Analysis
-
max time kernel
152s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
23/02/2024, 16:08
Static task
static1
Behavioral task
behavioral1
Sample
UEPrereqSetup_x64.7z
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
UEPrereqSetup_x64.7z
Resource
win10v2004-20240221-en
Behavioral task
behavioral3
Sample
UEPrereqSetup_x64.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
UEPrereqSetup_x64.exe
Resource
win10v2004-20240221-en
General
-
Target
UEPrereqSetup_x64.exe
-
Size
48.0MB
-
MD5
0770b62d856e784f932d2938cd4bb902
-
SHA1
b2c028220476431228e5b8e223ef2c3f72746bcb
-
SHA256
48f5444f4bac99500b996cf7138bd14c11e34a049f61bec801e72445fe8b44ec
-
SHA512
dc55cce33f3f8ecac2870b4699c2cb090f59fc782d46aef12e0cd5fcbda6d46b812bd14ccd0162013eef5c4444deab33e3bbbc34e81b5cdbe6eb223fc1296721
-
SSDEEP
786432:D/bdC1Q6cdW2xTDUANjtdoTtwe/UUjwirV6po5O5wnbKJO56XN4yfQSyABGO1:L5xTLNjtdoTtd/djwiB6po5UwnbSOMeY
Malware Config
Signatures
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Loads dropped DLL 1 IoCs
pid Process 1364 UEPrereqSetup_x64.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 2828 taskmgr.exe Token: SeSystemProfilePrivilege 2828 taskmgr.exe Token: SeCreateGlobalPrivilege 2828 taskmgr.exe Token: SeSecurityPrivilege 2828 taskmgr.exe Token: SeTakeOwnershipPrivilege 2828 taskmgr.exe Token: SeBackupPrivilege 4216 svchost.exe Token: SeRestorePrivilege 4216 svchost.exe Token: SeSecurityPrivilege 4216 svchost.exe Token: SeTakeOwnershipPrivilege 4216 svchost.exe Token: 35 4216 svchost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe 2828 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 3748 wrote to memory of 1364 3748 UEPrereqSetup_x64.exe 89 PID 3748 wrote to memory of 1364 3748 UEPrereqSetup_x64.exe 89 PID 3748 wrote to memory of 1364 3748 UEPrereqSetup_x64.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe"C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe"C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe" -burn.unelevated BurnPipe.{341B0063-6E03-4B5D-956D-127BD1E71376} {1CC8A2A3-66A6-46DE-9F3C-01947D09E045} 37482⤵
- Loads dropped DLL
PID:1364
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
123KB
MD587300b4c1b1d79f75e3c406043d73acb
SHA1de7ed5119f1caf8d11d30810c28031b37d1485aa
SHA256b76bbf9f7b8da4ca886f3b97d7db00ab1d38a9bb3b9567f4e1c3e30203098add
SHA5121d482404dcbcb3326e0efa4cdf46253be374f83d5c0f1051c15d4b1625b4e1e61adf017d037f8f4cc643e205be657cf5cc4edeb566f7eb44a89729ee050280da
-
Filesize
6KB
MD5702684ff196740ebaedb34beca30346f
SHA11f3af4bdac42b973b05dc121fc00c804aa3c28ec
SHA256988c657d1cc77aceb4804c5217bf756eaa2b4defcb4d03f47aea83ccda3d3672
SHA512ff4eec96f733ed32280123f5a6bff4a488eab4586a9740416125ceef1b4e1ce85dddb4524589111d1c6c57fb9d561a3586b637f8b17e8ff8dd2bf736b484b676
-
Filesize
135KB
MD536b53c5299a3b39e5c9cdbbd28a09506
SHA19f4c767ef7ea887a88a698bcd66e4ba691e1c17a
SHA25697f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a
SHA512af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83