Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
28-03-2023 06:00
General
-
Target
9207ab2a3c6535602da48fa9acf4c621f73ec83de33c706bd90cfd3c6af66f46.exe
-
Size
3.4MB
-
MD5
983273e5eafcda86d2a5e566d3563862
-
SHA1
fb0a250df1c52ff6997933b57d5c72b8f6de3408
-
SHA256
9207ab2a3c6535602da48fa9acf4c621f73ec83de33c706bd90cfd3c6af66f46
-
SHA512
bbf06ffe5e7e42ec882ecba11356b1073fa86c75f467a23b41d603c237e6dc7f893d417a403c8ed84936e34b7188e2ac5341d822faac2b2985bbff134a99cb14
-
SSDEEP
98304:NJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRVq:N8D/yIqlhlW4i/QsnwZzjMSeVq
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9207ab2a3c6535602da48fa9acf4c621f73ec83de33c706bd90cfd3c6af66f46.exe"C:\Users\Admin\AppData\Local\Temp\9207ab2a3c6535602da48fa9acf4c621f73ec83de33c706bd90cfd3c6af66f46.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\AdobeDocuments-type4.8.8.6" /inheritance:e /deny "admin:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6" /TR "C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe" /SC MINUTE3⤵
- Creates scheduled task(s)
-
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe"C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1402⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1884 -ip 18841⤵
-
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exeC:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exeFilesize
716.3MB
MD5a07a631dc4cc4c603b65f75ed394cc67
SHA1ba0c10a300394ab6ee7cf242e23e7ba43aef9a1f
SHA256f9c1109d7df2b4e3b687ca1cb20ca3ca7f33384b25185a89eba0bfa074361f5b
SHA5125abd2e740e16fbc08a10a9b384662c234a0bbb8b563678f44f19987c00461490638c1186c4358cde5609b88d1e23bea0bfc352b8f237f65e96368cc0e92d4d15
-
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exeFilesize
716.3MB
MD5a07a631dc4cc4c603b65f75ed394cc67
SHA1ba0c10a300394ab6ee7cf242e23e7ba43aef9a1f
SHA256f9c1109d7df2b4e3b687ca1cb20ca3ca7f33384b25185a89eba0bfa074361f5b
SHA5125abd2e740e16fbc08a10a9b384662c234a0bbb8b563678f44f19987c00461490638c1186c4358cde5609b88d1e23bea0bfc352b8f237f65e96368cc0e92d4d15
-
C:\ProgramData\AdobeDocuments-type4.8.8.6\AdobeDocuments-type4.8.8.6.exeFilesize
621.9MB
MD56791f84da9b5720d09501baaa25cf20c
SHA13d680d1a9020e5db1f8c1d4f5f851ed231680978
SHA2568284d9c8e2ce693226061f8c19492d30feea45c893a156fc1ab6615ebeb93339
SHA5121c876c52006486d13af44fc24bbb142a1093bd6a03ca6d822261f1d4185424c0b7d393c9b1ff8675b026a4dae1c1a684e0e81a2f22ec757fe5ab119183d346d4
-
memory/448-141-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/448-138-0x0000000005570000-0x0000000005B14000-memory.dmpFilesize
5.6MB
-
memory/448-142-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/448-143-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/448-144-0x0000000005270000-0x0000000005280000-memory.dmpFilesize
64KB
-
memory/448-140-0x0000000004FF0000-0x0000000004FFA000-memory.dmpFilesize
40KB
-
memory/448-139-0x0000000005060000-0x00000000050F2000-memory.dmpFilesize
584KB
-
memory/448-133-0x0000000000400000-0x000000000075C000-memory.dmpFilesize
3.4MB
-
memory/2228-150-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/2228-152-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/2228-154-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/2228-153-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/4536-156-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/4536-157-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB
-
memory/4536-158-0x00007FF721990000-0x00007FF721EAF000-memory.dmpFilesize
5.1MB