17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269

General

Target

17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe
Size

3.4MB
MD5

b21383166d61746164058b74fc4175a1
SHA1

99534e63ab00a3d97afa6bc3dbd05d0c3ce11585
SHA256

17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269
SHA512

383175653ad4770c1956c0e218dbffb546719bf383c590413a66436a32def85005c37c50924272afe8e375df0c16e21361ff80b3598cab433c2331dcf27e2d15
SSDEEP

98304:kJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRVq:k8D/yIqlhlW4i/QsnwZzjMSeVq

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

Executes dropped EXE 2 IoCs

Processes:

Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

pid process

844 Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
3344 Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2792 icacls.exe
2956 icacls.exe
1880 icacls.exe

pid	process
844	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
3344	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

pid	process
2792	icacls.exe
2956	icacls.exe
1880	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe	upx
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe	upx
behavioral1/memory/844-152-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
behavioral1/memory/844-153-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
behavioral1/memory/844-154-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
behavioral1/memory/844-155-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe	upx
behavioral1/memory/3344-158-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
behavioral1/memory/3344-159-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx
behavioral1/memory/3344-160-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exeMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe

description	pid	process	target process
PID 1500 set thread context of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3360 1500 WerFault.exe 17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3476 schtasks.exe

pid	pid_target	process	target process
3360	1500	WerFault.exe	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe

pid	process
3476	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exeAppLaunch.exe

description	pid	process	target process
PID 1500 wrote to memory of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe
PID 1500 wrote to memory of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe
PID 1500 wrote to memory of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe
PID 1500 wrote to memory of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe
PID 1500 wrote to memory of 4248	1500	17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe	AppLaunch.exe
PID 4248 wrote to memory of 2792	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 2792	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 2792	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 2956	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 2956	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 2956	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 1880	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 1880	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 1880	4248	AppLaunch.exe	icacls.exe
PID 4248 wrote to memory of 3476	4248	AppLaunch.exe	schtasks.exe
PID 4248 wrote to memory of 3476	4248	AppLaunch.exe	schtasks.exe
PID 4248 wrote to memory of 3476	4248	AppLaunch.exe	schtasks.exe
PID 4248 wrote to memory of 844	4248	AppLaunch.exe	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
PID 4248 wrote to memory of 844	4248	AppLaunch.exe	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe

C:\Users\Admin\AppData\Local\Temp\17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe
"C:\Users\Admin\AppData\Local\Temp\17e923ccb022bfb35484861031c3cf547a55b949df5e821c2edd22e64862d269.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2792

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2956

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:1880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:3476

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 312
2⤵
- Program crash
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1500 -ip 1500
1⤵
PID:3924

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Filesize
652.2MB

MD5
caf0ea6fbfb63150fa9f74cc65e45bff

SHA1
6705958ce96d2b03a977e7e7e5443531a55e3567

SHA256
97f4fcc3aae63101ec71f58811aebb905e2804cd8192b3815935349b9b392e88

SHA512
49045049b507d1cb001dfc8f2501192075ae3befc1b315b3eb3f8bcd4e404d6d84fcf3429138ec3cd51cdc7261550b98beb4ea4227a4d25d217254fd785c96e5

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Filesize
793.0MB

MD5
33043124ec61089caa2c79d1b8cbf9dd

SHA1
ec41b801b7d9eb84bd8f03104b7d991df7b54096

SHA256
dedb08d36ad2b0ce22139d361ed1a5fefe4d47b3f3728411a4f0fd1162af7b68

SHA512
e752dce4d7d72f1e3074c7b01847f16cce04c9fd184a2747758a3e57dc123df0206f4e844f9b3d723acf3df4f24d1d5f84b32c252607f25f1ed38344e0c60c2e

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38ssh-type2.6.9.8.exe
Filesize
498.5MB

MD5
e0502144c283b9766d12b29a7a421964

SHA1
6963355201cf6ef6ab0f26be12435cf8903a0303

SHA256
b27a1013b1643f4fc6d7657e61304719dd35de35781eb0da7a65aef2b7245317

SHA512
c421367fe89f36a28e4d89aca925d7d0ed42789bd27d18671dc6a5c5a0d992b81570aac72d8d4a421fe1381b46d3e6f11df0dd4dc16bfea21b952c110b215d6b

Download Submit
memory/844-154-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/844-155-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/844-156-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/844-153-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/844-152-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/3344-158-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/3344-159-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/3344-160-0x00007FF7902F0000-0x00007FF79080F000-memory.dmp

Filesize
5.1MB

Download
memory/4248-140-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/4248-139-0x00000000054B0000-0x0000000005542000-memory.dmp

Filesize
584KB

Download
memory/4248-144-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4248-143-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4248-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/4248-141-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4248-142-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/4248-138-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads