Overview

overview

9

Static

static

1

84c4OGF1.exe

windows7-x64

9

84c4OGF1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2023, 22:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    84c4OGF1.exe

  • Size

    3.4MB

  • MD5

    ee1a1964f97f469e9ede06c68f5b2111

  • SHA1

    cc0bea12750522e977d5fce70fb0087f2d10cacc

  • SHA256

    83a5e511ea183acb772e4e24277419f5f8d20c3dc5ce11a6438a4913e6789b74

  • SHA512

    eecd8982b5ad80b0824ef07185d246aca16528d1c846a04fb2ce46122d85b31330b20630dd6e4a4c7d5f3519e3b21e9cfa90e18a335646734abcf396f9c3bc18

  • SSDEEP

    98304:JUwOIEK84WQsykAeYXkAeYUaMImg8C0Qu9JuR21C/yIq/dhl/O4i/TksjdFwvhzh:JUwOIEK84WQsykAeYXkAeYUaMImg8C0j

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84c4OGF1.exe
    "C:\Users\Admin\AppData\Local\Temp\84c4OGF1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:708
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3788
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:844
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1" /TR "C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:2116
      • C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
        "C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:1300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 160
      2⤵
      • Program crash
      PID:880
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924
    1⤵
      PID:1500
    • C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
      C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      PID:2992

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
      Filesize

      706.5MB

      MD5

      ccfe0ecb6f290c27c366aa8c823039db

      SHA1

      fc933a1e7e0563bac9680b88ff8aabf28d6e0a4f

      SHA256

      618aeaf84337f824e3f5783bfd46905977ce11ffb69663893a7c4617d8931359

      SHA512

      448dcd644003b4aefc9019dc1e83cebd2739eb632e70792db75ace650949af88df42643c7bf82bfce2cda520df592356feeefe010f6e4f587669f55553b2b63f

      Download Submit

    • C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
      Filesize

      706.5MB

      MD5

      ccfe0ecb6f290c27c366aa8c823039db

      SHA1

      fc933a1e7e0563bac9680b88ff8aabf28d6e0a4f

      SHA256

      618aeaf84337f824e3f5783bfd46905977ce11ffb69663893a7c4617d8931359

      SHA512

      448dcd644003b4aefc9019dc1e83cebd2739eb632e70792db75ace650949af88df42643c7bf82bfce2cda520df592356feeefe010f6e4f587669f55553b2b63f

      Download Submit

    • C:\ProgramData\WindowsHolographicDevicesDesktop-type3.7.4.1\WindowsHolographicDevicesDesktop-type3.7.4.1.exe
      Filesize

      493.7MB

      MD5

      a9e1ffba16430da00871fe21802c4a60

      SHA1

      66e5ea09d38091dd2adb60300ba0142f9ece8aed

      SHA256

      55e9db98536d12db9c10d5650e030356aa99f1f1ff41d1f10e1679ca3c4142a2

      SHA512

      6f510d42050d1307c4d3e4e9563c78b90b57ef57a2388007c382aacb599d774f9b3432041e789113be5f534ea2edb260ad1a8a18c388ae3e5722d6f152bdbd81

      Download Submit

    • memory/924-11-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/924-0-0x0000000000400000-0x0000000000772000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/1300-21-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-29-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-28-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-27-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-26-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-25-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/1300-24-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2992-31-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2992-35-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2992-34-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2992-33-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2992-32-0x00007FF6EFAD0000-0x00007FF6EFFEF000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/3084-15-0x0000000005E50000-0x0000000005E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3084-13-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3084-12-0x0000000005E50000-0x0000000005E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3084-9-0x0000000005E50000-0x0000000005E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3084-10-0x0000000005DF0000-0x0000000005DFA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3084-1-0x00000000013B0000-0x000000000170C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/3084-14-0x0000000005E50000-0x0000000005E60000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3084-8-0x0000000005CF0000-0x0000000005D82000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3084-23-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3084-6-0x00000000749E0000-0x0000000075190000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3084-7-0x0000000006200000-0x00000000067A4000-memory.dmp

      Filesize

      5.6MB

      Download