Analysis
-
max time kernel
141s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
-
submitted
03/10/2023, 22:46
General
-
Target
84c4OGF1.exe
-
Size
3.4MB
-
MD5
ee1a1964f97f469e9ede06c68f5b2111
-
SHA1
cc0bea12750522e977d5fce70fb0087f2d10cacc
-
SHA256
83a5e511ea183acb772e4e24277419f5f8d20c3dc5ce11a6438a4913e6789b74
-
SHA512
eecd8982b5ad80b0824ef07185d246aca16528d1c846a04fb2ce46122d85b31330b20630dd6e4a4c7d5f3519e3b21e9cfa90e18a335646734abcf396f9c3bc18
-
SSDEEP
98304:JUwOIEK84WQsykAeYXkAeYUaMImg8C0Qu9JuR21C/yIq/dhl/O4i/TksjdFwvhzh:JUwOIEK84WQsykAeYXkAeYUaMImg8C0j
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Modifies file permissions 1 TTPs 3 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 31 IoCs
-
Suspicious use of SendNotifyMessage 30 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\84c4OGF1.exe"C:\Users\Admin\AppData\Local\Temp\84c4OGF1.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\icacls.exe"C:\Windows\System32\icacls.exe" "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5" /inheritance:e /deny "admin:(R,REA,RA,RD)"3⤵
- Modifies file permissions
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /CREATE /TN "Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5" /TR "C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5.exe" /SC MINUTE3⤵
- Creates scheduled task(s)
-
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5.exe"C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 362⤵
- Program crash
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\taskeng.exetaskeng.exe {11498E83-6725-47F1-BA6D-0D00B152D2B5} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5.exeC:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-type5.0.5.5.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
155.5MB
MD59e5adafae90074af5abc01815ea82adf
SHA1afb698866307596cfc4b284527d84f31f8f77b48
SHA2568b2a9ebe010624ba077acba1ef88549b34495acd58c09fc7b6e737ec5635e11b
SHA51295881d2051201b743545544f62b658e5d12d64d7a969e9c3ae75988687062bd7ab16af5155e249adf610ccec2a29a4323fe8912d95bc60ef1cc4bf8a3d9905eb
-
Filesize
230.5MB
MD5789ebf464f6efa6153f76c88c405dba7
SHA15525cd50f621bdf7214436be787abecc33b6f2fb
SHA2569eb508dc090573466449d0bc0969ffb338fe56fb33eb27cc2157c34a942fb77c
SHA512d8ef91a701e831e5ef9521ff25e0b15261f18e05c21f6784c445343920dcbe88c745d78b429e5c08f9f11da1fc5779c0896b727ed4c751dbcdad1f91b1c4835f
-
Filesize
228.4MB
MD55cae17e3eccda61bb0295b2e8d50ac51
SHA1ba4fc8f1e871f81f5e29647714726db5daa80d8b
SHA256ca75ecc49b5bfff2f582d5cc4b860e13d3335cf8ee2ca232f66f944fd5732371
SHA5124b70d7ba2a8f5eeb18f12a614173bd23daf3fb294240a5a6095bbd68fb61f27776cadfa27388dcc658351eb35acc8d8e1dc2ebf114da4135b4e58303180f2777
-
Filesize
134.9MB
MD51d5765bf47166545c32e4a25507910c1
SHA18a1a8ae64aed951615b50b5728c0d3516bff2724
SHA2569e40a26d07b61fbce370b4bcd5fe62618e3665a1298570a22e2c4c5d8ee15ea8
SHA5127b80e1f255c5ce227e6c07a9aaf2ba150a622b7273f67e2e3d2ae5992f509f70602e314516855c07f5060b48ce1e00abcb100ef2c596805d731b82a2974c0ced
-
Filesize
170.9MB
MD565ebca3923bb9ed25dc99cf26ebd3026
SHA1e7f75c8e5d4a068f17f6e3d99cfc284ff20d4b08
SHA2567c485bbc66afb42f73569c52cc9a4b0827fa917d9b3a82bec65d2d00546f6a61
SHA51263328b2ed89475cf6a9148fdabbf4bd24548870409703a605ce6d357a29ee336abb93276ff287a5d113a44d4427988c038c926a8cc8255183d48883e5358dccd
-
Filesize
230.2MB
MD5d0fb0f744b42b2faca8b4574220cda45
SHA10669e363c2e5a7ad0bc9b0776313a4016c714ad3
SHA25634721b522705e594e1f5c77e91529874f1ea3e2b4bf0ad6631ef50453c8f80b8
SHA51257ea45f15f525a1cf51fb6f6897b55625e3ed3985f34d445a7b593eb77f2a30702fd8a7e1adf007961a6f455c29add9e230ab0846d2048dc83a1d7726b06d888
-
Filesize
135.6MB
MD5290ca1159b1bb0aae09b25d356dd52ef
SHA110e42e6c79c6d61afe19980aac033f4694be95f2
SHA256619459b9c2bce2d49ad84ad7b6507c27d7e2f58968493923f87d1c3740cd9e72
SHA512121ef19c8dee6376eed4fb621619ec79cc0a139cc41f509da6f993d4d3735b962a36151b8071c7c856b23b3ae4b2da40f09dbde2ff8e3fc96279248f88c64407
-
Filesize
135.4MB
MD5177c9eb1331d74acf486c82a18805b29
SHA1fb8e9592c5efcdf150506fcf2ef13085ccc5f6a8
SHA256ef5bba295ba52fe21f3648bfdcaa97f3aa3d45c9870affbc856e4bee6b5f8b23
SHA5124aea6f07f761eb43f47e4f1efcd0a5f26c9dea617c6c64e33cd0e76d3b0ba0ee4e19e0ebb8d4d19d0b0f1e1cf53efe8c0d8d801067b1b764c94745e163d33e6f
-
Filesize
135.6MB
MD5290ca1159b1bb0aae09b25d356dd52ef
SHA110e42e6c79c6d61afe19980aac033f4694be95f2
SHA256619459b9c2bce2d49ad84ad7b6507c27d7e2f58968493923f87d1c3740cd9e72
SHA512121ef19c8dee6376eed4fb621619ec79cc0a139cc41f509da6f993d4d3735b962a36151b8071c7c856b23b3ae4b2da40f09dbde2ff8e3fc96279248f88c64407
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
3.4MB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
3.4MB
-
Filesize
256KB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
5.1MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.1MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB