184894c0cc7f08c2466dfddc27717fdc821b6

Download Submit
memory/1252-156-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1252-152-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1252-158-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1252-157-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1252-155-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1252-154-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/1384-140-0x0000000004D80000-0x0000000004D8A000-memory.dmp

Filesize
40KB

Download
memory/1384-139-0x0000000004DA0000-0x0000000004E32000-memory.dmp

Filesize
584KB

Download
memory/1384-142-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1384-141-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1384-144-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1384-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/1384-143-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/1384-138-0x0000000005430000-0x00000000059D4000-memory.dmp

Filesize
5.6MB

Download
memory/2504-160-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/2504-162-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download
memory/2504-163-0x00007FF7ADB20000-0x00007FF7AE03F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads