Analysis
- max time kernel: 153s
- max time network: 141s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 28-03-2023 10:26

Static task: static1
General
- Target: abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe
- Size: 3.4MB
- MD5: 6af5b2e6866ba28d18b951b63c4def4d
- SHA1: aa43b24fa0080621db487b91937cde636faba824
- SHA256: abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da
- SHA512: eb83cb73ef0c53b578a5b700deb95e1cc4bdc252cf39d0800bb12f2e107bda8c2f0bebca4ff37ff628cb856ddb7327fe494ddc2fecaa6f4d3fd8eb2fec298c9c
- SSDEEP: 98304:XUwOIEK84WQsykAeYYkAeYUaMImg8C0QuNAJuR21C/yIq/dhl/O4i/TksjdFwvhW:XUwOIEK84WQsykAeYYkAeYUaMImg8C0l
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: DesktopUSOPrivate-type4.5.8.9.exe, DesktopUSOPrivate-type4.5.8.9.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DesktopUSOPrivate-type4.5.8.9.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | DesktopUSOPrivate-type4.5.8.9.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: DesktopUSOPrivate-type4.5.8.9.exe, DesktopUSOPrivate-type4.5.8.9.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DesktopUSOPrivate-type4.5.8.9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DesktopUSOPrivate-type4.5.8.9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DesktopUSOPrivate-type4.5.8.9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DesktopUSOPrivate-type4.5.8.9.exe
-
Executes dropped EXE 2 IoCs
Processes: DesktopUSOPrivate-type4.5.8.9.exe, DesktopUSOPrivate-type4.5.8.9.exe
  pid | process
  4324 | DesktopUSOPrivate-type4.5.8.9.exe
  3644 | DesktopUSOPrivate-type4.5.8.9.exe
-
Modifies file permissions 1 TTPs 3 IoCs
Processes: icacls.exe, icacls.exe, icacls.exe
  pid | process
  944 | icacls.exe
  1368 | icacls.exe
  1940 | icacls.exe
-
Processes:
  resource | yara_rule
  C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe | upx
  C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe | upx
  behavioral1/memory/4324-146-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/4324-147-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/4324-150-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/4324-151-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe | upx
  behavioral1/memory/3644-153-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/3644-154-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/3644-155-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
  behavioral1/memory/3644-156-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp | upx
-
Checks whether UAC is enabled
Processes: DesktopUSOPrivate-type4.5.8.9.exe, DesktopUSOPrivate-type4.5.8.9.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DesktopUSOPrivate-type4.5.8.9.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DesktopUSOPrivate-type4.5.8.9.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe
  description | pid | process | target process
  PID 4604 set thread context of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid | pid_target | process | target process
  4724 | 4604 | WerFault.exe | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes: abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe, AppLaunch.exe
  description | pid | process | target process
  PID 4604 wrote to memory of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
  PID 4604 wrote to memory of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
  PID 4604 wrote to memory of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
  PID 4604 wrote to memory of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
  PID 4604 wrote to memory of 2112 | 4604 | abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe | AppLaunch.exe
  PID 2112 wrote to memory of 944 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 944 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 944 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1368 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1368 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1368 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1940 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1940 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 1940 | 2112 | AppLaunch.exe | icacls.exe
  PID 2112 wrote to memory of 4984 | 2112 | AppLaunch.exe | schtasks.exe
  PID 2112 wrote to memory of 4984 | 2112 | AppLaunch.exe | schtasks.exe
  PID 2112 wrote to memory of 4984 | 2112 | AppLaunch.exe | schtasks.exe
  PID 2112 wrote to memory of 4324 | 2112 | AppLaunch.exe | DesktopUSOPrivate-type4.5.8.9.exe
  PID 2112 wrote to memory of 4324 | 2112 | AppLaunch.exe | DesktopUSOPrivate-type4.5.8.9.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\abdd9b57ce77b1b7c8cc86dfe1ca6b2d5ff2a7096800ae56c0b5f10627b180da.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      - Modifies file permissions
    -
    C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      - Modifies file permissions
    -
    C:\Windows\SysWOW64\icacls.exe
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      - Modifies file permissions
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /CREATE /TN "DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9" /TR "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe" /SC MINUTE
      - Creates scheduled task(s)
    -
    C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
      Command line: "C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
  -
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 128
    - Program crash
-
C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
  Command line: C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
  Filesize: 676.8MB
  MD5: 9f78fdc5d772920b3e6e6961d67397c7
  SHA1: e6b6428fd0c48d3782ffb8386ef74b03c890b207
  SHA256: 96da6126cd5d4ec17caae05125b3c255340dee4694c4dbac636e7ac0f40356f3
  SHA512: 2cecb62618971ed95ef08040f6913ed87d8c145dde2122b42b49fc91336b4bfc725f5bde16a19875a9c5cf65a16b2389d9ae6622fb00be69757652d3ef2c459d
-
C:\ProgramData\DesktopUSOPrivate-type4.5.8.9\DesktopUSOPrivate-type4.5.8.9.exe
  Filesize: 651.5MB
  MD5: dee5b843ab9dc0dfc5b1037f484d249c
  SHA1: ae4dfd9161f19860855eff0ab8917667f500978c
  SHA256: ca7c1f5bbfc43c31c8894fdf069517f2553caad4c4628422ca1f59eeb9ba3b08
  SHA512: 7410c1fb5b9e8960abca6c38a26a4336607906741733bc8f2f0d2dba3eba87174cde8ae6e334e514a5fc2b3a7d68508a1b841a2630937f5e1b3feb71a5a44a82
-
memory/2112-126-0x0000000009C10000-0x000000000A10E000-memory.dmp
  Filesize: 5.0MB
-
memory/2112-127-0x00000000095B0000-0x0000000009642000-memory.dmp
  Filesize: 584KB
-
memory/2112-128-0x0000000009880000-0x0000000009890000-memory.dmp
  Filesize: 64KB
-
memory/2112-129-0x0000000009590000-0x000000000959A000-memory.dmp
  Filesize: 40KB
-
memory/2112-119-0x0000000000400000-0x000000000075C000-memory.dmp
  Filesize: 3.4MB
-
memory/3644-153-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/3644-154-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/3644-155-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/3644-156-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/4324-150-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/4324-151-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/4324-147-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB
-
memory/4324-146-0x00007FF6E0E70000-0x00007FF6E138F000-memory.dmp
  Filesize: 5.1MB