Analysis

  • max time kernel
    155s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    02-03-2024 20:29

General

  • Target

    TheMalwaredev-s-garbage-main/Install Windows20/installer/res.exe

  • Size

    22.0MB

  • MD5

    80d4dbeb01772ef8099c55c1f58d7ce1

  • SHA1

    7a6e504c80069c2e3bfe25e00cd5bd43fcbf0565

  • SHA256

    52518fb62c991f5f3ff28cbf823703273069830b2aca8ab21e2a8831db4db21c

  • SHA512

    2135e31ee83a1bbae77fea41429f23fdc8d2f558f925e78df564fee33723861e9f01539664adf8af0a774ce3e8b00ab97c1bb7260cb2c1795fe7fe4669518246

  • SSDEEP

    393216:CHErXhRqTOmlqwnqDSB5DrQr3BloMv06j8wkvSy0ZyWN2ZXos1kPEpjrchaQXAyT:NThRqam5nqDSfwjX738wjyWN2Cs1kPc0

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 20 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe
    "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3608
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat" "
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs"
          4⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          PID:2352
        • C:\Windows\SysWOW64\timeout.exe
          timeout 80
          4⤵
          • Delays execution with timeout.exe
          PID:1784
        • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
          melter.exe
          4⤵
          • Executes dropped EXE
          PID:5104
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:3496
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:4152
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:3128
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:3912
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1192
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:4044
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2364
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:4496
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:848
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:4348
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1500
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:2600
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2480
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:1928
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:752
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:456
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:2512
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:440
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1720
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:4704
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:5048
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:3860
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1784
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • Delays execution with timeout.exe
          PID:5072
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
          4⤵
          PID:1956
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:4300
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:208
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:2336
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:3240
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:2544
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
          4⤵
          PID:2148
        • C:\Windows\SysWOW64\timeout.exe
          timeout 5
          4⤵
          • Delays execution with timeout.exe
          PID:4480
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
          4⤵
          PID:1944
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:3824
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
          4⤵
          PID:3376
        • C:\Windows\SysWOW64\timeout.exe
          timeout 8
          4⤵
          • Delays execution with timeout.exe
          PID:1884
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im melter.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3340
        • C:\Windows\SysWOW64\timeout.exe
          timeout 20
          4⤵
          • Delays execution with timeout.exe
          PID:1456
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2f8 0x450
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2568
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
    1⤵
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
    Filesize
    64KB
    MD5
    b17223e59994f60c5833030795f2bcac
    SHA1
    66f5f5caf68849cfe574cbef7f8278dacdafdd5f
    SHA256
    49fdaa4ee215c3a142144184d0e82964efb4c11c7d8ce726c5806bfca13888ca
    SHA512
    c7aea16c9327e9c19860c4a1487a94cb7edc8953d57aef9617a6d9accd645eb3fecf5e81f0eca6348f9dea86077d55d00546fc270bcd5d5cb9d8c864d9bf0003

  • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
    Filesize
    9KB
    MD5
    7050d5ae8acfbe560fa11073fef8185d
    SHA1
    5bc38e77ff06785fe0aec5a345c4ccd15752560e
    SHA256
    cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
    SHA512
    a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs
    Filesize
    62B
    MD5
    c613a5c08c5326e673704395d63dcdcc
    SHA1
    dbccc7410a67d633bef046dab24ee55b64d0f1af
    SHA256
    8c7609a125582d9d5bab8b5b020e4f9ef9467795fecc9a5fb38895ee7f6e9418
    SHA512
    d02fc6e220f7f5a7acedc1fece4e282f4889f824e926d73a3ed573767eb8a86c8d21dbd1ed63627b9cc8ad2c4aa532c58adebad98f7c8d3cdaa360a1198c2c9e

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\boom.wav
    Filesize
    1.8MB
    MD5
    fb74ebc977bcb28d26d23989dfded4fe
    SHA1
    f2e419d0605de9682496a7c191a9723fe55c1779
    SHA256
    d2466e56374b453b8a0c0df3be04b8dd5aa002f3113c73525d586d42f080e434
    SHA512
    b33a23b4c76c9d22df7e738a1ecab0d717d748ef1c2a73cac6362ec8ee18b356a9811996d24d6b4c150bab88137d48910a08e91652c3b6d1f120378083cc88f2

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat
    Filesize
    787B
    MD5
    dfd87cce00d2ea4bb4bf851f28cc0d8f
    SHA1
    d8e679b4bc879ee3ce960fc675a2e32cf9ec4c73
    SHA256
    d036988fa00174c637f2fafa9ac0ca3150bdc4bc9449b319536dfafc33abe4e1
    SHA512
    0356c8b95e0f18b79ead2cf74368e779b145c7c3436123d2034996a91e9dae2d3a7fe84dde5a7a1572686cd76422d261ef3f6c307ddfaa8badc4d5d66350006d

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs
    Filesize
    26B
    MD5
    c11dcd084c37d3efafe67ba11bb6c02a
    SHA1
    7041fe5b22b2a373593601a0f7b53bf91b4f8468
    SHA256
    9faf3a654b5139565960b5977d08ca08e03667c2bd1b151d4813a01555f7ec64
    SHA512
    e8d7ba4e76997a144d6a4538ddba5c31e77d2d48c67efa88e86809b5de4748c7ba9a08b4e98582f7a5e07a62bc9c5c98fe16ab947bc8a1b0ea7821cf0a69da1a

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
    Filesize
    3KB
    MD5
    d9baac374cc96e41c9f86c669e53f61c
    SHA1
    b0ba67bfac3d23e718b3bfdfe120e5446d0229e8
    SHA256
    a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412
    SHA512
    4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs
    Filesize
    16B
    MD5
    b03f8296e9ca8c4e0775aa97046e7b0f
    SHA1
    ad54c88af769649efbf634050050da2a93fb5699
    SHA256
    9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98
    SHA512
    1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs
    Filesize
    55B
    MD5
    cdfafa9e845ccc0facf0e9338c1ef55c
    SHA1
    ac8e7e70cd63fbb5cb2c3d1635117e9308946cb2
    SHA256
    e8dcb3afcd37591ebc9e959151f1249dab477ac68ad01761600f07dda804d2d2
    SHA512
    01bb8942927bd050d35bd30937ab9d4380b5bd2722da58d0347e3d0f8d39b2ac626ad36fd505c25816b5fcc67635f754cdf7ca19df9af066b4deceb23a0f3803

  • C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs
    Filesize
    221B
    MD5
    7f1f2f18b81c7ff47430c518defb9f48
    SHA1
    33642f35825428762b8133721ca38466e7b69559
    SHA256
    208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58
    SHA512
    c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04

  • memory/2352-45-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-50-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-49-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-51-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-48-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-43-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-46-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-47-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/2352-44-0x0000000005620000-0x0000000005630000-memory.dmp
    Filesize
    64KB

  • memory/5104-69-0x0000000000400000-0x0000000000402000-memory.dmp
    Filesize
    8KB