Analysis

  • max time kernel
    92s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240226-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    01-03-2024 18:08

General

  • Target

    Checkm8.info Software.exe

  • Size

    152.7MB

  • MD5

    a5b6acf1acb70f2cdf0539d0701d103c

  • SHA1

    269ef4e0f732bc5f0d2ee3fc28fa6351ee0cc901

  • SHA256

    df8bc2dfd6961766452c508d84917c40c109b8920d9c617b08cb62dc7c6668da

  • SHA512

    6404e5329e59062bbb650d74e6b9545dfc509748dd253096255372c0f25714b03201a1eab8270cbdcfbe20ea3ca8f0cdfd83fd74dafef15029384dec7dc32b55

  • SSDEEP

    3145728:D9CQPQmwzUK+vcNuD/AA8sSC23nLxtEvw7cftKUX1bDXADDe0/wDe0/0XUme:DjPpvAOSJ3nL7Evw7cVdRADDe04De0S4

Score
8/10

Malware Config

Signatures

  • Manipulates Digital Signatures 1 TTPs 3 IoCs

    Attackers can make their binaries pass as validly signed by, for example, adding their own certificate to a trusted store or altering the Authenticode and Cryptography registry keys. In this run the installer's custom-action launcher (MSI9EF8.tmp) runs certutil.exe -addstore "Root" to install C:\Users\Admin\AppData\Local\Temp\simple.cer as a trusted root CA on the machine (see the process tree below).

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, a lookup commonly used for geofencing.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 28 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments. In this run the reads come from vssvc.exe (PID 828) while it creates the restore-point snapshot, which is expected Windows behaviour rather than evasion by the installer.

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 26 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here it is triggered by srtasks.exe ExecuteScopeRestorePoint, the system restore point Windows Installer creates before an installation; the shadow-copy paths under System Volume Information in the Downloads list are artifacts of that snapshot.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
    "C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1480
    • C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe
      "C:\Users\Admin\AppData\Local\Temp\Checkm8.info Software.exe" /i "C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\Checkm8.info\Checkm8.info Software" SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software" SECONDSEQUENCE="1" CLIENTPROCESSID="1480" AI_MORE_CMD_LINE=1
      2⤵
      • Enumerates connected drives
      PID:5112
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1176
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding BD49349032AB90093502E8CA3CDA94E9 C
      2⤵
      • Loads dropped DLL
      PID:392
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:4660
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DFCA3F5A85B994EAB48DFD1B0147455D
      2⤵
      • Loads dropped DLL
      PID:216
    • C:\Windows\Installer\MSI9EF8.tmp
      "C:\Windows\Installer\MSI9EF8.tmp" /RunAsAdmin /HideWindow "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Windows\SysWOW64\certutil.exe
        "C:\Windows\SysWOW64\certutil.exe" -addstore "Root" C:\Users\Admin\AppData\Local\Temp\simple.cer
        3⤵
        • Manipulates Digital Signatures
        PID:2336
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6630498F59D52E88991F2D47BA4A8D98 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      PID:1316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:828
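The chain msiexec.exe > MSI9EF8.tmp > certutil.exe -addstore "Root" in the tree above is the behaviour a detection engineer wants to catch in process-creation telemetry. The following Python is an added example, not part of the sandbox report or of the analysed installer: it runs over a handful of constructed process-creation events (the msiexec, MSI9EF8.tmp and certutil rows follow the PIDs and command lines of this report; the explorer.exe row and the two other certutil rows are invented), flags every certutil -addstore call, rates it by target store and scope, and records whether it was launched under Windows Installer (msiexec.exe or an MSIxxxx.tmp custom-action binary in the Installer directory). The event field names are an assumption, not a specific product's schema.

```python
"""Flag certutil trust-store insertions launched under Windows Installer.

Added example, not code from the sandbox report or the analysed installer.
EVENTS is constructed: the msiexec/MSI9EF8.tmp/certutil rows follow the
process tree in the report, the remaining rows are invented for contrast.
"""
import re
from pathlib import PureWindowsPath

# Stores whose contents change what the whole machine trusts.
HIGH_TRUST_STORES = {"root", "authroot", "trustedpublisher", "ca"}

EVENTS = [
    {"pid": 1176, "ppid": 0, "image": r"C:\Windows\system32\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"pid": 1036, "ppid": 1176, "image": r"C:\Windows\Installer\MSI9EF8.tmp",
     "cmdline": r'"C:\Windows\Installer\MSI9EF8.tmp" /RunAsAdmin /HideWindow '
                r'"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" '
                r"C:\Users\Admin\AppData\Local\Temp\simple.cer"},
    {"pid": 2336, "ppid": 1036, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": r'"C:\Windows\SysWOW64\certutil.exe" -addstore "Root" '
                r"C:\Users\Admin\AppData\Local\Temp\simple.cer"},
    # Constructed benign row: hashing a file, no store is touched.
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tmp\a.bin SHA256"},
    # Constructed lower-severity row: per-user personal store, launched by explorer.
    {"pid": 4000, "ppid": 0, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 5001, "ppid": 4000, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -user -addstore -f My C:\tmp\client.cer"},
]


def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted arguments intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(image):
    return PureWindowsPath(image).name.lower()


def is_installer_binary(image):
    """msiexec.exe, or an MSIxxxx.tmp custom-action binary in the Windows Installer directory."""
    p = PureWindowsPath(image)
    name = p.name.lower()
    if name == "msiexec.exe":
        return True
    return (re.fullmatch(r"msi[0-9a-f]{4}\.tmp", name) is not None
            and str(p.parent).lower() == r"c:\windows\installer")


def parse_addstore(tokens):
    """Return (store, cert_file, scope) for
    `certutil [-user|-enterprise|-grouppolicy] -addstore [-f] Store InFile`,
    or None when the tokens are not an addstore call."""
    low = [t.lower() for t in tokens]
    if "-addstore" not in low:
        return None
    i = low.index("-addstore") + 1
    if i < len(low) and low[i] == "-f":
        i += 1
    if i + 1 >= len(tokens):
        return None
    scope = next((s for s in ("-user", "-enterprise", "-grouppolicy") if s in low[:i]), "-machine")
    return tokens[i], tokens[i + 1], scope.lstrip("-")


def ancestors(pid, by_pid):
    """Parent chain of `pid`, nearest first, stopping at unknown PIDs or loops."""
    chain, seen = [], set()
    p = by_pid[pid]["ppid"]
    while p in by_pid and p not in seen:
        seen.add(p)
        chain.append(by_pid[p])
        p = by_pid[p]["ppid"]
    return chain


def scan(events):
    """One finding per process that adds a certificate through certutil."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        tokens = split_cmdline(e["cmdline"])
        # Fire on certutil itself and on a wrapper (such as the MSI custom-action
        # launcher) whose command line carries the certutil invocation.
        if basename(e["image"]) != "certutil.exe" and not any(basename(t) == "certutil.exe" for t in tokens):
            continue
        parsed = parse_addstore(tokens)
        if parsed is None:
            continue
        store, cert_file, scope = parsed
        lineage = ancestors(e["pid"], by_pid)
        via_installer = is_installer_binary(e["image"]) or any(is_installer_binary(a["image"]) for a in lineage)
        severity = "high" if store.lower() in HIGH_TRUST_STORES and scope != "user" else "medium"
        names = [PureWindowsPath(x["image"]).name for x in reversed(lineage)] + [PureWindowsPath(e["image"]).name]
        findings.append({"pid": e["pid"], "store": store, "cert_file": cert_file, "scope": scope,
                         "severity": severity, "via_installer": via_installer, "chain": " > ".join(names)})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} store={f['store']} scope={f['scope']} "
              f"installer={f['via_installer']} chain={f['chain']} file={f['cert_file']}")
```

Running it yields three findings: the two from this report are rated high because they add to the machine-wide Root store from under an installer custom action, while the constructed per-user My store addition comes out medium. A high finding is the prompt to pull the certificate file (here simple.cer, also listed under Downloads) and check its subject, validity period and key usage before deciding whether the new root is vendor tooling the organisation accepts or a trust-store backdoor that must be removed.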

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Config.Msi\e579711.rbs

      Filesize

      251KB

      MD5

      10082e05f14d8d54f8a6c8031de624a2

      SHA1

      9f2673db73d9e734adc0cad65b171909b4035e34

      SHA256

      28e1470d2abc5bc558cfcb0bebbdaddd6cd0f97f73bdd27122eaad902bd1b7f5

      SHA512

      216f8dbc45f4d598c1e62e200f52b487fd1db9a0ff54a98caaaa49d2176625656bb83f4e60177b3effe00265b89513df9414ad16d0fdd58776d318471ca76889

    • C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe

      Filesize

      3.3MB

      MD5

      642830c52513d475ee8d8a1a6a9d6070

      SHA1

      e041aa66d3f130f3a944ce3f399bcb9b5a6d44f7

      SHA256

      1a94c162122cabdd2540dd9fa20072594894edade4a7a2e2b70b30145cf6ef7d

      SHA512

      f6a10eb2179ef4ec67ae383a56dee611a1ffec3b58a225441b3731a0819a985fd7d7e7e9e107468f68ebc776122373f70c61ca6051fcbde595b08e183c20fb4d

    • C:\Program Files (x86)\Checkm8.info\Checkm8.info Software\Checkm8.info Software.exe

      Filesize

      2.7MB

      MD5

      e07ef4a93adc7b34c1fe8679c1061946

      SHA1

      186f09239c1c9fdaed250fc5f2f362f86ed4f3ba

      SHA256

      ef7312cf24d0e533691cd04057e305b79892fad6914cb43fec187a48541ff332

      SHA512

      a173aa95e005388986a3538f7cfb8c399542094b80336e7c8ac8086b0ef696c47381fc2150b2d985347b087f1ec082999d99216a390bba018b7ae1111c8b66d3

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Checkm8.info Software\Checkm8.info Software.lnk

      Filesize

      2KB

      MD5

      2f4e775a2c5dcaee85315aaf2297289a

      SHA1

      11c8fd38f8655efa2ac4d44a8f2554e9b4a32645

      SHA256

      98dbb109125c66650a56e1cff1155bb8c552d2b5ec4b5f1ec46062611c8ed91e

      SHA512

      2ea2e0af6db3967d9ca1c0adff92f2de8fb5ac4f9a7132f614de29f4b2820c2941a95e178962db627041c3742517a08623f621a741bb782fad8cc1ca6f892b73

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1480\banner

      Filesize

      22KB

      MD5

      495a895d0a2feeba59737c745aa3f8ce

      SHA1

      48d5ea108fe612904ad80dc9e4296107d566131b

      SHA256

      26fb568a4bf976c45eae8d0c948a6ec2361bd0c027d1c325eb2d4319febaafb6

      SHA512

      7c11b9b9e14691b074ac507b1f37ba1ea107ef6fa617fc309dc29cc93b896486dc2bf575bc91334435457ac7fe4fa214c902c6c3d615093674c1828f9db2ba17

    • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1480\dialog

      Filesize

      9KB

      MD5

      d1880a8297f8f1ff8cb4ee2dc1058a17

      SHA1

      9fedea64be231c77c8c10b0bc6e4224632fd8dc3

      SHA256

      893454cc12eb3b298cf50e5915f890c86a314fce41ca3062c524ebb83349161f

      SHA512

      cb1f50427d04628f102eafc239ada43d72bc7371cbf86d4311f4a47e9223b511a375c92b22748d54a88586b4f0436cb328c992f424c6873c9a1a5b88fdfad699

    • C:\Users\Admin\AppData\Local\Temp\MSI4BBF.tmp

      Filesize

      374KB

      MD5

      5e33a5224c4d523a2517ba8a96aaff42

      SHA1

      12e41a9380cc890053b5c7e19769c76bfa1608d4

      SHA256

      d64407a6d5a5d48ddefd8376d8e7732f6e5d2318cf1671cb367302d566ed958c

      SHA512

      bdb2d57de5104db15c06e5aa4b852a007ef29139750eec050cd3ee013b7df1e15376b01528e32a1859a2132452032f27a4fcd58d163dd927b4b00a6b1b2ad8f1

    • C:\Users\Admin\AppData\Local\Temp\MSI4C4D.tmp

      Filesize

      831KB

      MD5

      0cca4ccd0c4a2712301f4488180404b7

      SHA1

      ee44cd435225b02709bb4b904e97d630d4ebe7df

      SHA256

      fbae7c3613e76953e08e58b4c48c9eb9cb2bcbca977cf4a04d614016d9b73cb6

      SHA512

      362e20be4d993111a6b469c8bd5cf8aeb167ed4e3bb1f0685f4dc81cb906b60d77f38a34fb2a0734484a424e8d550bcfd70170b40fda950e44b131713a2b2553

    • C:\Users\Admin\AppData\Local\Temp\MSI4E66.tmp

      Filesize

      533KB

      MD5

      2b6fa5bfa4831df74de91db162bfaad1

      SHA1

      83c0bf7bbdecd65bcae1757a6a400ed8606cf8ab

      SHA256

      005e3260c33fb8c8033dec123d4e71613523fc5d11b32c93c74e86a35c876740

      SHA512

      fc4739b9fc23fb13765c107aa61ea57ae965d329874c4a57a62b980bb363939c53d8a966c0bc9bb92a794ebe6e3b52672bb403f684a273bce7193164d19ecc1c

    • C:\Users\Admin\AppData\Local\Temp\MSI4ED6.tmp

      Filesize

      200KB

      MD5

      eb6c9388e07bc78ab4503a4f81f7928e

      SHA1

      5e835188376fb2e1a1fd641009cb03e675acd475

      SHA256

      5ff1e9d42d26f6b6324a5a4400c99d62d1c84a323c4f71bb2098e6478206d677

      SHA512

      65e65d5b7fccc243bb8d0787c9cc9a6b59780ee76d3e2800b8005412788093c476ebd19b1a1e326581ad77e22ca93080f453a2aedfcc008755b494afc30ca41d

    • C:\Users\Admin\AppData\Local\Temp\shi687E.tmp

      Filesize

      4.8MB

      MD5

      77d6c08c6448071b47f02b41fa18ed37

      SHA1

      e7fdb62abdb6d4131c00398f92bc72a3b9b34668

      SHA256

      047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

      SHA512

      e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

    • C:\Users\Admin\AppData\Local\Temp\shi9A9A.tmp

      Filesize

      76KB

      MD5

      fdce43712079c189e993ff27df2911bc

      SHA1

      6f0465aeedb699de995e1c3b25f8f902bc05545f

      SHA256

      47267b3ddec6deeb0b018afbde2b99d17350329a52f0ae49f66b5edc5fcc4366

      SHA512

      c09215b7d0f567ed20e08c8b16a6738f07c7631e25f4bcf68f4d072016f509378eb1e9b4d519afa1e19c0aa11d104051d8c47732e39bc48d78be8f5d5696fc71

    • C:\Users\Admin\AppData\Local\Temp\simple.cer

      Filesize

      774B

      MD5

      4cdd2cf4c808076df09707ba72575a18

      SHA1

      cc9545c6ff2707b14018698e4d393a54475e6944

      SHA256

      0ed5ded8ba4300affef23a9ceed5e0c1de2303c2dc30b12e80be6eb9c5d02712

      SHA512

      49422b97a06ab4d01fc92f049670125fc82bfc0124688e793aed1f6ab3fb513685714596e7f8fcb7634d3d1bddde5bf09417634f3da8db42cef062807d52bdba

    • C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software.msi

      Filesize

      2.8MB

      MD5

      30c152f87f12ab86a690f12d6c426fbb

      SHA1

      7672e0681df44cd40370d5bc9dbc3a787df829a6

      SHA256

      8eb7d687c3f364b997dceb9a88238baf9f9d4222994df7988513fba6b9ddda7a

      SHA512

      db7642ee854a4ee4f9d738ff85ea726ab0d097157f6aa4c9731a54a89caab34293b4955c7705a863efe467bc38fe2e6084166e44aa87e92f700810a57725cccf

    • C:\Users\Admin\AppData\Roaming\Checkm8.info\Checkm8.info Software 4.7.1\install\Checkm8.info Software1.cab

      Filesize

      8.6MB

      MD5

      1059a5c067618f5d3808347b85eeaaa9

      SHA1

      16072db6591f520836efb03f472f15ae22d96d1b

      SHA256

      8f9fc9df3c12319a123d09e5bbf0f980cc7699698176f4fb7c319cd82f14b80c

      SHA512

      4fc721453ea2f96c00358d8850e0632a8dff2e921fc7f029d083eac8beae2b49e2fe874431ccb96c1d6f4e9af89614783c43286c8a446ff0a760e24774150a32

    • C:\Users\Public\Desktop\Checkm8.info Software.lnk

      Filesize

      2KB

      MD5

      862142eec666f0e194a3dc1aacffc2a5

      SHA1

      62bd64cb71368d8f246413d9ff86d57644702603

      SHA256

      650b95f1ebb25cbe83bef97f75a90bcbeda282e94b688fbacc9096aec26ca019

      SHA512

      c85231ed5d0cf3d29c9865e1ed4655e6d1d9106da02ebbd259c56b391cd69ad37517312e6ec2d68e36dd72a5f9e8e60c5178ed03ddf693577d8e8e7e688d8359

    • C:\Windows\Installer\MSI9EA9.tmp

      Filesize

      275KB

      MD5

      dcb6b94b4a41fabdbdbb6fe2a362681d

      SHA1

      efd8d4c271178a6cc37a265f287abfbc6ea91e13

      SHA256

      7a370cdf28500d571d1562a9ddb4977f6a837a7b095de9a7c469c7079923da95

      SHA512

      5dc3fda6012667cdf6f9a5ba96b01a4d74b0d4dc1f53ce2ad36296d79591c8eb34ec787ced4862b768523c3fa69ffef4b88ff653774357d7d5a052efde3bd87d

    • C:\Windows\Installer\MSI9EF8.tmp

      Filesize

      396KB

      MD5

      79f3b2b5594d100ca5bd27ca85939224

      SHA1

      6cea8cc4638baee738e7174f33ee6281e5c4c059

      SHA256

      bc20f45927b68af1c6f4ce602bad6350756cacc74398901e654e93511a43e6d7

      SHA512

      79b1a330425c3c39f00f319b26ac57dc361510c722a26842e29769e07287f23766d8cbe5603bd16d494735cb78b2a49a87964fff2043e7b92a2799bd0bf76c8c

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

      MD5

      d3dff0247176ba3e6b861fac60f7fea2

      SHA1

      809da7e52f413e67bca3ac40ce3a7297e2ae1388

      SHA256

      1b3f8a623f4a7aa00ddccf5ce01bdf7868927588a0eda396384c3e6ca505b5ad

      SHA512

      89888f47021b51e2fb03b42095e37dab20153c242a779e941255016fe41761add01abbf0963cd86e5172adcf6295f5be27066c7b16f4f9eccff5b910b4d587c1

    • \??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eb4e9959-f44b-4621-a74f-f00bae37fc94}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      811a8ba0081d5ab241d277c603af4a37

      SHA1

      d217a3da04b8d9292ab415d89b1dd184fe7323ed

      SHA256

      07304d693ffa65508f6abd6aa9aac91766e1909581e85ec1352e0ee061851cc8

      SHA512

      968213df44786aa4fae2068f8c968b8dfd1d2557387ff1caffea03dde3fcc02c81f181f57511cb069afe1eac0bd40b5572af95e7177206b59a97212943a62a25