Analysis
max time kernel
142s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted
28-03-2023 06:06
Static task
static1
General
Target
b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
Size
3.4MB
MD5
63e0898dbf0716369acd4395fe105646
SHA1
62324fe2edac77742878e2b5dc875ad1bfefd015
SHA256
b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9
SHA512
eaa497b514b0e2520c93a85fe4f51b34d55fb3bc629cd1286e6022b379647b16eb703f550e79d814b21bb4dac50602ba445834802aa76dd35bf8b803c81a1dd2
SSDEEP
98304:AJuR21C/yIq/dhl/O4i/TksjdFwvhzjMSwRV6:A8D/yIqlhlW4i/QsnwZzjMSeV6
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DocumentsDesktop-type1.1.3.0.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DocumentsDesktop-type1.1.3.0.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DocumentsDesktop-type1.1.3.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DocumentsDesktop-type1.1.3.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DocumentsDesktop-type1.1.3.0.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DocumentsDesktop-type1.1.3.0.exe

Executes dropped EXE 2 IoCs
Processes:
pid | process
2832 | DocumentsDesktop-type1.1.3.0.exe
4760 | DocumentsDesktop-type1.1.3.0.exe

Modifies file permissions 1 TTPs 3 IoCs
Processes:
pid | process
3860 | icacls.exe
1424 | icacls.exe
948 | icacls.exe

Processes:
resource | yara_rule
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe | upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe | upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe | upx
behavioral1/memory/2832-154-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/2832-152-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/2832-155-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/2832-156-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe | upx
behavioral1/memory/4760-158-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/4760-159-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/4760-160-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/4760-161-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx
behavioral1/memory/4760-162-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | upx

Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DocumentsDesktop-type1.1.3.0.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DocumentsDesktop-type1.1.3.0.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1876 set thread context of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe

Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
4072 | 1876 | WerFault.exe | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious use of WriteProcessMemory 19 IoCs
Processes:
description | pid | process | target process
PID 1876 wrote to memory of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe
PID 1876 wrote to memory of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe
PID 1876 wrote to memory of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe
PID 1876 wrote to memory of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe
PID 1876 wrote to memory of 3352 | 1876 | b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe | AppLaunch.exe
PID 3352 wrote to memory of 3860 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 3860 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 3860 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 1424 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 1424 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 1424 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 948 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 948 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 948 | 3352 | AppLaunch.exe | icacls.exe
PID 3352 wrote to memory of 3828 | 3352 | AppLaunch.exe | schtasks.exe
PID 3352 wrote to memory of 3828 | 3352 | AppLaunch.exe | schtasks.exe
PID 3352 wrote to memory of 3828 | 3352 | AppLaunch.exe | schtasks.exe
PID 3352 wrote to memory of 2832 | 3352 | AppLaunch.exe | DocumentsDesktop-type1.1.3.0.exe
PID 3352 wrote to memory of 2832 | 3352 | AppLaunch.exe | DocumentsDesktop-type1.1.3.0.exe

Processes
(process tree; nesting shows parent/child depth, each entry gives the image path, then its command line, then the signatures it triggered)

[1] C:\Users\Admin\AppData\Local\Temp\b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\b625fb6849eed0feea2c9d5032600f75a524e2f20d023b7ba5da7b4fe1ab9ce9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\icacls.exe
            command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
            - Modifies file permissions

        [3] C:\Windows\SysWOW64\icacls.exe
            command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
            - Modifies file permissions

        [3] C:\Windows\SysWOW64\icacls.exe
            command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DocumentsDesktop-type1.1.3.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
            - Modifies file permissions

        [3] C:\Windows\SysWOW64\schtasks.exe
            command line: "C:\Windows\System32\schtasks.exe" /CREATE /TN "DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0" /TR "C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe" /SC MINUTE
            - Creates scheduled task(s)

        [3] C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
            command line: "C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled

    [2] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 300
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1876 -ip 1876

[1] C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
    command line: C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
600.5MB

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
444.2MB

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
569.6MB

C:\ProgramData\DocumentsDesktop-type1.1.3.0\DocumentsDesktop-type1.1.3.0.exe
Filesize
357.1MB

resource | Filesize
memory/2832-154-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/2832-156-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/2832-155-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/2832-152-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/3352-140-0x00000000057D0000-0x00000000057DA000-memory.dmp | 40KB
memory/3352-139-0x00000000057F0000-0x0000000005882000-memory.dmp | 584KB
memory/3352-138-0x0000000005DA0000-0x0000000006344000-memory.dmp | 5.6MB
memory/3352-141-0x0000000005780000-0x0000000005790000-memory.dmp | 64KB
memory/3352-144-0x0000000005780000-0x0000000005790000-memory.dmp | 64KB
memory/3352-143-0x0000000005780000-0x0000000005790000-memory.dmp | 64KB
memory/3352-142-0x0000000005780000-0x0000000005790000-memory.dmp | 64KB
memory/3352-133-0x0000000000400000-0x000000000075C000-memory.dmp | 3.4MB
memory/4760-158-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/4760-159-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/4760-160-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/4760-161-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB
memory/4760-162-0x00007FF6416A0000-0x00007FF641BBF000-memory.dmp | 5.1MB