34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc

General

Target

34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe
Size

3.4MB
MD5

7091d94999f271f0368e3dadaa9df71b
SHA1

a1f0bd53b03f42a47ff96f99fd6cc3a01770b6a7
SHA256

34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc
SHA512

a921ea110d932d94063796c6969bc1fc206f33d015a1e88018b3843064293d08bb0fd0ae1e6bd4c6cb9b7739270ecc6ea89d0554e23f1a30cef9d2bf353435a8
SSDEEP

98304:RJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:R8D/yIqlhlW4i/QsnwZzjMSeV6

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Executes dropped EXE 2 IoCs

pid	Process
4204	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
1020	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2844	icacls.exe
1880	icacls.exe
4316	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023121-149.dat	upx
behavioral1/files/0x000a000000023121-150.dat	upx
behavioral1/memory/4204-152-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/memory/4204-153-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/memory/4204-154-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/memory/4204-155-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/files/0x000a000000023121-156.dat	upx
behavioral1/memory/1020-157-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/memory/1020-160-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx
behavioral1/memory/1020-161-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 380 set thread context of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1784	380	WerFault.exe	81

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3060	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83
PID 380 wrote to memory of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83
PID 380 wrote to memory of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83
PID 380 wrote to memory of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83
PID 380 wrote to memory of 2044	380	34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe	83
PID 2044 wrote to memory of 4316	2044	AppLaunch.exe	92
PID 2044 wrote to memory of 4316	2044	AppLaunch.exe	92
PID 2044 wrote to memory of 4316	2044	AppLaunch.exe	92
PID 2044 wrote to memory of 2844	2044	AppLaunch.exe	94
PID 2044 wrote to memory of 2844	2044	AppLaunch.exe	94
PID 2044 wrote to memory of 2844	2044	AppLaunch.exe	94
PID 2044 wrote to memory of 1880	2044	AppLaunch.exe	95
PID 2044 wrote to memory of 1880	2044	AppLaunch.exe	95
PID 2044 wrote to memory of 1880	2044	AppLaunch.exe	95
PID 2044 wrote to memory of 3060	2044	AppLaunch.exe	96
PID 2044 wrote to memory of 3060	2044	AppLaunch.exe	96
PID 2044 wrote to memory of 3060	2044	AppLaunch.exe	96
PID 2044 wrote to memory of 4204	2044	AppLaunch.exe	100
PID 2044 wrote to memory of 4204	2044	AppLaunch.exe	100

C:\Users\Admin\AppData\Local\Temp\34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe
"C:\Users\Admin\AppData\Local\Temp\34a6bee05ae1cd4867079eecfc851ce0780fd808889b403c5e3bcbe6d38a9adc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:4316
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:2844
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1880
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7" /TR "C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:3060
- - C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
    "C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 308
  2⤵
  - Program crash
  PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 380
1⤵
PID:724

C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

File and Directory Permissions Modification

1

T1222

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Filesize
721.3MB

MD5
7792445dc669df8d8ea31beb33673045

SHA1
80eafc4da1756d9eb5597d18ba7224987599f775

SHA256
6315fbcc0b5731e4f19ef029cc249e14061e6497c2b5217321360f8085b9616c

SHA512
4f48520e2cdc09a0f15d5021a5f8841d3c67bb406097d8f4083362c0af9b34a9b03d44e7fcc88c9f295b5a71bc960634f9c3ebd662e5b72ab4e8548846830abb

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Filesize
721.3MB

MD5
7792445dc669df8d8ea31beb33673045

SHA1
80eafc4da1756d9eb5597d18ba7224987599f775

SHA256
6315fbcc0b5731e4f19ef029cc249e14061e6497c2b5217321360f8085b9616c

SHA512
4f48520e2cdc09a0f15d5021a5f8841d3c67bb406097d8f4083362c0af9b34a9b03d44e7fcc88c9f295b5a71bc960634f9c3ebd662e5b72ab4e8548846830abb

Download Submit
C:\ProgramData\regid.1991-06.com.microsoftUSOShared-type3.3.3.7\regid.1991-06.com.microsoftUSOShared-type3.3.3.7.exe

Filesize
605.8MB

MD5
3ea5f2b0f6aa685a354c32d17986cd85

SHA1
0ee65004fd51dd0db83b5fed0412f8b1da29f5bf

SHA256
7f7e66228ee79e1867715c267bf3ee53960fa7fe56f786578b9c072287aa4896

SHA512
7e851f8b8ac88d4a95db6a283108e2ffaa7b3e5e9a91db96b9f14fd968b023580fee9383288abc49488f2287929821278297ea12080f637fb08f9be2d99b9fbf

Download Submit
memory/1020-161-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/1020-160-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/1020-157-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/2044-141-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2044-144-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2044-143-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2044-142-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/2044-133-0x0000000000D00000-0x000000000105C000-memory.dmp

Filesize
3.4MB

Download
memory/2044-140-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/2044-139-0x0000000005630000-0x00000000056C2000-memory.dmp

Filesize
584KB

Download
memory/2044-138-0x0000000005CC0000-0x0000000006264000-memory.dmp

Filesize
5.6MB

Download
memory/4204-152-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/4204-153-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/4204-154-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download
memory/4204-155-0x00007FF73BA90000-0x00007FF73BFAF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads