Resubmissions

07/03/2023, 13:26

230307-qpnn8aab39 7

Analysis

  • max time kernel: 77s
  • max time network: 110s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230221-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/03/2023, 13:26

General

  • Target: ISSetupPrerequisites/USBWin8.bat
  • Size: 72B
  • MD5: 306d0c087795c34e27308a787947d130
  • SHA1: 9399a7fec392844973ef5ed3c2b7dda46c4f0578
  • SHA256: f661626802bc4cf3394cee22c991a272fb083dd8f856279798b7b097c2336b53
  • SHA512: d333ae68c2127191fb3e9a6186217360aab8afe7e2bf2b5df76db596440fabd32e50c315edf33593a4964bb6d323d56d3ed5fbf9324e172555e8e672e3a0c997

Score
5/10

Malware Config

Signatures

  • Drops file in System32 directory (6 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 10 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)

Processes

  • C:\Windows\system32\cmd.exe (PID 3300, level 1)
    Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\USBWin8.bat"
    Signatures: Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\certutil.exe (PID 2104, level 2)
      Command line: certutil.exe -p 1354 -importPFX cdcseries.pfx
    • C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites\PnPutil.exe (PID 2948, level 2)
      Command line: pnputil.exe -a usbser.inf
      Signatures: Drops file in Windows directory
  • C:\Windows\system32\svchost.exe (PID 336, level 1)
    Command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    Signatures: Drops file in Windows directory; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\DrvInst.exe (PID 3924, level 2)
      Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{616a9b3d-6862-1045-9316-16edd4b1ea03}\usbser.inf" "9" "4d994a78b" "0000000000000160" "WinSta0\Default" "0000000000000170" "208" "C:\Users\Admin\AppData\Local\Temp\ISSetupPrerequisites"
      Signatures: Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\rundll32.exe (PID 3416, level 3)
        Command line: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{f79dd26e-ea86-3144-a8e8-d04d1aa09358} Global\{5cd69b88-39a5-cc4e-b19b-be59f5f66090} C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.inf C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.cat

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{616A9~1\usbser.cat
    Filesize: 4KB
    MD5: 74f5266295df09d62df4702d25f2b721
    SHA1: 4c9ea23d35c75367aba4e15fab51ee7c724fdf09
    SHA256: 750254c1f2ced29119a83b71e91e9acca0c6b9082839fafc4eb8cc82f840bd93
    SHA512: bd67d2eee5d516b0b48d1ba4bb908ae2e16d374e59915d598068329317126c4a4af1d1d652af00a596f93b6e406545c89d1b4923c388cc68eb62e30dde884947

  • C:\Users\Admin\AppData\Local\Temp\{616a9b3d-6862-1045-9316-16edd4b1ea03}\usbser.inf
    Filesize: 891B
    MD5: 67d6edf78385537e7ddbaafc25e651c6
    SHA1: 0a844f64786ea9f292efbb8ae7706feaba0eeccf
    SHA256: 8af2489e6c855907fa31344468fecfd432b73c84fe58ca657633423ba9af78a4
    SHA512: c074417af7cc1bad995b4f9fb501cf70efc4af111065d81ebba2117f08e9e5a427bf93678b165249f92ddb711ab09a3c0ef5d270006d340f37128d0f13b19d3c

  • C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6AF4.tmp
    Filesize: 4KB
    MD5: 74f5266295df09d62df4702d25f2b721
    SHA1: 4c9ea23d35c75367aba4e15fab51ee7c724fdf09
    SHA256: 750254c1f2ced29119a83b71e91e9acca0c6b9082839fafc4eb8cc82f840bd93
    SHA512: bd67d2eee5d516b0b48d1ba4bb908ae2e16d374e59915d598068329317126c4a4af1d1d652af00a596f93b6e406545c89d1b4923c388cc68eb62e30dde884947

  • C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\SET6B04.tmp
    Filesize: 891B
    MD5: 67d6edf78385537e7ddbaafc25e651c6
    SHA1: 0a844f64786ea9f292efbb8ae7706feaba0eeccf
    SHA256: 8af2489e6c855907fa31344468fecfd432b73c84fe58ca657633423ba9af78a4
    SHA512: c074417af7cc1bad995b4f9fb501cf70efc4af111065d81ebba2117f08e9e5a427bf93678b165249f92ddb711ab09a3c0ef5d270006d340f37128d0f13b19d3c

  • C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.cat
    Filesize: 4KB
    MD5: 74f5266295df09d62df4702d25f2b721
    SHA1: 4c9ea23d35c75367aba4e15fab51ee7c724fdf09
    SHA256: 750254c1f2ced29119a83b71e91e9acca0c6b9082839fafc4eb8cc82f840bd93
    SHA512: bd67d2eee5d516b0b48d1ba4bb908ae2e16d374e59915d598068329317126c4a4af1d1d652af00a596f93b6e406545c89d1b4923c388cc68eb62e30dde884947

  • C:\Windows\System32\DriverStore\Temp\{926b30ec-31ef-9c46-95d8-a2a64d5026b3}\usbser.inf
    Filesize: 891B
    MD5: 67d6edf78385537e7ddbaafc25e651c6
    SHA1: 0a844f64786ea9f292efbb8ae7706feaba0eeccf
    SHA256: 8af2489e6c855907fa31344468fecfd432b73c84fe58ca657633423ba9af78a4
    SHA512: c074417af7cc1bad995b4f9fb501cf70efc4af111065d81ebba2117f08e9e5a427bf93678b165249f92ddb711ab09a3c0ef5d270006d340f37128d0f13b19d3c