Overview

overview

7

Static

static

1

BackUpDongle.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    86s
  • max time network
    91s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-08-2023 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BackUpDongle.exe

  • Size

    2.4MB

  • MD5

    1f00ebec1f321ab83b3816338b4afbc6

  • SHA1

    03ca0085bcf19aa6cbb9703aae58301864d093ea

  • SHA256

    97a602f1a2b1c4c0ad3fc9cf7ed620c374ee23663aa419ec76349607538865c8

  • SHA512

    0a7aa88cfe5bb97975fc806a1b79305ad883389a66c528425313cf6e1021a8da24ad7cc0067acdc38f24d38abe8a984c5c5d873524f3f793cd5740bc74b2dac8

  • SSDEEP

    24576:Q4nXubIQGyxbPV0db26SoBk7YvOf66CXBiNnajc7DOfyeJLRh7zsDBSnk25cbPy/:Qqe3f69Gf63sao7DkLRVz2w5qjnpxsb

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Drops file in System32 directory 10 IoCs
  • Drops file in Windows directory 4 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BackUpDongle.exe
    "C:\Users\Admin\AppData\Local\Temp\BackUpDongle.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\is-PH66Q.tmp\BackUpDongle.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PH66Q.tmp\BackUpDongle.tmp" /SL5="$701EA,1620061,1337344,C:\Users\Admin\AppData\Local\Temp\BackUpDongle.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
        "C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe" remove root\multikey
        3⤵
        • Executes dropped EXE
        PID:840
      • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
        "C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe" disable root\Mkbus
        3⤵
        • Executes dropped EXE
        PID:3180
      • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
        "C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe" disable root\Mkbuz
        3⤵
        • Executes dropped EXE
        PID:4516
      • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
        "C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe" remove root\Mkbus
        3⤵
        • Executes dropped EXE
        PID:1232
      • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
        "C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe" install Mkbus.inf root\Mkbus
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:3456
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{932c79bf-7892-ef4a-9d33-d47e1c4fe55e}\mkbus.inf" "9" "4200a6b1b" "0000000000000158" "WinSta0\Default" "0000000000000100" "208" "c:\users\admin\appdata\local\temp\is-mp7bj.tmp"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2204
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "3" "1" "ROOT\SYSTEM\0001" "" "" "4200a6b1b" "0000000000000158"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:2232

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\Mkbus.inf
    Filesize

    1KB

    MD5

    24fa055a86ceea072292ebfb70855806

    SHA1

    ef00cf44dcb3878031bc61c950140fd57d333e45

    SHA256

    f34fec14b7798861296322d72d147ce9081e0e37bd8cead7797c98d123544804

    SHA512

    02d8e284bdc01d96c7dc899d1652535a38d323b88207bd0b24ba87adec5373bb9b0a9d994a2bf60fd8c7a593d99cd305ce9e3ff85d44a9bfd65fb7fdc71ed8a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MP7BJ.tmp\devcon.exe
    Filesize

    81KB

    MD5

    816c4e245b286b4e4903131f75a94948

    SHA1

    eda70c1fc8a461efb0e376d42e35a72b96175e4d

    SHA256

    aca1bda08690dcca930254f96f9185c776671a85a58ffa1b59cf16017546f218

    SHA512

    d0dc74956c57403c0638e6595aaf1c2eb75233997a15170b064261a5d3f1f525a3e35e13fef04c36cc20fd1d5d1cf000a5fb7a646bf2cf1cea73817e5d3335b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-PH66Q.tmp\BackUpDongle.tmp
    Filesize

    3.4MB

    MD5

    e024835477eb922c12d453fd28d943a3

    SHA1

    ae50777e1fb17616063ef60d7f88ab8ba834f516

    SHA256

    5aea88f4df80da0c97bc8d5d08fba59b4c862359b65875a6508545ac32b88a9e

    SHA512

    5512231052d87191d59e998da54eca2be0458aa004b55628da81adcc39fbc46eb01e608cfe1022b6d62b2fa38a91c750975e2ffbc59dbd41ab6bf3bbde79f704

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932C7~1\Mkbus.cat
    Filesize

    2KB

    MD5

    8aa6a0572cc918591ecbdf71aaaa749a

    SHA1

    e9faff5dd36bb14957b86ed8bf4162b2f2c01425

    SHA256

    227a95aa5fb730a37206249a195f04e973c45bea3bcdac2e016b892c129cb7d9

    SHA512

    6e3d26190fb311705816d23e62f9ba10d8ada98a55e7ddcaa6e66412c6ca229d12c636e588081b2eb8cbe1763616421290dd4897c4ea9d389841c243c94c2df9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932C7~1\Mkbuz.sys
    Filesize

