Overview

overview

8

Static

static

7

Android Fa....7.msi

windows7-x64

7

Android Fa....7.msi

windows10-2004-x64

7

Android Fa...up.msi

windows7-x64

8

Android Fa...up.msi

windows10-2004-x64

7

Android Fa....3.exe

windows7-x64

7

Android Fa....3.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    127s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    19-01-2024 15:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Android Fastboot & mini ADB Drivers/adb-setup-1.4.3.exe

  • Size

    9.2MB

  • MD5

    8c9085d4f753a2aab26082fd2eb46a8e

  • SHA1

    eae637085255a1c7d903a880374b20d108a3c38b

  • SHA256

    ca297f88ae58cc436028e07482e04e429e6bc81eab291cba814aa196d2c4f419

  • SHA512

    4163b79dda651eaef83408ceac6b6d4cfadb940be816c5261f0decd203324899d40779203eee8734d8616eb14cd5bf3a13bf649977856ac823f3b7723c7629e4

  • SSDEEP

    196608:cwYvfXDBYhBpeLHe3+EPegZT3VCz0TByC+Py7FU+LCZAsdX3LBO9:3ibBYDey3PFCuByPyhRwxBBI

Score
7/10
discoveryupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Android Fastboot & mini ADB Drivers\adb-setup-1.4.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Android Fastboot & mini ADB Drivers\adb-setup-1.4.3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\Android Fastboot & mini ADB Drivers\adb-setup-1.4.3.exe
      "C:\Users\Admin\AppData\Local\Temp\Android Fastboot & mini ADB Drivers\adb-setup-1.4.3.exe" -sfxwaitall:0 "install.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2740
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\xcopy.exe
          XCOPY adb\adb.exe C:\adb\ /y /q
          4⤵
          • Enumerates system info in registry
          PID:2148
        • C:\Windows\SysWOW64\xcopy.exe
          XCOPY adb\AdbWinUsbApi.dll C:\adb\ /y /q
          4⤵
          • Enumerates system info in registry
          PID:2292
        • C:\Windows\SysWOW64\xcopy.exe
          XCOPY adb\AdbWinApi.dll C:\adb\ /y /q
          4⤵
          • Enumerates system info in registry
          PID:2456
        • C:\Windows\SysWOW64\find.exe
          FIND "C:\adb" PATH.TMP
          4⤵
            PID:708
          • C:\Windows\SysWOW64\setx.exe
            SETX PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\adb" /m
            4⤵
              PID:2216
            • C:\Windows\SysWOW64\find.exe
              FIND "5.1"
              4⤵
                PID:812
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" VER "
                4⤵
                  PID:1680
                • C:\Windows\SysWOW64\xcopy.exe
                  XCOPY adb\fastboot.exe C:\adb\ /y /q
                  4⤵
                  • Enumerates system info in registry
                  PID:2484
                • C:\Windows\SysWOW64\PING.EXE
                  PING localhost -n 1
                  4⤵
                  • Runs ping.exe
                  PID:2444
                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
                  driver\DPInst_x64 /f
                  4⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2220
                • C:\Windows\SysWOW64\PING.EXE
                  PING localhost -n 2
                  4⤵
                  • Runs ping.exe
                  PID:2756
          • C:\Windows\system32\rundll32.exe
            rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3c441f10-7c54-166e-76e4-cc351ed1c372} Global\{3f95a5ca-6090-7cbb-eb6e-766095214d25} C:\Windows\System32\DriverStore\Temp\{6159ea91-29fd-1bad-f109-1e6f668f5e2c}\android_winusb.inf C:\Windows\System32\DriverStore\Temp\{6159ea91-29fd-1bad-f109-1e6f668f5e2c}\androidwinusba64.cat
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1876
          • C:\Windows\system32\DrvInst.exe
            DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{5f46a85d-075a-2929-bf65-907c48c45809}\android_winusb.inf" "9" "683c9e8f3" "0000000000000060" "WinSta0\Default" "00000000000003A8" "208" "c:\users\admin\appdata\local\temp\7zipsfx.000\driver"
            1⤵
            • Drops file in System32 directory
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1892
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1996
          • C:\Windows\system32\DrvInst.exe
            DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B4" "00000000000005B0"
            1⤵
            • Drops file in Windows directory
            • Modifies data under HKEY_USERS
            • Suspicious use of AdjustPrivilegeToken
            PID:2068

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\PATH.TMP
            Filesize

            102B

            MD5

            1b0dba10ccd1379d3be40c0554a79ab5

            SHA1

            6a20f456d4a6f450c000c717a8ab94725515dd08

            SHA256

            7c08da48c79651fc0ab4cadb07d922353a655aae137e130ccd901c8c8da19657

            SHA512

            4c7d5d95b4ee64d51f439c77efcade8a29328976f457f080663ecc4166639d997d48a0d332d4711adb35b45d9af68caa01e6c6fd090bbeb54baf63e245525328

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\adb\adb.exe
            Filesize

            922KB

            MD5

            775416971e2a69064b8acd575d3dff4d

            SHA1

            ea44d51285330e198d79baebe224c884ccbb2442

            SHA256

            1a7919487ff69796754219239d5d5b5472d019af988757b5c4092253e7a78f2b

            SHA512

            9d4c95970f057aad33591f4c797df375c34a20d44d5b6dff1fe2b76ea16a3d2d259b42931d9e6af3936f40318a213b45dca89034dc1042b090351efc930129db

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
            Filesize

            506KB

            MD5

            58bbdf03ec4da6b838c7e98c590af92a

            SHA1

            482057c8677a715691bdc7779cc7b2d0b990fd30

            SHA256

            915cd5e195a8ceadf9a4cc350cb949c16b8fbd6e2e9f55d0915cc035a14caa40

            SHA512

            cb0d998d5ddf7fe3aff92bb975864380e6011ecdf82a34b9a420d3881736ada7fa58e7539155fe598b568321e859281ea2fe1118aea50ca74f0d8bdf73b588c2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
            Filesize

            374KB

            MD5

            4c01c9ed3806b14a6294d053a789333f

            SHA1

            91a2983c6bcf1bb6c75ebf0c6d5d52e0ce04efa7

            SHA256

            507dfb0fc49c4539bd24ed8d9f0b177e8205c0bd46208cf8af21047be3939f41

            SHA512

            ebe07bed61ecdd6fef83ba147a969ca8315f1c3418daad180d1299e63563b02a1b22d8ee8fad02388b9e8fd7b5086b75fbb0cb612ae2e59742f4c7862528c1ef

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\amd64\NOTICE.txt
            Filesize

            236B

            MD5

            ea7f2158b930baf2c0fe799566489716

            SHA1

            f103d72fd8ee8240aab21f526ed0e4c8ee3a1525

            SHA256

            a19b767b9ddda7306c78232e4a223d0ba966471b74dce3c0c995307cab5bf7b7

            SHA512

            20351c59a906dff9622625f12e3bbe0b2260999913d4b2f18ec43e66656f1a9251e2462f269c7919f59c89a9b4569d505a095b50d8cfccfe0d37c0abf9ff79cb

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\install.bat
            Filesize

            5KB

            MD5

            6f6edb4834bd4afe36503a447bffeccf

            SHA1

            3bedc0fb247bb98203a25115780b4a0958778e24

            SHA256

            151a3ea2b30720d1462109ca4563e42ec6a6709c502941aa533476858a6f3657

            SHA512

            c72dfdecf92d332c5bb4a03c656f4cb304e377a92edfa16d884355f3211f654121035c0f76380140df3147b458017c421b929a4d26a11f6fbc5545033a36fec0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{5F46A~1\amd64\WdfCoInstaller01009.dll
            Filesize

            956KB

            MD5

            880a35354dcb85f6b4825af4add1fd92

            SHA1

            bf4093f67625844527fecd3863f9e58154608b57

            SHA256

            83e6e0b60e2e1f8c5b4f709a86d465d5fdcdafcfc824f2424bd1c799c38547f9

            SHA512

            938f61019be86c0d531addcd46d92d9a95a181147f82b2a474e2548d9c1ac03a3d269b1cbf637e0bafaffa962332873382aed13dca135ee8a5109687cd979e40

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{5F46A~1\amd64\WinUSBCoInstaller2.dll
            Filesize

            966KB

            MD5

            fe4d80c0950528106a962b2e3cab6b65

            SHA1

            81a0bd5913de99eabcd8b6ca217d2a588578cd0e

            SHA256

            998e650df0d1791969c2afa9346bdd0a849e2163002f8cc8609ea233cf401c53

            SHA512

            cf0fcc4ec32fa68c091e63b72ae96ba5779ed643e6b573ec901fb3dcaf4e153d7a027b8269aacc2e91873bec7917cd26b607c8a8041d6613edca035dcdbfabab

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{5f46a85d-075a-2929-bf65-907c48c45809}\amd64\WdfCoInstaller01009.dll
            Filesize

            1017KB

            MD5

            f817325d0cf3dfdbfb1bc169db61a8c6

            SHA1

            e063e83fa9015addf3f1d59b6dfc35535209e132

            SHA256

            8d65777a81a8958f74a730976d8b7929f9444b7f56e5b3666f5d94b7aa7fb90a

            SHA512

            004cf76974f332bde2f27c4f6eb9ed5911ccc08e21643efde68d587c6e9e212ce58679346f99b43c376c0501ba6200c3786303aab6f64a84d6cfa226279da1a4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{5f46a85d-075a-2929-bf65-907c48c45809}\amd64\WinUSBCoInstaller2.dll
            Filesize

            43KB

            MD5

            bcc93ac8fb54521e5324bd5f397d90e6

            SHA1

            49fa22fed6bdd4bd9a3e50503f8fcddbc387ed19

            SHA256

            f13e7416ef9f36d623867f098f975aa76d1c9a19f08bb058108730034c2ccbee

            SHA512

            57701e06f825ff247c119f0498b0143be2923e0643c87e1e1c1b164e7d0cac41ac2bdcf6393f7622e35c8b7a9207a97d01d04c3acabc220c033247a3e0ee0ad0

            Download Submit

          • C:\Windows\System32\DriverStore\FileRepository\android_winusb.inf_amd64_neutral_bd75d06c56998078\android_winusb.PNF
            Filesize

            12KB

            MD5

            f92bf5bec4e8a747759eed4cef98c65f

            SHA1

            18b51c0422ff9c69e411f7cb6474d221b6cde457

            SHA256

            f5c6ad0902bb801c8377f00b6f07c07e70e60c218ca4275e40c7bed332575977

            SHA512

            3de8a7aacf0f4e17f06383ad21cf859d4a7d6187674f6396f0b58948231891b7bab30a7bad783a07e77555371b716b249728e6873405b6f85bb60935f7691ec3

            Download Submit

          • C:\Windows\Temp\CabAF54.tmp
            Filesize

            29KB

            MD5

            d59a6b36c5a94916241a3ead50222b6f

            SHA1

            e274e9486d318c383bc4b9812844ba56f0cff3c6

            SHA256

            a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

            SHA512

            17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

            Download Submit

          • C:\Windows\Temp\TarAF67.tmp
            Filesize

            81KB

            MD5

            b13f51572f55a2d31ed9f266d581e9ea

            SHA1

            7eef3111b878e159e520f34410ad87adecf0ca92

            SHA256

            725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

            SHA512

            f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

            Download Submit

          • C:\adb\AdbWinApi.dll
            Filesize

            94KB

            MD5

            47a6ee3f186b2c2f5057028906bac0c6

            SHA1

            fde9c22a2cfcd5e566cec2e987d942b78a4eeae8

            SHA256

            14a51482aa003db79a400f4b15c158397fe6d57ee6606b3d633fa431a7bfdf4b

            SHA512

            6a2675de0c445c75f7d5664ebe8f0e2f69c3312c50156161e483927e40235140d5e28e340112ac552d6462366143890a8ce32dbf65bd37e27cb1ea290fe14584

            Download Submit

          • C:\adb\AdbWinUsbApi.dll
            Filesize

            59KB

            MD5

            5f23f2f936bdfac90bb0a4970ad365cf

            SHA1

            12e14244b1a5d04a261759547c3d930547f52fa3

            SHA256

            041c6859bb4fc78d3a903dd901298cd1ecfb75b6be0646b74954cd722280a407

            SHA512

            49a7769d5e6cb2fda9249039d90465f7a4e612805bba48b7036456a3bbd230e4d13da72e4ade5155ddc08fe460735ec8d6df3bb11b72ff28e1149221e2fc3048

            Download Submit

          • C:\adb\fastboot.exe
            Filesize

            311KB

            MD5

            2f5c7248dbe051bec8ddedcf4c80a76f

            SHA1

            18ae54853b306628c64c316da38d770792e1c98e

            SHA256

            b1248744139082c4fe73af7bb02ea22e8a797169b004ed0c45e56883ef04238e

            SHA512

            0a2fbfc91068fdb61d5d48962d7efd99b06674d45cd5365398e09f944c8e66e0a92fed34709426dcfe68352f558f0d2bbffb9adb8d6fcb217b7a69c8272d1ce0

            Download Submit

          • \??\c:\users\admin\appdata\local\temp\7zipsfx.000\driver\amd64\WdfCoInstaller01009.dll
            Filesize

            957KB

            MD5

            f5a9b27bfc31e03db3c4be84088f7bae

            SHA1

            6c2f1e7d3b988f151ef12951badf7900dfb73302

            SHA256

            022e8dbd977f216a6f07675954d6bc91e32e1c0197c913823a214909c54b5c5b

            SHA512

            48721425ef8d255b9e1dd22b2a5931e0b5235b0770037016ae088f50e825047e31ed999d94c8f952ae6957a3f1d642abac9586f53bea5a66136b3654d202d9bb

            Download Submit

          • \??\c:\users\admin\appdata\local\temp\7zipsfx.000\driver\amd64\WinUSBCoInstaller2.dll
            Filesize

            878KB

            MD5

            1f9b94c34a7c1b24348904be5aa877a8

            SHA1

            69e21455ee2393588b2a12184ea7d5d761c6838e

            SHA256

            fc27af6e30ed71658ba4337134bdc7f67ea1d2064dea6cf69efa3ad71e5d1f74

            SHA512

            9714a40edad4ed778ef5f4728c491d27bd5e7bab80d5d026973670b011ce505360a4814d5a6046c6bbfc336bb7f015e262ae8f0a067a75f2be1b91ceb647a8f6

            Download Submit

          • \??\c:\users\admin\appdata\local\temp\7zipsfx.000\driver\android_winusb.inf
            Filesize

            5KB

            MD5

            bea78a10d31b64e81d007b4ce0ecd0ee

            SHA1

            092555911492c6959d2596d612f52dca71881ca2

            SHA256

            7984d14af8ebce8255448aa728a5436916fccb36d1814516301f04a7dea2a666

            SHA512

            5594757ba691ece935e872ead3ad6ee9b5b5a2f01fdf5db5aa657fba52b0db6f62337adbf882b2220251a8c747a42990e01c786e4f76aa9e823bf4298b8f9a4c

            Download Submit

          • \??\c:\users\admin\appdata\local\temp\7zipsfx.000\driver\androidwinusba64.cat
            Filesize

            10KB

            MD5

            b83f9fa084f11007c7e6c668e6fa9e54

            SHA1

            ebfb8e016adc7506ed55b4a797f8696dd50f27b1

            SHA256

            8f3f15baeaf50ae7388562be0303f5ac7ee3cb255448a24e3d33e1f094e0680e

            SHA512

            74b3370ef418d418d76ae1fcdd495cb56102bc4c6e0727a6882e80211d2db07e55ee594e11f893e17d004d6b671ce34048ab7736efea9782e4582b4252f7e9c7

            Download Submit

          • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
            Filesize

            1016KB

            MD5

            4192a5b905374e423ec1e545599aa86e

            SHA1

            908c09de28bb3cc09601da5d4e1f44becc9df18f

            SHA256

            567f40a09f1d9e72396296ad194fa7cf48b72361d6e259d6b99da774c2cd8981

            SHA512

            33a3c8e6565fb88f5cc72cfaa553bb0ddb654a8721f356e542c0346468357d38913db03d5035bcf2c45254df1baf83cf3cded55c5d22d677379a4d648a65500a

            Download Submit

          • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
            Filesize

            491KB

            MD5

            e44f355eb87246c0e07abd59285cc8c7

            SHA1

            c666ecd0be6464802394c3e621cc08fd828c9adf

            SHA256

            22bca296f01ca22dab981b3a10f6c21a56218a0c3c2ea098b8c7350146545f68

            SHA512

            56b6642eecefe2627682d75db24d42b9bf9eafcd37609508c2a980f1fd2a66996c6040e8079b4636de3f0bf1e9531461e2e65636125ded84289f540773aba529

            Download Submit

          • \Users\Admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe
            Filesize

            368KB

            MD5

            b42706042b91b0a010768f40415c4620

            SHA1

            bc36e2b3bed330d4f7f1bc6aa1a0dfd111fb390d

            SHA256

            5b875dec863d7a794c2c76edf5b8f7c24548c16f43452258b2c13ad5312b577d

            SHA512

            39487cb99d9723b93d50a555da1a3e1f1a80df0239de2de15e3f0355dca84e3e800c88a9268b7371824085f630eb8fe16f3a0e46691d55c881fa5c738b89b3ab

            Download Submit

          • memory/1876-153-0x0000000001D90000-0x0000000001D91000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2364-0-0x0000000000400000-0x00000000004B9000-memory.dmp

            Filesize

            740KB

            Download

          • memory/2364-44-0x0000000002200000-0x00000000022B9000-memory.dmp

            Filesize

            740KB

            Download

          • memory/2364-40-0x0000000000400000-0x00000000004B9000-memory.dmp

            Filesize

            740KB

            Download

          • memory/2364-198-0x0000000000400000-0x00000000004B9000-memory.dmp

            Filesize

            740KB

            Download

          • memory/2740-41-0x0000000000400000-0x00000000004B9000-memory.dmp

            Filesize

            740KB

            Download

          • memory/2740-179-0x0000000000400000-0x00000000004B9000-memory.dmp

            Filesize

            740KB

            Download