b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9

General

Target

b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
Size

3.4MB
MD5

63e0898dbf0716369acd4395fe105646
SHA1

62324fe2edac77742878e2b5dc875ad1bfefd015
SHA256

b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9
SHA512

eaa497b514b0e2520c93a85fe4f51b34d55fb3bc629cd1286e6022b379647b16eb703f550e79d814b21bb4dac50602ba445834802aa76dd35bf8b803c81a1dd2
SSDEEP

98304:AJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:A8D/yIqlhlW4i/QsnwZzjMSeV6

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

DocumentsDesktop-type1.1.3.0.exeDocumentsDesktop-type1.1.3.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DocumentsDesktop-type1.1.3.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	DocumentsDesktop-type1.1.3.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DocumentsDesktop-type1.1.3.0.exeDocumentsDesktop-type1.1.3.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DocumentsDesktop-type1.1.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DocumentsDesktop-type1.1.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DocumentsDesktop-type1.1.3.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DocumentsDesktop-type1.1.3.0.exe

Executes dropped EXE 2 IoCs

Processes:

DocumentsDesktop-type1.1.3.0.exeDocumentsDesktop-type1.1.3.0.exe

pid process

2832 DocumentsDesktop-type1.1.3.0.exe
4760 DocumentsDesktop-type1.1.3.0.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

3860 icacls.exe
1424 icacls.exe
948 icacls.exe

pid	process
2832	DocumentsDesktop-type1.1.3.0.exe
4760	DocumentsDesktop-type1.1.3.0.exe

pid	process
3860	icacls.exe
1424	icacls.exe
948	icacls.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe	upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe	upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe	upx
behavioral1/memory/2832-154-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/2832-152-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/2832-155-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/2832-156-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe	upx
behavioral1/memory/4760-158-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/4760-159-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/4760-160-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/4760-161-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx
behavioral1/memory/4760-162-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DocumentsDesktop-type1.1.3.0.exeDocumentsDesktop-type1.1.3.0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DocumentsDesktop-type1.1.3.0.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DocumentsDesktop-type1.1.3.0.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe

description	pid	process	target process
PID 1876 set thread context of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4072 1876 WerFault.exe b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3828 schtasks.exe

pid	pid_target	process	target process
4072	1876	WerFault.exe	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe

pid	process
3828	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exeAppLaunch.exe

description	pid	process	target process
PID 1876 wrote to memory of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe
PID 1876 wrote to memory of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe
PID 1876 wrote to memory of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe
PID 1876 wrote to memory of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe
PID 1876 wrote to memory of 3352	1876	b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe	AppLaunch.exe
PID 3352 wrote to memory of 3860	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 3860	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 3860	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 1424	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 1424	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 1424	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 948	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 948	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 948	3352	AppLaunch.exe	icacls.exe
PID 3352 wrote to memory of 3828	3352	AppLaunch.exe	schtasks.exe
PID 3352 wrote to memory of 3828	3352	AppLaunch.exe	schtasks.exe
PID 3352 wrote to memory of 3828	3352	AppLaunch.exe	schtasks.exe
PID 3352 wrote to memory of 2832	3352	AppLaunch.exe	DocumentsDesktop-type1.1.3.0.exe
PID 3352 wrote to memory of 2832	3352	AppLaunch.exe	DocumentsDesktop-type1.1.3.0.exe

C:\Users\Admin\AppData\Local\Temp\b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
"C:\Users\Admin\AppData\Local\Temp\b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:3860

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:1424

C:\Windows\SysWOW64\icacls.exe
"C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
3⤵
- Modifies file permissions
PID:948

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0" /TR "C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe" /SC MINUTE
3⤵
- Creates scheduled task(s)
PID:3828

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
"C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 300
2⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1876 -ip 1876
1⤵
PID:4932

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

File Permissions Modification

1

T1222

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
600.5MB

MD5
b94fd7fb0431c298a66bbacfe6f50a16

SHA1
f1c44fb092e291d4186347aad4811ac140f3b27f

SHA256
451edc811975289c9bbad1c28a819ddbaf2da600fef17d1b949cb2c50ca14a8d

SHA512
7946fb8bf1e5312f38986a73133edc2e2b3c645250e7743a2724940b26896fe6d4b001f8639cc4023d73f099cdcb7b71aa901ba000322f913d0c2a7b6e97e4a7

Download Submit
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
444.2MB

MD5
bf5c9876befcd4d60dbc1ba5bf968c42

SHA1
404c92f276f9acc025cf3d2d64d97f9f59c831a2

SHA256
e966205e6ede7b584ea36fda52396ee6fbb63b7b9ac8e9f3c730439c9a0ca114

SHA512
e628040fb2e17ca5cb95422b68f604c58580bb31fef370cf0f3c12d8ad596e9e46899aac3c903d8aa238f103b4ce13b9b58d6eb91ff3a569fa2392643010a739

Download Submit
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
569.6MB

MD5
7de247289b7bac0eed28c053f7e45bff

SHA1
eb9f10757c9039d8eb18ca47eade0c7bd2c5fab2

SHA256
f5bfae366b66887409b41e7318a33ec07d17007521ec7a938ea8ff36645bffbd

SHA512
6d23eca98b5c182aaa9985a181b846d7743d093e5ec8320604c89e695134da8584656ab8bc07e14a499ba2a9244a35e82828b34193a7567efccdf2d69d3b3917

Download Submit
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
357.1MB

MD5
a50ede865b3adfdb8c31c5dcb7f3bd1a

SHA1
643d8d1d69eeedfa5a101566c47a5427bd43fa77

SHA256
5a30ac464cafe8690d7b27d1d5012369f4759b8d3ad835237a94b9d98c0be26c

SHA512
fd024f1cf7f4cca2744c0c17b747b2f02d57b78f90526b489aa504bd0c46fc08f878fbd3b50c4de02930b70509ab0e122468f6bacd2508fbedd12b01b6d04f7b

Download Submit
memory/2832-154-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/2832-156-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/2832-155-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/2832-152-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/3352-140-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/3352-139-0x00000000057F0000-0x0000000005882000-memory.dmp

Filesize
584KB

Download
memory/3352-138-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/3352-141-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3352-144-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3352-143-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3352-142-0x0000000005780000-0x0000000005790000-memory.dmp

Filesize
64KB

Download
memory/3352-133-0x0000000000400000-0x000000000075C000-memory.dmp

Filesize
3.4MB

Download
memory/4760-158-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/4760-159-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/4760-160-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/4760-161-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download
memory/4760-162-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads