Analysis
-
max time kernel
602s -
max time network
431s -
platform
windows11_x64 -
resource
win11 -
submitted
12-08-2021 21:22
General
-
Target
VersiumResearch64bit.exe
-
Size
252KB
-
MD5
ee19bc8a2b6c6fd7c30037389457a4df
-
SHA1
e1fca1cc33574e59dec62763ee6e7de1a5198095
-
SHA256
76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0
-
SHA512
38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001
Malware Config
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Executes dropped EXE 4 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 8 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\VersiumResearch64bit.exe"C:\Users\Admin\AppData\Local\Temp\VersiumResearch64bit.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Windows\System32\ATBroker.exeC:\Windows\System32\ATBroker.exe /start osk2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\osk.exe"C:\Windows\System32\osk.exe"3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\pcaui.exeC:\Windows\System32\pcaui.exe -n 0 -a "" -v "" -g "" -x ""2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable2⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\USOPrivate\UpdateStore\store.dbMD5
61b7e1e741b9da5e662eb1a13743e2a6
SHA1ca662ac60a6478177dce7739c983631f1afabbb1
SHA2568d2411487966a7906f3eb597574d05ed3aa39dda3d2ab43aaf168e8a48b9e96c
SHA512b7dbdde5c7edd37d9e7b5294fd44d7d1856e21966932429f86e6f78678f7a62fb6fa257bf6c3bfb3f57ebf19e7b168ca72b22f2084b02ea4c7109ebc63c70aac
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\11111.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
9cf4803f539b6a0878817ae001351bf9
SHA1f015c3f043945373279ca1bc509c97c4998016d0
SHA256e6cde050dbb2c206b951b4e15509cdfee63c49505b183faa52696bdcfeb21bea
SHA5124ee11255ba9cbf76509ea078ca68111854c2440f0ced4c3761340e555613169f87f8b69ca0e8b9f35baf08833e9a73f091ff3d0426dd74aad1aa792a5730cf29
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Windows\Panther\UnattendGC\diagerr.xmlMD5
a1016423071a3b60559a284cf8f1eac6
SHA123c16221e153ccda4b26ab3dbdf5d6abf2cbe28d
SHA25666d330693a82ee50136be12b81dd915da5a9841a402d02db27dd9dc41112d8bb
SHA51236a4e05b1deca7e93a284a652b7ccf362f2b72a96e1113e88be957f67e51210cdd6fd03947a403071ff1dbbaf3ab24fc2834ab75a6492b54695aa22b691d715a
-
C:\Windows\Panther\UnattendGC\diagwrn.xmlMD5
a34fdd127f20a5810dbfc2666ff71cbc
SHA1d34f9d4d305e4fc53f9c9b6de00502e930dc3bf6
SHA256cfe4b22bb92de48c04bb6aa328989b9524b8dee900961005ad7588f4f81ac337
SHA51291647932dabd8dcc557c2870b53123bfdc4472179bbeb6a005d4a5968492253c962adf30649ed6131f35af16eff6f874d8c57a6886f6e7496e615bb319e407d8
-
memory/1056-164-0x0000000000000000-mapping.dmp
-
memory/1268-152-0x0000000000000000-mapping.dmp
-
memory/1964-148-0x0000000000000000-mapping.dmp
-
memory/3048-184-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-188-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-191-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-190-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-189-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-187-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-186-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-185-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-183-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/3048-182-0x000001EF42FC0000-0x000001EF42FC1000-memory.dmpFilesize
4KB
-
memory/4028-223-0x0000000000000000-mapping.dmp
-
memory/4144-155-0x0000000000000000-mapping.dmp
-
memory/4484-166-0x00000135A45C0000-0x00000135A45C4000-memory.dmpFilesize
16KB
-
memory/4484-162-0x00000135A1EA0000-0x00000135A1EB0000-memory.dmpFilesize
64KB
-
memory/4484-169-0x00000135A42F0000-0x00000135A42F1000-memory.dmpFilesize
4KB
-
memory/4484-163-0x00000135A42D0000-0x00000135A42D4000-memory.dmpFilesize
16KB
-
memory/4484-168-0x00000135A4300000-0x00000135A4304000-memory.dmpFilesize
16KB
-
memory/4484-167-0x00000135A4580000-0x00000135A4581000-memory.dmpFilesize
4KB
-
memory/4484-171-0x00000135A1FD0000-0x00000135A1FD1000-memory.dmpFilesize
4KB
-
memory/4484-170-0x00000135A42F0000-0x00000135A42F4000-memory.dmpFilesize
16KB
-
memory/4484-161-0x00000135A1C60000-0x00000135A1C70000-memory.dmpFilesize
64KB
-
memory/4496-147-0x000002D8F5660000-0x000002D8F5792000-memory.dmpFilesize
1.2MB
-
memory/4496-146-0x000002D8F5460000-0x000002D8F552D000-memory.dmpFilesize
820KB
-
memory/4504-158-0x0000000000000000-mapping.dmp
-
memory/4992-224-0x0000000000000000-mapping.dmp
-
memory/5004-165-0x0000000000000000-mapping.dmp