Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 04:25
General
-
Target
e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe
-
Size
3.4MB
-
MD5
8f7c72d1e3e11bdfd0a629c383115d2f
-
SHA1
a3c168b628860418447f193eef699780edffec3f
-
SHA256
e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d
-
SHA512
f9148affeefdeeb2766f83d4b72585ecb5b4989fa0feffe45a2d107752aac27e5d26c74cabe009ecbefe5cb9fccf101864753a9d2c91f649358fe67317e18505
-
SSDEEP
98304:ZJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:Z8D/yIqlhlW4i/QsnwZzjMSeV6
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe"C:\Users\Admin\AppData\Local\Temp\e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3" /TR "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe" /SC MINUTE3⤵
- Creates scheduled task(s)
-
C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe"C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 3082⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1512 -ip 15121⤵
-
C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exeC:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exeFilesize
693.1MB
MD59dda99b8e6dc1b155e7124997f155004
SHA100e019ce31165161df2af78d94659fad5a21dc73
SHA2565c79ffaeecc4e491185558e48dd1b99a793d6de9153b2344759671a6fe04614a
SHA512c8f8ad408b2e1aedbb82ae67655ce29accaafb96f53b0379538d63face7738b424a0140020096c9e51663d3e0518364490b2975e607a12d1db001e69e909a38b
-
C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exeFilesize
700.0MB
MD58f1b957282e7ef9302cc0230d1c39ab7
SHA1e51cd80c09449106574e91e74509c3e5c51e176e
SHA2566e82a49debcb263c7c357634b50be42f0eb1d2ab6c402217ac07cf0f7497d1de
SHA51214ff54f05153c754a873e2a8011f23256503a6fffd78ea716a062ac105e66f9330e9a44c3a35cbfe23cb96e40a73aed4e15582dce2f07e04da94b55a8930166b
-
C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exeFilesize
690.6MB
MD5416a88aa82a5aa86c8528a40871c6013
SHA1701a1bdc845b1149e48925c029940f933de3824c
SHA256aa4189d6bfcc3c8d51d70ae68638a58dd5dce2458224cd2450826e4633ec7e2f
SHA51234f19b828def232aed659ed991582fbf13d1460066f5cec80a1600218ea3452452d206e85b7396bb9c0c39e8d279503a0768cfad283d5d3e22f316c81bed211f
-
memory/3528-140-0x0000000005580000-0x000000000558A000-memory.dmpFilesize
40KB
-
memory/3528-141-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/3528-142-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/3528-143-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/3528-144-0x0000000005650000-0x0000000005660000-memory.dmpFilesize
64KB
-
memory/3528-133-0x0000000000400000-0x000000000075C000-memory.dmpFilesize
3.4MB
-
memory/3528-139-0x00000000054A0000-0x0000000005532000-memory.dmpFilesize
584KB
-
memory/3528-138-0x0000000005B20000-0x00000000060C4000-memory.dmpFilesize
5.6MB
-
memory/3536-154-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmpFilesize
5.1MB
-
memory/3536-155-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmpFilesize
5.1MB
-
memory/3536-156-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmpFilesize
5.1MB
-
memory/3536-157-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmpFilesize
5.1MB