    50KB

    MD5

    cedf5ecdec3cf71408a7084b1631dd9a

    SHA1

    f1eb4641bb4ef0530862ba98f2c99251cbb821e7

    SHA256

    645bd9acbe06c8f4862934e8107a92af33e097b3ee40a6c55420781f8cc4c13a

    SHA512

    70101e83fe6ccce8861ad9d3624ec9979623a46ae5de7be2888257a49ff3a68359f47809d6e409023ff7e2a0f9ab30275a03cc91a40473d5089e05c39c5aa0b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932c79bf-7892-ef4a-9d33-d47e1c4fe55e}\Mkbus.cat
    Filesize

    2KB

    MD5

    8aa6a0572cc918591ecbdf71aaaa749a

    SHA1

    e9faff5dd36bb14957b86ed8bf4162b2f2c01425

    SHA256

    227a95aa5fb730a37206249a195f04e973c45bea3bcdac2e016b892c129cb7d9

    SHA512

    6e3d26190fb311705816d23e62f9ba10d8ada98a55e7ddcaa6e66412c6ca229d12c636e588081b2eb8cbe1763616421290dd4897c4ea9d389841c243c94c2df9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932c79bf-7892-ef4a-9d33-d47e1c4fe55e}\Mkbuz.sys
    Filesize

    50KB

    MD5

    cedf5ecdec3cf71408a7084b1631dd9a

    SHA1

    f1eb4641bb4ef0530862ba98f2c99251cbb821e7

    SHA256

    645bd9acbe06c8f4862934e8107a92af33e097b3ee40a6c55420781f8cc4c13a

    SHA512

    70101e83fe6ccce8861ad9d3624ec9979623a46ae5de7be2888257a49ff3a68359f47809d6e409023ff7e2a0f9ab30275a03cc91a40473d5089e05c39c5aa0b5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932c79bf-7892-ef4a-9d33-d47e1c4fe55e}\mkbus.inf
    Filesize

    1KB

    MD5

    24fa055a86ceea072292ebfb70855806

    SHA1

    ef00cf44dcb3878031bc61c950140fd57d333e45

    SHA256

    f34fec14b7798861296322d72d147ce9081e0e37bd8cead7797c98d123544804

    SHA512

    02d8e284bdc01d96c7dc899d1652535a38d323b88207bd0b24ba87adec5373bb9b0a9d994a2bf60fd8c7a593d99cd305ce9e3ff85d44a9bfd65fb7fdc71ed8a9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{932c79bf-7892-ef4a-9d33-d47e1c4fe55e}\mkbus.inf
    Filesize

    1KB

    MD5

    24fa055a86ceea072292ebfb70855806

    SHA1

    ef00cf44dcb3878031bc61c950140fd57d333e45

    SHA256

    f34fec14b7798861296322d72d147ce9081e0e37bd8cead7797c98d123544804

    SHA512

    02d8e284bdc01d96c7dc899d1652535a38d323b88207bd0b24ba87adec5373bb9b0a9d994a2bf60fd8c7a593d99cd305ce9e3ff85d44a9bfd65fb7fdc71ed8a9

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\is-mp7bj.tmp\Mkbus.cat
    Filesize

    2KB

    MD5

    8aa6a0572cc918591ecbdf71aaaa749a

    SHA1

    e9faff5dd36bb14957b86ed8bf4162b2f2c01425

    SHA256

    227a95aa5fb730a37206249a195f04e973c45bea3bcdac2e016b892c129cb7d9

    SHA512

    6e3d26190fb311705816d23e62f9ba10d8ada98a55e7ddcaa6e66412c6ca229d12c636e588081b2eb8cbe1763616421290dd4897c4ea9d389841c243c94c2df9

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\is-mp7bj.tmp\Mkbuz.sys
    Filesize

    50KB

    MD5

    cedf5ecdec3cf71408a7084b1631dd9a

    SHA1

    f1eb4641bb4ef0530862ba98f2c99251cbb821e7

    SHA256

    645bd9acbe06c8f4862934e8107a92af33e097b3ee40a6c55420781f8cc4c13a

    SHA512

    70101e83fe6ccce8861ad9d3624ec9979623a46ae5de7be2888257a49ff3a68359f47809d6e409023ff7e2a0f9ab30275a03cc91a40473d5089e05c39c5aa0b5

    Download Submit

  • memory/2032-101-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2032-7-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2032-0-0x0000000000400000-0x0000000000554000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3600-5-0x0000000000990000-0x0000000000991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3600-9-0x0000000000990000-0x0000000000991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3600-73-0x0000000000400000-0x000000000077E000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3600-99-0x0000000000400000-0x000000000077E000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/3600-8-0x0000000000400000-0x000000000077E000-memory.dmp

    Filesize

    3.5MB

    Download