eed3682106a52740f17f27bfb177acb0ee88888096f93af0c14a2d5ae52e9e1d

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UEPrereqSetup_x64.exe
Size

48.0MB
MD5

0770b62d856e784f932d2938cd4bb902
SHA1

b2c028220476431228e5b8e223ef2c3f72746bcb
SHA256

48f5444f4bac99500b996cf7138bd14c11e34a049f61bec801e72445fe8b44ec
SHA512

dc55cce33f3f8ecac2870b4699c2cb090f59fc782d46aef12e0cd5fcbda6d46b812bd14ccd0162013eef5c4444deab33e3bbbc34e81b5cdbe6eb223fc1296721
SSDEEP

786432:D/bdC1Q6cdW2xTDUANjtdoTtwe/UUjwirV6po5O5wnbKJO56XN4yfQSyABGO1:L5xTLNjtdoTtd/djwiB6po5UwnbSOMeY

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Loads dropped DLL 1 IoCs

pid	Process
1364	UEPrereqSetup_x64.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	taskmgr.exe
Token: SeSystemProfilePrivilege	2828	taskmgr.exe
Token: SeCreateGlobalPrivilege	2828	taskmgr.exe
Token: SeSecurityPrivilege	2828	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2828	taskmgr.exe
Token: SeBackupPrivilege	4216	svchost.exe
Token: SeRestorePrivilege	4216	svchost.exe
Token: SeSecurityPrivilege	4216	svchost.exe
Token: SeTakeOwnershipPrivilege	4216	svchost.exe
Token: 35	4216	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe
2828	taskmgr.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 1364	3748	UEPrereqSetup_x64.exe	89
PID 3748 wrote to memory of 1364	3748	UEPrereqSetup_x64.exe	89
PID 3748 wrote to memory of 1364	3748	UEPrereqSetup_x64.exe	89

C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\UEPrereqSetup_x64.exe" -burn.unelevated BurnPipe.{341B0063-6E03-4B5D-956D-127BD1E71376} {1CC8A2A3-66A6-46DE-9F3C-01947D09E045} 3748
  2⤵
  - Loads dropped DLL
  PID:1364

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\Banner.bmp

Filesize
123KB

MD5
87300b4c1b1d79f75e3c406043d73acb

SHA1
de7ed5119f1caf8d11d30810c28031b37d1485aa

SHA256
b76bbf9f7b8da4ca886f3b97d7db00ab1d38a9bb3b9567f4e1c3e30203098add

SHA512
1d482404dcbcb3326e0efa4cdf46253be374f83d5c0f1051c15d4b1625b4e1e61adf017d037f8f4cc643e205be657cf5cc4edeb566f7eb44a89729ee050280da

Download Submit
C:\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\LogoSide.png

Filesize
6KB

MD5
702684ff196740ebaedb34beca30346f

SHA1
1f3af4bdac42b973b05dc121fc00c804aa3c28ec

SHA256
988c657d1cc77aceb4804c5217bf756eaa2b4defcb4d03f47aea83ccda3d3672

SHA512
ff4eec96f733ed32280123f5a6bff4a488eab4586a9740416125ceef1b4e1ce85dddb4524589111d1c6c57fb9d561a3586b637f8b17e8ff8dd2bf736b484b676

Download Submit
C:\Users\Admin\AppData\Local\Temp\{aad8a4b2-74da-409d-abb6-79a299008692}\.ba1\wixstdba.dll

Filesize
135KB

MD5
36b53c5299a3b39e5c9cdbbd28a09506

SHA1
9f4c767ef7ea887a88a698bcd66e4ba691e1c17a

SHA256
97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a

SHA512
af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83

Download Submit
memory/2828-49-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-45-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-44-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-43-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-51-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-50-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-52-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-53-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-54-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-55-0x00000224CD400000-0x00000224CD401000-memory.dmp

Filesize
4KB

Download
memory/2828-56-0x00000224CB970000-0x00000224CB980000-memory.dmp

Filesize
64KB

Download
memory/2828-62-0x00000224CB9D0000-0x00000224CB9E0000-memory.dmp

Filesize
64KB

Download