Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 04:25
- Static task: static1
General
- Target: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe
- Size: 3.4MB
- MD5: 8f7c72d1e3e11bdfd0a629c383115d2f
- SHA1: a3c168b628860418447f193eef699780edffec3f
- SHA256: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d
- SHA512: f9148affeefdeeb2766f83d4b72585ecb5b4989fa0feffe45a2d107752aac27e5d26c74cabe009ecbefe5cb9fccf101864753a9d2c91f649358fe67317e18505
- SSDEEP: 98304:ZJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:Z8D/yIqlhlW4i/QsnwZzjMSeV6
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  Processes: SoftwareDistributionPackages-type4.8.8.3.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: SoftwareDistributionPackages-type4.8.8.3.exe)

- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: SoftwareDistributionPackages-type4.8.8.3.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: SoftwareDistributionPackages-type4.8.8.3.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: SoftwareDistributionPackages-type4.8.8.3.exe)

- Executes dropped EXE (1 IoCs)
  Processes: SoftwareDistributionPackages-type4.8.8.3.exe
    pid 3536: SoftwareDistributionPackages-type4.8.8.3.exe

- Modifies file permissions (1 TTPs, 3 IoCs)
  Processes: icacls.exe, icacls.exe, icacls.exe
    pid 724: icacls.exe
    pid 1888: icacls.exe
    pid 4152: icacls.exe

- YARA rule matches (yara_rule: upx)
  Resources:
    C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe (upx, matched 3 times)
    behavioral1/memory/3536-154-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp (upx)
    behavioral1/memory/3536-155-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp (upx)
    behavioral1/memory/3536-156-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp (upx)
    behavioral1/memory/3536-157-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp (upx)

- Checks whether UAC is enabled
  Processes: SoftwareDistributionPackages-type4.8.8.3.exe
    Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: SoftwareDistributionPackages-type4.8.8.3.exe)

- Suspicious use of SetThreadContext (1 IoCs)
  Processes: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe
    PID 1512 set thread context of 3528: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe -> AppLaunch.exe

- Program crash (1 IoCs)
  Processes: WerFault.exe
    pid 1284 (pid_target 1512): WerFault.exe -> e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe, AppLaunch.exe
    PID 1512 wrote to memory of 3528: e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe -> AppLaunch.exe (5 entries)
    PID 3528 wrote to memory of 4152: AppLaunch.exe -> icacls.exe (3 entries)
    PID 3528 wrote to memory of 724: AppLaunch.exe -> icacls.exe (3 entries)
    PID 3528 wrote to memory of 1888: AppLaunch.exe -> icacls.exe (3 entries)
    PID 3528 wrote to memory of 2184: AppLaunch.exe -> schtasks.exe (3 entries)
    PID 3528 wrote to memory of 3536: AppLaunch.exe -> SoftwareDistributionPackages-type4.8.8.3.exe (2 entries)
Processes (indented by depth in the process tree)

- C:\Users\Admin\AppData\Local\Temp\e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d21b630a24aa7d2ef7b24c27942d9ffa14d7f258df75839a572970b77d019d.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      Signatures: Modifies file permissions

    - C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      Signatures: Modifies file permissions

    - C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      Signatures: Modifies file permissions

    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /CREATE /TN "SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3" /TR "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe" /SC MINUTE
      Signatures: Creates scheduled task(s)

    - C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
      Command line: "C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      Signatures: Identifies VirtualBox via ACPI registry values (likely anti-VM); Checks BIOS information in registry; Executes dropped EXE; Checks whether UAC is enabled

  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1512 -s 308
    Signatures: Program crash

- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1512 -ip 1512

- C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
  Command line: C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
  Filesize: 693.1MB
  MD5: 9dda99b8e6dc1b155e7124997f155004
  SHA1: 00e019ce31165161df2af78d94659fad5a21dc73
  SHA256: 5c79ffaeecc4e491185558e48dd1b99a793d6de9153b2344759671a6fe04614a
  SHA512: c8f8ad408b2e1aedbb82ae67655ce29accaafb96f53b0379538d63face7738b424a0140020096c9e51663d3e0518364490b2975e607a12d1db001e69e909a38b

- C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
  Filesize: 700.0MB
  MD5: 8f1b957282e7ef9302cc0230d1c39ab7
  SHA1: e51cd80c09449106574e91e74509c3e5c51e176e
  SHA256: 6e82a49debcb263c7c357634b50be42f0eb1d2ab6c402217ac07cf0f7497d1de
  SHA512: 14ff54f05153c754a873e2a8011f23256503a6fffd78ea716a062ac105e66f9330e9a44c3a35cbfe23cb96e40a73aed4e15582dce2f07e04da94b55a8930166b

- C:\ProgramData\SoftwareDistributionPackages-type4.8.8.3\SoftwareDistributionPackages-type4.8.8.3.exe
  Filesize: 690.6MB
  MD5: 416a88aa82a5aa86c8528a40871c6013
  SHA1: 701a1bdc845b1149e48925c029940f933de3824c
  SHA256: aa4189d6bfcc3c8d51d70ae68638a58dd5dce2458224cd2450826e4633ec7e2f
  SHA512: 34f19b828def232aed659ed991582fbf13d1460066f5cec80a1600218ea3452452d206e85b7396bb9c0c39e8d279503a0768cfad283d5d3e22f316c81bed211f

- memory/3528-140-0x0000000005580000-0x000000000558A000-memory.dmp
  Filesize: 40KB

- memory/3528-141-0x0000000005650000-0x0000000005660000-memory.dmp
  Filesize: 64KB

- memory/3528-142-0x0000000005650000-0x0000000005660000-memory.dmp
  Filesize: 64KB

- memory/3528-143-0x0000000005650000-0x0000000005660000-memory.dmp
  Filesize: 64KB

- memory/3528-144-0x0000000005650000-0x0000000005660000-memory.dmp
  Filesize: 64KB

- memory/3528-133-0x0000000000400000-0x000000000075C000-memory.dmp
  Filesize: 3.4MB

- memory/3528-139-0x00000000054A0000-0x0000000005532000-memory.dmp
  Filesize: 584KB

- memory/3528-138-0x0000000005B20000-0x00000000060C4000-memory.dmp
  Filesize: 5.6MB

- memory/3536-154-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp
  Filesize: 5.1MB

- memory/3536-155-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp
  Filesize: 5.1MB

- memory/3536-156-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp
  Filesize: 5.1MB

- memory/3536-157-0x00007FF7102B0000-0x00007FF7107CF000-memory.dmp
  Filesize: 5.1MB