4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Analysis

max time kernel
594s
max time network
434s
platform
windows10-2004_x64
resource
win10v2004-20230915-ja
resource tags

arch:x64arch:x86image:win10v2004-20230915-jalocale:ja-jpos:windows10-2004-x64systemwindows
submitted
19-10-2023 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBDeview 2.73/USBDeview.exe
Size

69KB
MD5

d51df163ba66f6a6f73a5c397b77e15e
SHA1

651cec3a0844fd4b3b33aaec635e377b6adf0832
SHA256

a24f1bf5738049f87ecefdb0ea9c8cd34ad9fa9400a6ba4bd08543f38f71b01e
SHA512

cb198fcad6ebddd2feae99bfe977223e9ef39f5b0fd3a92c769c7609b50c9895e491539366c343d3a413c673c09bdbe52bdc0c40aaaeb561d073dcc73b8df12d
SSDEEP

1536:73YQKaOINUJ37gltDDoWFFBCQvZl9g33iBMm1z5nkGUbiK:7HKaPU6jllgHZmvkhd

Score

9^/10

upx

Malware Config

Signatures

Nirsoft 1 IoCs

resource	yara_rule
behavioral18/memory/1292-1-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/1292-0-0x0000000000400000-0x0000000000425000-memory.dmp	upx
behavioral18/memory/1292-1-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	USBDeview.exe
File opened (read-only)	\??\F:	USBDeview.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	USBDeview.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	USBDeview.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	USBDeview.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1292	USBDeview.exe
Token: SeUndockPrivilege	1292	USBDeview.exe
Token: SeRestorePrivilege	1292	USBDeview.exe

C:\Users\Admin\AppData\Local\Temp\USBDeview 2.73\USBDeview.exe
"C:\Users\Admin\AppData\Local\Temp\USBDeview 2.73\USBDeview.exe"
1⤵
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1292-1-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads