6ad4cc84eae2dd853e7043e260a7f2e6e50f217a4c79e7caa010152f78552864

Analysis

max time kernel
156s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f70eb3880f4a85d4bcaa0c88e42888d6.exe
Size

3.4MB
MD5

f70eb3880f4a85d4bcaa0c88e42888d6
SHA1

049b0c6436718603e60a9faa1cd2d74087448dde
SHA256

6ad4cc84eae2dd853e7043e260a7f2e6e50f217a4c79e7caa010152f78552864
SHA512

b402309f30f843cd7f1c4841d56ec747c1e600983f57da18547e66a0d91f6bd40074b6837618fb71841ea244304fd875371f051122d46176d4ffa68b27e42feb
SSDEEP

98304:NEb9Vmsnb34B7SBayHN8rX/cBHjPh3msIGS4:qBbO7SBayH+TiPhWs7S4

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	ventrilo-3.0.1-windows-i386.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	prog2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	hkuhsfom.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	f70eb3880f4a85d4bcaa0c88e42888d6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	ventrilo-3.0.1-widnows-i386.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe	hkuhsfom.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe:Zone.Identifier	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe	hkuhsfom.exe

Executes dropped EXE 5 IoCs

pid	Process
2924	ventrilo-3.0.1-widnows-i386.exe
3580	ventrilo-3.0.1-windows-i386.exe
2616	prog2.exe
3516	hkuhsfom.exe
2780	texe32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_1.MSI	ventrilo-3.0.1-windows-i386.exe
File opened for modification	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_1.MSI	ventrilo-3.0.1-windows-i386.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe
2780	texe32.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1908	msiexec.exe
Token: SeSecurityPrivilege	1740	msiexec.exe
Token: SeCreateTokenPrivilege	1908	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1908	msiexec.exe
Token: SeLockMemoryPrivilege	1908	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1908	msiexec.exe
Token: SeMachineAccountPrivilege	1908	msiexec.exe
Token: SeTcbPrivilege	1908	msiexec.exe
Token: SeSecurityPrivilege	1908	msiexec.exe
Token: SeTakeOwnershipPrivilege	1908	msiexec.exe
Token: SeLoadDriverPrivilege	1908	msiexec.exe
Token: SeSystemProfilePrivilege	1908	msiexec.exe
Token: SeSystemtimePrivilege	1908	msiexec.exe
Token: SeProfSingleProcessPrivilege	1908	msiexec.exe
Token: SeIncBasePriorityPrivilege	1908	msiexec.exe
Token: SeCreatePagefilePrivilege	1908	msiexec.exe
Token: SeCreatePermanentPrivilege	1908	msiexec.exe
Token: SeBackupPrivilege	1908	msiexec.exe
Token: SeRestorePrivilege	1908	msiexec.exe
Token: SeShutdownPrivilege	1908	msiexec.exe
Token: SeDebugPrivilege	1908	msiexec.exe
Token: SeAuditPrivilege	1908	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1908	msiexec.exe
Token: SeChangeNotifyPrivilege	1908	msiexec.exe
Token: SeRemoteShutdownPrivilege	1908	msiexec.exe
Token: SeUndockPrivilege	1908	msiexec.exe
Token: SeSyncAgentPrivilege	1908	msiexec.exe
Token: SeEnableDelegationPrivilege	1908	msiexec.exe
Token: SeManageVolumePrivilege	1908	msiexec.exe
Token: SeImpersonatePrivilege	1908	msiexec.exe
Token: SeCreateGlobalPrivilege	1908	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1908	msiexec.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2924	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	91
PID 2596 wrote to memory of 2924	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	91
PID 2596 wrote to memory of 2924	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	91
PID 2596 wrote to memory of 3580	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	92
PID 2596 wrote to memory of 3580	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	92
PID 2596 wrote to memory of 3580	2596	f70eb3880f4a85d4bcaa0c88e42888d6.exe	92
PID 3580 wrote to memory of 1908	3580	ventrilo-3.0.1-windows-i386.exe	94
PID 3580 wrote to memory of 1908	3580	ventrilo-3.0.1-windows-i386.exe	94
PID 3580 wrote to memory of 1908	3580	ventrilo-3.0.1-windows-i386.exe	94
PID 2924 wrote to memory of 2616	2924	ventrilo-3.0.1-widnows-i386.exe	95
PID 2924 wrote to memory of 2616	2924	ventrilo-3.0.1-widnows-i386.exe	95
PID 2924 wrote to memory of 2616	2924	ventrilo-3.0.1-widnows-i386.exe	95
PID 2616 wrote to memory of 3516	2616	prog2.exe	96
PID 2616 wrote to memory of 3516	2616	prog2.exe	96
PID 2616 wrote to memory of 3516	2616	prog2.exe	96
PID 3516 wrote to memory of 2452	3516	hkuhsfom.exe	98
PID 3516 wrote to memory of 2452	3516	hkuhsfom.exe	98
PID 3516 wrote to memory of 2452	3516	hkuhsfom.exe	98
PID 3516 wrote to memory of 2780	3516	hkuhsfom.exe	100
PID 3516 wrote to memory of 2780	3516	hkuhsfom.exe	100
PID 3516 wrote to memory of 2780	3516	hkuhsfom.exe	100

C:\Users\Admin\AppData\Local\Temp\f70eb3880f4a85d4bcaa0c88e42888d6.exe
"C:\Users\Admin\AppData\Local\Temp\f70eb3880f4a85d4bcaa0c88e42888d6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-widnows-i386.exe
  "C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-widnows-i386.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\prog2.exe
    "C:\Users\Admin\AppData\Local\Temp\prog2.exe" -pwr
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Users\Admin\AppData\Local\Temp\hkuhsfom.exe
      "C:\Users\Admin\AppData\Local\Temp\hkuhsfom.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C echo>"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe:Zone.Identifier"
        5⤵
        Drops startup file
        
        PID:2452
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
- C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe
  "C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_1.MSI" WISE_SETUP_EXE_PATH="C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1908

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_1.MSI

Filesize
453KB

MD5
9eae1495030a22e1cb3ea30d935827a8

SHA1
2eab19bcd98dde6077ffdf93ff6b72494e447201

SHA256
6a8001085d2be6dad2b62b3f8941d904063fea38571f66c6a37db83267bb5076

SHA512
02b853930540285fd7938a96d6201c4532c10545077da3fd10b9b3b5511141780d365a11a855750e39ea11a1b49465070c0e1ffdc840ced1ebafff16f7cb5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkuhsfom.exe

Filesize
393KB

MD5
955fb49d116ae8c6beb488947bcadc01

SHA1
87ded5b3a966146a3e5e0c32259ac5cb8283f8d4

SHA256
84b38954f3cc70cdfdc9a76e2546e5ee9a7b85ace86e2218b19cadd108aadbcf

SHA512
11bd2ac28baa4e7c6e1487e01792ae5bc4085d0c1adb6da1555b1cc7c6472572e61517fe7ed6679f6a01655e4497bfe789c095dd6e45429fcfc88fbc0d254e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkuhsfom.exe

Filesize
94KB

MD5
dd0f54342e382e7fdccc83208faf39d8

SHA1
63a7cb7876863be43ebe0ac2cc30bc6bedb165c4

SHA256
2cde3850f6cf177ab6b8a60ecae9eef5008dd41c546f3f1db21f7e3133785315

SHA512
2b5242b3ccb1be5df34e7fbe214184b419eb7d4300136c46c506190595731cefbdefa9885e6fbe5595f36d99fee1b573117789f6b5b42c955b34f75d5bed2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hkuhsfom.exe

Filesize
475KB

MD5
01ec6717bc0a58630f43c876ebdde3fb

SHA1
beb1eb8c3d4f40b5c7f6a1209fd9c65b89f25962

SHA256
9a60c83f9f8ed95407db3438c32e4b48dd0c5b3b0eaef73915f2d6d033328b7c

SHA512
2ad20a5c053ffb10e43affe435a167f106d612c845daa866194c50a1b2f1e05d4cb949d63408141b8e5df38d9cf133d5beb4a4462419b84a6d2fba3cc5dd0448

Download Submit
C:\Users\Admin\AppData\Local\Temp\prog2.exe

Filesize
381KB

MD5
fdd34267749d3b9a91897f361a7f5eb6

SHA1
17e2d2114361a83760415c4dce89bae9e5807ad5

SHA256
9dba1d5131a1ed8cf0dd9b7c390eab98599bd46b92c1f68d3ee2092cbbcc5d7d

SHA512
c9f70ffbf1fafe321c27bc9c12acc99744898994b09d7c0a88be38cac17bc8e357b49411af488dc145432b05b3879da365e59724236c6de3feed99ffadc6cd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\prog2.exe

Filesize
901KB

MD5
b052a36e1701a7a58abf9d973c1d6917

SHA1
1e1e4fb8494b965913629888c31409f17a988a36

SHA256
f1106b60f74a51959568378100402f06ef26de4678994a7d23aa14d9dbe520df

SHA512
266fa6cd419422d849bfed7d52626733d099d4f37f982c1ccece37958ba22749aec04e631dff743aa5502fc8a6e584a3e7b5072d654d548ce773d8e659b8123d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-widnows-i386.exe

Filesize
1.1MB

MD5
29d0baec598b0e720e86381149396882

SHA1
723d17b9a607292f2b83559d1f11a81d4f4b6781

SHA256
9ecef74353031b56c40f1fde752d7a5bc3d12373648e8c63448e09a0ec8273a4

SHA512
0527252659e674368c9b3636bdfa0c908323001e2ba211a272d449d131ab4d3e1947bfe42385b74c34dc053c7acaa4ce73951967e9ae0a182f7afed44aac0a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe

Filesize
1.5MB

MD5
3b276ea0ba5c312cc6c797e1b5d2a8a9

SHA1
aa683a6a5bc79e0c1958334319bcfcabea240c0f

SHA256
5d87ba2185c2e90016e9a965b3afa089ff748c2c1c65b397b57ee6a033dec151

SHA512
5e3d25fed7ab3635a9a5cd21724e5d02993c08c1b039b271cc8ec6f241ea981e40539e6708c8ded69bc3f25095f1349cc57c5e09b28f677f5f83916ab7eaa503

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe

Filesize
893KB

MD5
18092fb3237cd0a5bd13359e05a16bf9

SHA1
82e413a5806f68963175bbf0e1aca7412d52a2e5

SHA256
981950043eaf60e1cf537c1d8754aac4e96143bee8cf9327602d59ab16b3f2f5

SHA512
6fc490f73274acb8dd1b2efaa7e9f6982bf1a3953a80f231bb80807ce9c7a4a8e0498d4f5ef8cd36795c0cd2cfcb6e32426c33de4bf2f8d3d61e2f113a1775fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ventrilo-3.0.1-windows-i386.exe

Filesize
1.1MB

MD5
502f507638a216e00d8a50011320a0b6

SHA1
9d7bbb3c8e276c00da26f750cb0e338586111434

SHA256
e605dcf1bd24958598ef9c120b006f5150bdb1607aad618b0a1f84a40e0f041f

SHA512
5382b308708600d29fda1a5707c1d6f44021372cbc333e1e7db8381d8212ba81ab96dd928be636cc8c942a5bf6709cee9a585bf064ce74fcff22edac39e7fdf3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe

Filesize
127KB

MD5
80c5d8487d6ecb43fb2a464c350f1676

SHA1
b506622b7ddf3c3ddcd26348bf840ac103844fc2

SHA256
52470731413a9ee5c6d68be252e55f1ae5e7a6b2fdbed36b1e78fdd18110ccad

SHA512
46b2a748cb58c3060bd97401dcd62a10c0b55f3406c83083a855f3da3f9b0c556bd5e20e4d5e3f7af0c0cd1e43df996aa59346b143e62c08ec334607b331622a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\texe32.exe

Filesize
39KB

MD5
55e21c23f07bd1217ebb42d7ef99c94e

SHA1
8ea40366827ad6996152def8f412637b0d656d21

SHA256
57b6dbe1d6726c347dc333bce9e4f6d7e85d62a50b8880c6227ecd74c019c687

SHA512
60760bd610e7d1a676008234331fccc0cce65e93038b1270a1ab3205fd0b0dc677edfd52b3073156392a59042d75f09e7cbafc52c1d4ac3006bab6b519c5852f

Download Submit
memory/2780-51-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/2780-52-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2780-54-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2780-55-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/2780-62-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3516-50-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/3516-44-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download