ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857

General

Target

ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe
Size

3.4MB
MD5

c197214dfd6cd7194ba5302b1f76c604
SHA1

82bb39e4e8c3c505c32ece9b73e02dd25c8bc2f2
SHA256

ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857
SHA512

1b4f6bef7c59e06797068645083ebb267d880fc0d0267fa1366de952732b2cb64e2e0f5edbae2d83156908cc749ed6e1619e9fb5502786513e3e02cd3ebcf1d9
SSDEEP

98304:yJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:y8D/yIqlhlW4i/QsnwZzjMSeV6

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exeUSOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exeUSOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

Executes dropped EXE 2 IoCs

Processes:

USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exeUSOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

pid	process
4888	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
1136	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2756 icacls.exe
3616 icacls.exe
2628 icacls.exe

pid	process
2756	icacls.exe
3616	icacls.exe
2628	icacls.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe	upx
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe	upx
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe	upx
behavioral1/memory/4888-155-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx
behavioral1/memory/4888-156-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx
behavioral1/memory/4888-157-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe	upx
behavioral1/memory/1136-160-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx
behavioral1/memory/1136-159-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx
behavioral1/memory/1136-161-0x00007FF647010000-0x00007FF64752F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exeUSOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe

description	pid	process	target process
PID 3560 set thread context of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2556 3560 WerFault.exe ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

684 schtasks.exe

pid	pid_target	process	target process
2556	3560	WerFault.exe	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe

pid	process
684	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exeAppLaunch.exe

description	pid	process	target process
PID 3560 wrote to memory of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe
PID 3560 wrote to memory of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe
PID 3560 wrote to memory of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe
PID 3560 wrote to memory of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe
PID 3560 wrote to memory of 2160	3560	ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe	AppLaunch.exe
PID 2160 wrote to memory of 2756	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 2756	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 2756	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 3616	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 3616	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 3616	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 2628	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 2628	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 2628	2160	AppLaunch.exe	icacls.exe
PID 2160 wrote to memory of 684	2160	AppLaunch.exe	schtasks.exe
PID 2160 wrote to memory of 684	2160	AppLaunch.exe	schtasks.exe
PID 2160 wrote to memory of 684	2160	AppLaunch.exe	schtasks.exe
PID 2160 wrote to memory of 4888	2160	AppLaunch.exe	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
PID 2160 wrote to memory of 4888	2160	AppLaunch.exe	USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe

C:\Users\Admin\AppData\Local\Temp\ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe
"C:\Users\Admin\AppData\Local\Temp\ad9d35e287924a270d35465910be280dddba17a1415d416e89d6b49005078857.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2756

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:3616

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:2628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2" /TR "C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:684

C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
"C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 308
2⤵
- Program crash
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3560 -ip 3560
1⤵
PID:1988

C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:1136

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Filesize
613.1MB

MD5
662f3ba433f93d9d30cb0af9479c4d70

SHA1
4db1eeac27a6d335acd796cd73254c1474358304

SHA256
adf0070e7ea68a1c065957318b0d478d033cac45d5031994f5debddc9bd92236

SHA512
2278af5323a6b2ba94e8947ed24eda3a44af6236ee6e909d51b801db188f7ec32f791f53f4185269e14eb6458d5cadb335331e0da53c475e64ca63c1a8109920

Download Submit
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Filesize
567.4MB

MD5
c79df88df4d10702c0c6b88c87217eb2

SHA1
d05a35ebbf6348931637232cc4892053748e98bc

SHA256
d11f3e4befbd1b6ef1ec4ca2cbf8e7a2a0c38a53172ebb3e9204fe169de14157

SHA512
255a2250da27393da72df24add34e3abdd8049416a3e2663dcba7fda054a04cc5cc17c594944bfe5c44a043324bcfa398c3109a89c73d81f7b956f83080bcf4b

Download Submit
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Filesize
587.1MB

MD5
bff29c422fa60c518dd439876383e068

SHA1
cc25810fa82f2bfbd29346b572ea4d4d78b023a0

SHA256
89706fd7e0a9afca5e631520af3c88b3ac53679c9d64fde92b6b9afadb2ba5d0

SHA512
1da5481fc5838a20f1143aa4300c556df38388bf4bc4fe2c2f2377846a507ae835f9aa76dd81f9afc07b3f3aed2966981d6890ea2c5fdccbe23555341368b3b6

Download Submit
C:\ProgramData\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2\USOSharedMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-type8.3.0.2.exe
Filesize
314.4MB

MD5
1d320aace97d7c6c6fea0e94033264c2

SHA1
a2aa96e5fa69ee8b93debd41d77f1ea38719ce02

SHA256
ba0d166c66eb5c80d4d9a5a8e5e1d5debbbda1701ef4e7e2a77638ca0fedf191

SHA512
35721a98966cacccedcc6f8dc844a54acaad53081d4b430b026c064c89b2d51ed31fa4fe3d0cfd445f8b5d0e366b87501a7fe5f5eaf5a12e2857a85acc676bae

Download Submit
memory/1136-161-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download
memory/1136-159-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download
memory/1136-160-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download
memory/2160-141-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2160-144-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2160-143-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2160-142-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/2160-133-0x0000000000600000-0x000000000095C000-memory.dmp

Filesize
3.4MB

Download
memory/2160-140-0x0000000004D50000-0x0000000004D5A000-memory.dmp

Filesize
40KB

Download
memory/2160-139-0x0000000004E10000-0x0000000004EA2000-memory.dmp

Filesize
584KB

Download
memory/2160-138-0x0000000005320000-0x00000000058C4000-memory.dmp

Filesize
5.6MB

Download
memory/4888-155-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download
memory/4888-156-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download
memory/4888-157-0x00007FF647010000-0x00007FF64752F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads