7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd

General

Target

7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe
Size

3.4MB
MD5

fbdd9b9d4305ccbd3d577e28c5a9f069
SHA1

ff95143f04e03257b1a0aba3e2b107339177088e
SHA256

7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd
SHA512

0b7a26b22127f81854f53f7cc169f6910f62dbc9cee4d57b3314aa6368c4ecd4c3c37cd6ac59682d1a4e87bc172bc918b13a5f66d189452c957a1a741380c2e1
SSDEEP

49152:YfIGEciXT1SMTEGUlayCd1XlOrUcwFY92eg6zBCYUFQumEeBAoCuYXMYo3js:vcmEZlaPfUwbYIelzBLU3vqCRs

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Executes dropped EXE 2 IoCs

pid	Process
2804	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
4948	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
228	icacls.exe
2820	icacls.exe
4120	icacls.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001da5e-149.dat	upx
behavioral1/files/0x000500000001da5e-151.dat	upx
behavioral1/files/0x000500000001da5e-150.dat	upx
behavioral1/memory/2804-153-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/memory/2804-154-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/memory/2804-155-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/memory/2804-156-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/files/0x000500000001da5e-157.dat	upx
behavioral1/memory/4948-158-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/memory/4948-159-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx
behavioral1/memory/4948-160-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	1064	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4188	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87
PID 1064 wrote to memory of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87
PID 1064 wrote to memory of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87
PID 1064 wrote to memory of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87
PID 1064 wrote to memory of 2464	1064	7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe	87
PID 2464 wrote to memory of 228	2464	AppLaunch.exe	90
PID 2464 wrote to memory of 228	2464	AppLaunch.exe	90
PID 2464 wrote to memory of 228	2464	AppLaunch.exe	90
PID 2464 wrote to memory of 2820	2464	AppLaunch.exe	92
PID 2464 wrote to memory of 2820	2464	AppLaunch.exe	92
PID 2464 wrote to memory of 2820	2464	AppLaunch.exe	92
PID 2464 wrote to memory of 4120	2464	AppLaunch.exe	94
PID 2464 wrote to memory of 4120	2464	AppLaunch.exe	94
PID 2464 wrote to memory of 4120	2464	AppLaunch.exe	94
PID 2464 wrote to memory of 4188	2464	AppLaunch.exe	95
PID 2464 wrote to memory of 4188	2464	AppLaunch.exe	95
PID 2464 wrote to memory of 4188	2464	AppLaunch.exe	95
PID 2464 wrote to memory of 2804	2464	AppLaunch.exe	98
PID 2464 wrote to memory of 2804	2464	AppLaunch.exe	98

C:\Users\Admin\AppData\Local\Temp\7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe
"C:\Users\Admin\AppData\Local\Temp\7aae499539501b4a1d56a7c9bfda2061968f93fa7fafb83d2f15addafb4e36dd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:228
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2820
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4120
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:4188
- - C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
    "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:2804
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 140
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1064 -ip 1064
1⤵
PID:3936

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Filesize
538.8MB

MD5
87687767e816f63404e4aee242f231a2

SHA1
ac640cd2a9e29105ac69b689e634a5b2a409e2dd

SHA256
b0d42d4835a86e9871186ebecb057e11bf0ded705f630749a4bbbbca900684d6

SHA512
f0623f92f0f88ce5259362599a031a7519f761ff62bec714fc2a81c37bf7447fa9f09df6f63c0dde6c6ea37e936f13a139c5a3b3d053c70f5c584a41281e54d3

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Filesize
559.8MB

MD5
62bfc7819e72621095c1eca22c001262

SHA1
267126b3b311f9ffa268cf03515308f6b3fafb2c

SHA256
0fb6f06c4fab004d17fbfebebaa3323fc7b3526cca53d691822dbf45bda88821

SHA512
2b10835ede79d0fc6c3e42953212bdb5511d54a8ffaa5a1cffc9c6fe22cb31e07f0a5c4b29b43d3ae64197c28099f6a1af89bfbe8e8e5e27adad1d089cd20fa0

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Filesize
543.9MB

MD5
3a6ebb7a2e1999da42741e130b167e80

SHA1
3d918d67a591975ba6119da782736303ad59fe4c

SHA256
04df8e1e5ececa8284eb422095e0798330197a9c33af2d9aea51510215b04ac5

SHA512
b99031ffd59ca6236242d440403e92e71f9eb3ece4dfb9d0becb1c379231a6e9e34783669bf39699a81d6e99e2f0973ff3e2adaeb3f71020612f53224d186cb7

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38regid.1991-06.com.microsoft-type1.9.7.7.exe

Filesize
387.9MB

MD5
0dfca5da3e35b1fa6805b00f0e561d60

SHA1
de43337559c32a8e3e67d3e68d5113497d9ff1ae

SHA256
6e86a6b7f77255eceefd492a581871380cdafaee5d9ea2de8fdbb03b7471b554

SHA512
62111b20375f631f9a22e9f42037ba329ba245ab454fd1a0a3c2f92644aacad5053380483e09d8eadc7ed191a583a8896a27a682773c4a1d44a07f997bfaf0ed

Download Submit
memory/2464-141-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2464-138-0x00000000053A0000-0x0000000005944000-memory.dmp

Filesize
5.6MB

Download
memory/2464-143-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2464-144-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2464-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/2464-140-0x0000000004D40000-0x0000000004D4A000-memory.dmp

Filesize
40KB

Download
memory/2464-139-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/2464-142-0x0000000004DB0000-0x0000000004DC0000-memory.dmp

Filesize
64KB

Download
memory/2804-153-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/2804-155-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/2804-156-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/2804-154-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/4948-158-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/4948-159-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download
memory/4948-160-0x00007FF71C100000-0x00007FF71C61F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads