Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-02-2024 04:55
Behavioral task: behavioral1
- Sample: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe
- Resource: win7-20231215-en
General
- Target: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe
- Size: 60KB
- MD5: b8d234fdeaea24be7a20b19a2f8c133e
- SHA1: 78c0da0d476cf855c4eeb9f08d3048f3342dc4e2
- SHA256: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410
- SHA512: f54648981fe26435c8683b09863e8cb3d30044dbc20ff8d8dddcf4cd06a43ddfd99f816ed4e06f35d9de6dcbf5575054c611acaadce32ac0752b1b689fd2732e
- SSDEEP: 1536:K4dJooh0Wa0aer344Jw/ytUqVS5EkIijQ1fTNPUtU7xu:K4dzVTaer344JzthRZijQ1JPU
Malware Config
Signatures
UPX dump on OEP (original entry point) 2 IoCs
- resource: behavioral2/memory/4660-0-0x0000000140000000-0x0000000140028000-memory.dmp; yara_rule: UPX
- resource: behavioral2/memory/4660-15-0x0000000140000000-0x0000000140028000-memory.dmp; yara_rule: UPX
Disables RegEdit via registry modification 1 IoCs
- description: Set value (int); ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"; Process: reg.exe
Disables Task Manager via registry modification
Drops file in Drivers directory 64 IoCs
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
- description: File opened for modification; ioc: \??\c:\windows\system32\WindowsPowerShell\v1.0\pwrshsip.dll; Process: cmd.exe
- description: File opened for modification; ioc: \??\c:\windows\system32\wintrust.dll; Process: cmd.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation; Process: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation; Process: cmd.exe
- resource: behavioral2/memory/4660-0-0x0000000140000000-0x0000000140028000-memory.dmp; yara_rule: upx
- resource: behavioral2/memory/4660-15-0x0000000140000000-0x0000000140028000-memory.dmp; yara_rule: upx
Drops file in System32 directory 64 IoCs
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
- description: File opened for modification; ioc: \??\c:\windows\system32\termsrv.dll; Process: cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 1 IoCs
- description: Key created; ioc: \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000_Classes\Local Settings; Process: cmd.exe
Modifies registry key 1 TTPs 2 IoCs
- pid: 2312; Process: reg.exe
- pid: 3720; Process: reg.exe
Suspicious use of WriteProcessMemory 8 IoCs
- description: PID 4660 wrote to memory of 1840; pid: 4660; Process: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe; procid_target: 84
- description: PID 4660 wrote to memory of 1840; pid: 4660; Process: b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe; procid_target: 84
- description: PID 1840 wrote to memory of 4148; pid: 1840; Process: cmd.exe; procid_target: 86
- description: PID 1840 wrote to memory of 4148; pid: 1840; Process: cmd.exe; procid_target: 86
- description: PID 1840 wrote to memory of 2312; pid: 1840; Process: cmd.exe; procid_target: 91
- description: PID 1840 wrote to memory of 2312; pid: 1840; Process: cmd.exe; procid_target: 91
- description: PID 1840 wrote to memory of 3720; pid: 1840; Process: cmd.exe; procid_target: 92
- description: PID 1840 wrote to memory of 3720; pid: 1840; Process: cmd.exe; procid_target: 92
Processes
C:\Users\Admin\AppData\Local\Temp\b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe"
  PID: 4660
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (child of PID 4660)
    Command line: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6949.tmp\694A.tmp\694B.bat C:\Users\Admin\AppData\Local\Temp\b1041d76466ba59f9c180b44594362735de4a93c3cbc72fb053fae1db1cc1410.exe"
    PID: 1840
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies termsrv.dll
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe (child of PID 1840)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\prompt.vbs"
      PID: 4148

    C:\Windows\system32\reg.exe (child of PID 1840)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      PID: 2312
      - Modifies registry key

    C:\Windows\system32\reg.exe (child of PID 1840)
      Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
      PID: 3720
      - Disables RegEdit via registry modification
      - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: af4bbe1f4a0d7b7fa7a66a791c08b33b
  SHA1: c69fb58ed38cf1c540e5824a3f063508308839c1
  SHA256: b5aa18e7351bf70137f770faed06ed9d98b5d8a17cc0f5e80ec3ebe5d6cd0f7b
  SHA512: faa33009d55fde81c1ad67040796300c4547d659fc6fcbde31d89cfd1694acb8a093f06a6ec97e28f23e521a85685a9bd2351a4ea1b2737d53cc468028806b16
- Filesize: 201B
  MD5: bc3243d4bca0106a6d487df00ca128af
  SHA1: 51a1debbba0fe94be938e5f374a1aada913de2dc
  SHA256: 130e3660dea836f9f470f867a78f5e7c768d783f7ec5e60b373ea2d5c32e0ba0
  SHA512: 8ba0a21d909e4ca2c55c3d3611fabb28b65f46782e7422e87d4f3ca62af911e45d17b64ce2c3901f25eda86c1f763fa600ddcfa031763794ef652609c7a5d9e2