Analysis
- max time kernel: 145s
- max time network: 147s
- platform: windows10-1703_x64
- resource: win10-20230220-en
- resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 29/03/2023, 18:25
- Static task: static1
General
- Target: 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe
- Size: 3.5MB
- MD5: f73ff75729d6b75e6471e831de9da26c
- SHA1: d2ad907db9be23213a56841811bf3fdd40167e14
- SHA256: 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba
- SHA512: 3fa2b19407fa423937a14777e50473f5783eeaafe901ac89525dcff84b2bbd076cbfa25bc5d8a0788520eee1ddfc439ce5a3b11828a55f49a3bd00c5028fac03
- SSDEEP: 49152:lkygYIBuLxcnsis7wVFEIRmQJcCT7KZLDMGLRwHyp9lcOP7UuziMddsruFXKQnLw:aYdxcnsEcI4QJhOOHyuM4u+UdJAqERL
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | OracleTemplates-type3.1.4.0.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | OracleTemplates-type3.1.4.0.exe

- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OracleTemplates-type3.1.4.0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OracleTemplates-type3.1.4.0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | OracleTemplates-type3.1.4.0.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | OracleTemplates-type3.1.4.0.exe

- Executes dropped EXE (2 IoCs)
  pid | Process
  2528 | OracleTemplates-type3.1.4.0.exe
  3520 | OracleTemplates-type3.1.4.0.exe

- Modifies file permissions (1 TTPs, 3 IoCs)
  pid | Process
  3952 | icacls.exe
  1012 | icacls.exe
  4572 | icacls.exe

- YARA rule match: upx
  resource | yara_rule
  behavioral1/files/0x000600000001aeff-148.dat | upx
  behavioral1/files/0x000600000001aeff-149.dat | upx
  behavioral1/memory/2528-150-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/2528-153-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/2528-154-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/2528-155-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/2528-156-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/2528-157-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/files/0x000600000001aeff-158.dat | upx
  behavioral1/memory/3520-159-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx
  behavioral1/memory/3520-160-0x00007FF718910000-0x00007FF718E2F000-memory.dmp | upx

- Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OracleTemplates-type3.1.4.0.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | OracleTemplates-type3.1.4.0.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 996 set thread context of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67

- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  2100 | 996 | WerFault.exe | 65

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  4760 | schtasks.exe

- Suspicious use of WriteProcessMemory (19 IoCs)
  description | pid | Process | procid_target
  PID 996 wrote to memory of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67
  PID 996 wrote to memory of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67
  PID 996 wrote to memory of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67
  PID 996 wrote to memory of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67
  PID 996 wrote to memory of 4156 | 996 | 36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe | 67
  PID 4156 wrote to memory of 3952 | 4156 | AppLaunch.exe | 70
  PID 4156 wrote to memory of 3952 | 4156 | AppLaunch.exe | 70
  PID 4156 wrote to memory of 3952 | 4156 | AppLaunch.exe | 70
  PID 4156 wrote to memory of 1012 | 4156 | AppLaunch.exe | 72
  PID 4156 wrote to memory of 1012 | 4156 | AppLaunch.exe | 72
  PID 4156 wrote to memory of 1012 | 4156 | AppLaunch.exe | 72
  PID 4156 wrote to memory of 4572 | 4156 | AppLaunch.exe | 73
  PID 4156 wrote to memory of 4572 | 4156 | AppLaunch.exe | 73
  PID 4156 wrote to memory of 4572 | 4156 | AppLaunch.exe | 73
  PID 4156 wrote to memory of 4760 | 4156 | AppLaunch.exe | 76
  PID 4156 wrote to memory of 4760 | 4156 | AppLaunch.exe | 76
  PID 4156 wrote to memory of 4760 | 4156 | AppLaunch.exe | 76
  PID 4156 wrote to memory of 2528 | 4156 | AppLaunch.exe | 78
  PID 4156 wrote to memory of 2528 | 4156 | AppLaunch.exe | 78
Processes

- C:\Users\Admin\AppData\Local\Temp\36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe (PID 996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\36e377a0a7999f24ce2110311847d4c35fb43c39c8939fa218aaf06427315dba.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (PID 4156)
    Command line: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\icacls.exe (PID 3952)
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      - Modifies file permissions

    - C:\Windows\SysWOW64\icacls.exe (PID 1012)
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      - Modifies file permissions

    - C:\Windows\SysWOW64\icacls.exe (PID 4572)
      Command line: "C:\Windows\System32\icacls.exe" "C:\ProgramData\OracleTemplates-type3.1.4.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      - Modifies file permissions

    - C:\Windows\SysWOW64\schtasks.exe (PID 4760)
      Command line: "C:\Windows\System32\schtasks.exe" /CREATE /TN "OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0" /TR "C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe" /SC MINUTE
      - Creates scheduled task(s)

    - C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe (PID 2528)
      Command line: "C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled

  - C:\Windows\SysWOW64\WerFault.exe (PID 2100)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 508
    - Program crash

- C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe (PID 3520)
  Command line: C:\ProgramData\OracleTemplates-type3.1.4.0\OracleTemplates-type3.1.4.0.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 955.6MB
  MD5: fe83ff2c94df77062bb5e12e06ebb0f3
  SHA1: 9c6e16e96654f62b461547aec7faa63e5d2ea604
  SHA256: 25dfc22eb572b78f65c246eac6b2f4a0227585fed5dece61dc232c4761dfa3d1
  SHA512: a7a137d3b0a1a92cd52cfa8d206ef8503535141c9dfb489cf37664304e5ed234fffd19617962bcc36b41d98c7a31e4a5f02dc412f73bb756859b9d30e0785603
- Filesize: 54.7MB
  MD5: bfa1db0bb85805cabfc07ab23b81ae19
  SHA1: fb87ee1400af198d747b80dae0d36e47dbe68190
  SHA256: 15754ec720dd1d3c7972f5aef388c6ff2d39e8c89722b39057719a130e0dd32c
  SHA512: 6e7403c35390a2f475e8cb5b82e32788cc9c8c1a06c6b2f29c087c50c8b67592b893846d099bc69d828053ada20fd269ff31e556fef809a6b2959c27ccd9f645