1dfcce1ce83f53c469c4e45cccd2a372a2bb97d7e3992f92161314a4c33e57e1

Analysis

max time kernel
142s
max time network
39s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12/04/2023, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe
Size

3.5MB
MD5

22de181249b690fe72765d7ea88261aa
SHA1

74bef0075a62ab823ecd3218c83d44e5b878b99a
SHA256

0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee
SHA512

f4ae5196c921e9becf8837b84af2f86153c7d99fb54da6d8453ebdeb53509f9be02a288c0c26ab2340ace94fbaa351302425164febd928b02fdeaaa2302123f2
SSDEEP

49152:b/beXS0wKk0PlMb79rofRV649W3gHCPCOLnlDoftbvDGxhrIASdNmYU7ex:LbQwKpPiCWltPC6MftbrGXNMNF

Score

9^/10

discovery evasion trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FavoritesTemplates-type8.6.2.5.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FavoritesTemplates-type8.6.2.5.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FavoritesTemplates-type8.6.2.5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FavoritesTemplates-type8.6.2.5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	FavoritesTemplates-type8.6.2.5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	FavoritesTemplates-type8.6.2.5.exe

Executes dropped EXE 2 IoCs

pid	Process
1744	FavoritesTemplates-type8.6.2.5.exe
1748	FavoritesTemplates-type8.6.2.5.exe

Loads dropped DLL 4 IoCs

pid	Process
1664	AppLaunch.exe
1664	AppLaunch.exe
1636	taskeng.exe
1636	taskeng.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1656	icacls.exe
1572	icacls.exe
976	icacls.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000014149-69.dat	upx
behavioral1/files/0x0006000000014149-74.dat	upx
behavioral1/files/0x0006000000014149-73.dat	upx
behavioral1/files/0x0006000000014149-70.dat	upx
behavioral1/memory/1744-77-0x000000013F6D0000-0x000000013FBEF000-memory.dmp	upx
behavioral1/memory/1744-78-0x000000013F6D0000-0x000000013FBEF000-memory.dmp	upx
behavioral1/memory/1744-79-0x000000013F6D0000-0x000000013FBEF000-memory.dmp	upx
behavioral1/files/0x0006000000014149-80.dat	upx
behavioral1/memory/1744-81-0x000000013F6D0000-0x000000013FBEF000-memory.dmp	upx
behavioral1/files/0x0006000000014149-84.dat	upx
behavioral1/files/0x0006000000014149-83.dat	upx
behavioral1/files/0x0006000000014149-82.dat	upx
behavioral1/memory/1748-85-0x000000013FC40000-0x000000014015F000-memory.dmp	upx
behavioral1/memory/1748-86-0x000000013FC40000-0x000000014015F000-memory.dmp	upx
behavioral1/memory/1748-89-0x000000013FC40000-0x000000014015F000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FavoritesTemplates-type8.6.2.5.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	FavoritesTemplates-type8.6.2.5.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1052 set thread context of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
648	schtasks.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1052 wrote to memory of 1664	1052	0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe	29
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1656	1664	AppLaunch.exe	30
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 1572	1664	AppLaunch.exe	31
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 976	1664	AppLaunch.exe	32
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 648	1664	AppLaunch.exe	33
PID 1664 wrote to memory of 1744	1664	AppLaunch.exe	34
PID 1664 wrote to memory of 1744	1664	AppLaunch.exe	34
PID 1664 wrote to memory of 1744	1664	AppLaunch.exe	34
PID 1664 wrote to memory of 1744	1664	AppLaunch.exe	34
PID 1636 wrote to memory of 1748	1636	taskeng.exe	40
PID 1636 wrote to memory of 1748	1636	taskeng.exe	40
PID 1636 wrote to memory of 1748	1636	taskeng.exe	40

C:\Users\Admin\AppData\Local\Temp\0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe
"C:\Users\Admin\AppData\Local\Temp\0f607bf5852d3f70dfbf006efa7520d1b9f71ecf8b3e56fc0301d2334e434bee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\FavoritesTemplates-type8.6.2.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1656
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\FavoritesTemplates-type8.6.2.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:1572
- - C:\Windows\SysWOW64\icacls.exe
    "C:\Windows\System32\icacls.exe" "C:\ProgramData\FavoritesTemplates-type8.6.2.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"
    3⤵
    - Modifies file permissions
    PID:976
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /CREATE /TN "FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5" /TR "C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe" /SC MINUTE
    3⤵
    - Creates scheduled task(s)
    PID:648
- - C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe
    "C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    PID:1744

C:\Windows\system32\taskeng.exe
taskeng.exe {6BEF5408-3EBE-4548-AE50-0D60E15A3826} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636
- C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe
  C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
279.9MB

MD5
acf8e540ddc52d633384e57a37d028ff

SHA1
5eae76994dfdb293a254ab8bed7f41a0f24e62b9

SHA256
b4b849e3111c677d6cfa8db83e9b57300060f31b1dc505a3614e27293e9c6936

SHA512
707e92388665ebe6ffb6635df5c619d01d8713d2738bbd20209dd2e2e570ce45a219ff77a8bc1183bdbfe6babe10fbb15f7105ef1286a58a247a817f75f9a7ed

Download Submit
C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
279.6MB

MD5
049d8eb07f3224bf834d9d0a46366555

SHA1
5052edb3aab8b3bbf903f76a5679549160057bd4

SHA256
72341e0075861bbe8e18df960cbed4cf7ab030110c8b5d95e1836161e59b8343

SHA512
b466d9054d0e378ae314318a2868364ed02d09b3db98e177b7242140e873e488e8c961b7768c8339065407d7635a6395a972f8245c26148578a717f759e0eb8f

Download Submit
C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
264.5MB

MD5
563550984b58eacf3f0e641cf594fa96

SHA1
e3b4551b83141841662de5fd3b70cec8d9081ece

SHA256
05e71e125cd72e125e7b0867f89222a6a7a7d7f473dce0016ff200382943cca3

SHA512
3d4106a5d461db95bf4c7ba23669be8e9e2b1cabe9a5a1c7285c836071808555703a22f1876f1b1c2b8636e7f9bf963f48dc842e0ea36dc0da291050b8ed7547

Download Submit
C:\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
185.5MB

MD5
37739d5ec55eac9294ad54283dabd2b5

SHA1
1da8ef01b6aa66fb2a3dbea95b8b894482b0cd97

SHA256
dfc6ebf66a2a3e471b9771a52e7e3511fcd75cf4f1c2df3451c0b08f33020e0d

SHA512
631b7b8c077395ef8ed97bff49fe2be83fc8337d3d96960fb43aec4d5973401bad4972c3d2f6a91d3e280a61219ca02e83f16f6c0afe7858770c3920537274f0

Download Submit
\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
278.9MB

MD5
c82cac267dbcc8d6b11f8ec3c71b12d9

SHA1
f70f9b456c6dc21152f1901c74a95a9fe4e8bdb6

SHA256
cd0d61600d3ef4281e5f94952e73538aa9ba1f60768580634b45f6f5867e9e6e

SHA512
647616cc9b5cc996115f8ae86db5b81251e9420dbdb77da023f3c63544d3c8f81ed1f5d87f206e80f84ece25c0be9420b5a15b345878a80627ddc398f41f8aaf

Download Submit
\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
294.2MB

MD5
38a41282c3aa62386223427291de2b00

SHA1
d9c12d630a75c50b3fa5d470b9cee15cd7e42ab3

SHA256
38197b6c54b8b6d3bdff0133e2f3e04bde54d0e6ad62b6f4e548f60fb50f3955

SHA512
dad88f2bd1b39df89c85ebfd4b6e59df301ab866d2560dc3a45bd8bd9bc12d88e34d084b83a80e021fade746b69948c561d05745e6f5cdbb2db91d729aaf98f3

Download Submit
\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
166.2MB

MD5
d4ffe4bdca95fa9593e0f9c7fd617c86

SHA1
7c4c7cb88d7b59cf78c172454234710892b1f153

SHA256
d0851b7c27003808b8011106cf2bdad000bad9f9571843be32a595d474c683ef

SHA512
6b2c50b6bdb1d2a9ddcb0368c140c9578e639583ed4d4cd91e42f7d82fdb879c172cce2b6047002c7a2c3d485c3757d7660ac356b03ee04fa3886abac7211620

Download Submit
\ProgramData\FavoritesTemplates-type8.6.2.5\FavoritesTemplates-type8.6.2.5.exe

Filesize
161.6MB

MD5
d4f7f218205b6af712e66790e096a8dc

SHA1
82fd4d1bf9e36a40809f177c8f30b212d780c227

SHA256
416dda56d99b52ecb8bcdee37174792f36b5c44375ca93800342c8c9643bb0c0

SHA512
41e20ec305082a750725cc94c18532a81b75526e17f86d08355b6c9afe96b721ae9bb93dbed6c1f31c4d2e58c43ffe2ae24b7ac590dd8ed8a3446ef4b8253a2b

Download Submit
memory/1636-91-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download
memory/1636-88-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download
memory/1636-87-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download
memory/1664-65-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1664-62-0x0000000000430000-0x000000000078C000-memory.dmp

Filesize
3.4MB

Download
memory/1664-75-0x0000000008170000-0x000000000868F000-memory.dmp

Filesize
5.1MB

Download
memory/1664-76-0x0000000008170000-0x000000000868F000-memory.dmp

Filesize
5.1MB

Download
memory/1664-55-0x0000000000430000-0x000000000078C000-memory.dmp

Filesize
3.4MB

Download
memory/1664-66-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1664-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-54-0x0000000000430000-0x000000000078C000-memory.dmp

Filesize
3.4MB

Download
memory/1664-61-0x0000000000430000-0x000000000078C000-memory.dmp

Filesize
3.4MB

Download
memory/1664-64-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1664-63-0x0000000004FC0000-0x0000000005000000-memory.dmp

Filesize
256KB

Download
memory/1744-78-0x000000013F6D0000-0x000000013FBEF000-memory.dmp

Filesize
5.1MB

Download
memory/1744-81-0x000000013F6D0000-0x000000013FBEF000-memory.dmp

Filesize
5.1MB

Download
memory/1744-79-0x000000013F6D0000-0x000000013FBEF000-memory.dmp

Filesize
5.1MB

Download
memory/1744-77-0x000000013F6D0000-0x000000013FBEF000-memory.dmp

Filesize
5.1MB

Download
memory/1748-85-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download
memory/1748-86-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download
memory/1748-89-0x000000013FC40000-0x000000014015F000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads