Analysis

  • max time kernel
    148s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20240221-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    02-03-2024 20:29

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe

  • Size

    22.0MB

  • MD5

    80d4dbeb01772ef8099c55c1f58d7ce1

  • SHA1

    7a6e504c80069c2e3bfe25e00cd5bd43fcbf0565

  • SHA256

    52518fb62c991f5f3ff28cbf823703273069830b2aca8ab21e2a8831db4db21c

  • SHA512

    2135e31ee83a1bbae77fea41429f23fdc8d2f558f925e78df564fee33723861e9f01539664adf8af0a774ce3e8b00ab97c1bb7260cb2c1795fe7fe4669518246

  • SSDEEP

    393216:CHErXhRqTOmlqwnqDSB5DrQr3BloMv06j8wkvSy0ZyWN2ZXos1kPEpjrchaQXAyT:NThRqam5nqDSfwjX738wjyWN2Cs1kPc0

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 20 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe
    "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs"
          4⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:2948
        • C:\Windows\SysWOW64\timeout.exe
          timeout 80
          4⤵
          • Delays execution with timeout.exe
          PID:2620
        • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
          melter.exe
          4⤵
          • Executes dropped EXE
          PID:2612
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2796
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2784
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1196
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2060
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2588
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:828
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1020
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2040
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1628
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2856
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:3064
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1076
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:3000
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2080
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:584
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:3048
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2296
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:900
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1680
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2496
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2824
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1880
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2664
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2640
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2104
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:2804
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:2928
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:684
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:2692
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:1616
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:280
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:2776
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
          4⤵
          PID:2568
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:1976
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
          4⤵
          PID:3060
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:2760
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im melter.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1912
        • C:\Windows\SysWOW64\timeout.exe
          timeout 20
          4⤵
          • Delays execution with timeout.exe
          PID:876

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs

    Filesize
    62B

    MD5
    c613a5c08c5326e673704395d63dcdcc

    SHA1
    dbccc7410a67d633bef046dab24ee55b64d0f1af

    SHA256
    8c7609a125582d9d5bab8b5b020e4f9ef9467795fecc9a5fb38895ee7f6e9418

    SHA512
    d02fc6e220f7f5a7acedc1fece4e282f4889f824e926d73a3ed573767eb8a86c8d21dbd1ed63627b9cc8ad2c4aa532c58adebad98f7c8d3cdaa360a1198c2c9e

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\boom.wav

    Filesize
    6.1MB

    MD5
    475f4bfd5056d438d8daf8179b53aca1

    SHA1
    b2b5f744c88925b53aac42aa2c5694d954e44adb

    SHA256
    7eea211b1f67cf2d3404fe5b0dae02b0b3ad50e4c3311791c651f2a712436092

    SHA512
    a664f9391ba0066cc6daa11c63903e89e424b1cf9f3217490c477bdf5ccda917f9e8f11e17a7df2f2816bc10f9a761428c194c7e5f710b0adbb4aa7033bc5920

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat

    Filesize
    787B

    MD5
    dfd87cce00d2ea4bb4bf851f28cc0d8f

    SHA1
    d8e679b4bc879ee3ce960fc675a2e32cf9ec4c73

    SHA256
    d036988fa00174c637f2fafa9ac0ca3150bdc4bc9449b319536dfafc33abe4e1

    SHA512
    0356c8b95e0f18b79ead2cf74368e779b145c7c3436123d2034996a91e9dae2d3a7fe84dde5a7a1572686cd76422d261ef3f6c307ddfaa8badc4d5d66350006d

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs

    Filesize
    26B

    MD5
    c11dcd084c37d3efafe67ba11bb6c02a

    SHA1
    7041fe5b22b2a373593601a0f7b53bf91b4f8468

    SHA256
    9faf3a654b5139565960b5977d08ca08e03667c2bd1b151d4813a01555f7ec64

    SHA512
    e8d7ba4e76997a144d6a4538ddba5c31e77d2d48c67efa88e86809b5de4748c7ba9a08b4e98582f7a5e07a62bc9c5c98fe16ab947bc8a1b0ea7821cf0a69da1a

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe

    Filesize
    3KB

    MD5
    d9baac374cc96e41c9f86c669e53f61c

    SHA1
    b0ba67bfac3d23e718b3bfdfe120e5446d0229e8

    SHA256
    a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412

    SHA512
    4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs

    Filesize
    16B

    MD5
    b03f8296e9ca8c4e0775aa97046e7b0f

    SHA1
    ad54c88af769649efbf634050050da2a93fb5699

    SHA256
    9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98

    SHA512
    1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs

    Filesize
    55B

    MD5
    cdfafa9e845ccc0facf0e9338c1ef55c

    SHA1
    ac8e7e70cd63fbb5cb2c3d1635117e9308946cb2

    SHA256
    e8dcb3afcd37591ebc9e959151f1249dab477ac68ad01761600f07dda804d2d2

    SHA512
    01bb8942927bd050d35bd30937ab9d4380b5bd2722da58d0347e3d0f8d39b2ac626ad36fd505c25816b5fcc67635f754cdf7ca19df9af066b4deceb23a0f3803

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs

    Filesize
    221B

    MD5
    7f1f2f18b81c7ff47430c518defb9f48

    SHA1
    33642f35825428762b8133721ca38466e7b69559

    SHA256
    208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58

    SHA512
    c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04

  • memory/2948-47-0x0000000073030000-0x0000000073342000-memory.dmp

    Filesize
    3.1MB

  • memory/2948-48-0x0000000073030000-0x0000000073342000-memory.dmp

    Filesize
    3.1MB