4164e338de27efb3e64d641daa84975a9fc10119b6e0d75d8b448bd29916cc42

Analysis

max time kernel
300s
max time network
264s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fillup.exe
Size

5.4MB
MD5

3645ddb74e1b29f3c9ece24aaf27499d
SHA1

39b7fb2479c4afe86f6b6c05001ae944503d7461
SHA256

4164e338de27efb3e64d641daa84975a9fc10119b6e0d75d8b448bd29916cc42
SHA512

8e8f3f2a319bf02fb3a157e82bed73483fe163bcc12d971bfcd2e20b5e4b74b5708e6e3195645694b9d332831820b98e01ca920e3417512a5664428ac09a1ec4
SSDEEP

98304:91KI9pzoLLJ3TbwaVvrZE0I8ayoFQK15W8ASLmbNYJERw1jrTHPxCQktD1FZm:9sI99onJ5hrZEjyiU8AdZYJERurTpCnq

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1680	fillup.exe
1680	fillup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3608	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	taskmgr.exe
Token: SeSystemProfilePrivilege	3608	taskmgr.exe
Token: SeCreateGlobalPrivilege	3608	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe
3608	taskmgr.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1680	1348	fillup.exe	84
PID 1348 wrote to memory of 1680	1348	fillup.exe	84

C:\Users\Admin\AppData\Local\Temp\fillup.exe
"C:\Users\Admin\AppData\Local\Temp\fillup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\fillup.exe
  "C:\Users\Admin\AppData\Local\Temp\fillup.exe"
  2⤵
  - Loads dropped DLL
  PID:1680

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI13482\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13482\VCRUNTIME140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13482\base_library.zip

Filesize
1006KB

MD5
79f9ff3b6adf6a5c852c849065ef6f3f

SHA1
fb3c2f71b4d3617509204a82045f0594359d1ce8

SHA256
c239272a262860d8aaea1e6347a9352bd5731734ce84f322f5995c9babc1f820

SHA512
6df4c85a7c05d14a0918f13262ee1772347f7862e41cf0c201c604debe639e5229c14331892f7fe01172aaab14c77ea032c084ddafa63218265b1ab1c3438a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13482\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13482\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\thing4

Filesize
10KB

MD5
7c639f98d9124b6839bf3e3c4208c7fc

SHA1
4ac9b91ebb4df312794750bf31a6d2c9e153fbea

SHA256
2dae340d82eec26152f4cf1b9148b3a246a4cc9d63d1b98268e8de18d2bacf3d

SHA512
f5bf160b33dcc029e8a1517f0465813809e2f4e61db42497726b0a5d88f46cd7699c55d7dd1ae877a1873855a57bddcf1603ffee94a1b201428794a9db2e09c3

Download Submit
memory/3608-9895-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-9936-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-9886-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10014-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10099-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10160-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10041-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10164-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10197-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download
memory/3608-10258-0x000001FD4E1D0000-0x000001FD4E1D1000-memory.dmp

Filesize
4KB

Download