Overview

overview

10

Static

static

10

279f70f8d6...20.exe

windows7-x64

9

279f70f8d6...20.exe

windows10-2004-x64

9

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Uninstall.exe

windows7-x64

3

Uninstall.exe

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

W10Privacy.exe

windows7-x64

9

W10Privacy.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    25-03-2024 17:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    W10Privacy.exe

  • Size

    2.2MB

  • MD5

    7c7f987c87a6835fbe52d47940a75594

  • SHA1

    3a54bb33734dde54bb4da9c8064ddc85815de052

  • SHA256

    e5e428cedf327f8515bd56b22e4dda38623079543665cb94e4888e9a3d3815ce

  • SHA512

    7c2d0c93517b15b6a9dfa887864f418f22e73b862ebc77e9b511d5ee092dd0d2ddbc3bb2366a2872dd1b3bdd5897f8216da0ca09fb31b47c20406dbfcff80e35

  • SSDEEP

    49152:rw9VH4RfLtNwHxQB4YF0yRdcHgvg3KKUQ7t1:rUgSCB4YFBnvg2Q7t1

Score
9/10
evasionupx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 16 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 39 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\W10Privacy.exe
    "C:\Users\Admin\AppData\Local\Temp\W10Privacy.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C whoami /ALL > C:\Users\Admin\AppData\Local\Temp\whoami.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2624
      • C:\Windows\SysWOW64\whoami.exe
        whoami /ALL
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:692
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\whoami.txt"
      2⤵
        PID:2420
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /C schtasks.exe /query /FO CSV > C:\Users\Admin\AppData\Local\Temp\tasks.txt
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks.exe /query /FO CSV
          3⤵
            PID:2380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\tasks.txt"
          2⤵
            PID:1312
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C "netsh advfirewall firewall show rule name=all dir=out verbose > C:\Users\Admin\AppData\Local\Temp\rules_out.txt"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2692
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall show rule name=all dir=out verbose
              3⤵
              • Modifies Windows Firewall
              PID:564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\rules_out.txt"
            2⤵
              PID:1528
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /C cscript //B "C:\Users\Admin\AppData\Local\Temp\Restore.vbs"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2888
              • C:\Windows\SysWOW64\cscript.exe
                cscript //B "C:\Users\Admin\AppData\Local\Temp\Restore.vbs"
                3⤵
                  PID:1980
              • C:\Windows\System32\rstrui.exe
                "C:\Windows\System32\rstrui.exe"
                2⤵
                • Drops file in Windows directory
                PID:1856
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2500
            • C:\Windows\system32\DrvInst.exe
              DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003E4" "00000000000005B4"
              1⤵
              • Drops file in Windows directory
              • Modifies data under HKEY_USERS
              • Suspicious use of AdjustPrivilegeToken
              PID:2388
            • C:\Windows\system32\wbengine.exe
              "C:\Windows\system32\wbengine.exe"
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1100
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
                PID:2636
              • C:\Windows\System32\vds.exe
                C:\Windows\System32\vds.exe
                1⤵
                  PID:2408

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\Restore.vbs
                  Filesize

                  135B

                  MD5

                  c8077150813613076ef8929147ba2ad9

                  SHA1

                  6efbfa0f732d09eedcc49e8990d73842b52c15ea

                  SHA256

                  e41527b362bd64d789383b9f27b097ea6cf21ab28666c104077390c84e970919

                  SHA512

                  1cdc19c699961d3239381547045eb322ff41b7ca1d528ffcd45eb030ffaf324c08850d1ab755bef0735921a25c819a39bd5e4622d33ae617cecd1eb9b628633c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\rules_out.txt
                  Filesize

                  148B

                  MD5

                  63cccdd9712d6aacbb2dd022038beed4

                  SHA1

                  805a982f25512edde06cc0f13b1240f1b0e408bc

                  SHA256

                  a48c6e1bab23b576b47ddc6bad150f8af2b9f75b1895071a19866a86f2df1d24

                  SHA512

                  ee93fa8d3aa49a6d12f95b120f6f1f478608b125794951fc5d8d39f5851436d6ee29840a745c825a1e4c165d872ea0bef8ac4150f1d17c56648e0a219854a4a7

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\tasks.txt
                  Filesize

                  295B

                  MD5

                  e0a3d03464193d267816b65786cdaa81

                  SHA1

                  12b2fd18191783eaedde82e95faa40877ecb8509

                  SHA256

                  82cbbc7efb37fa19cb14ff90df9de5c664032bab5e72b69b990077185e1fdb0d

                  SHA512

                  a98d57a8448b6521ad4d03e98b0178a629ddd6d0549f1ef739cc73f8f366bd8a60623a3721007639d266a8f1c390501cce40f00f9002a428314b82202de6d0ee

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\whoami.txt
                  Filesize

                  3KB

                  MD5

                  58c2dba56e39fcf086c5e513e0bb7b3c

                  SHA1

                  0a7179b2b4a47bbffb65918fc41db8e58e0845b6

                  SHA256

                  af0befed9a4612efb48d3055cc748e5bc5af9978cb90de574795cd00f58bb861

                  SHA512

                  7e77dc76ae6159a988cc54ab2c4bc7e0b0b8e95e35f5af9557ecca05c9cae19db58c8280d437658107955b395d9d437668d9dfa6cdf6453cd2237f5877d6c64f

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\Cache.ini
                  Filesize

                  4KB

                  MD5

                  f4bd0c9376006354be6a5da2088e7c4b

                  SHA1

                  497bf2d6c1b2a667a47d53529b60bbabe6f97b8d

                  SHA256

                  1aa5922d1109a09c3cdff973e3ee304e5cf09dbdbb97e5f7923013df2ae9602f

                  SHA512

                  96bd8616b5d37d5556189affd9886304cc5c37b723f39a8ad84a79406de7d369cfec0e86cf0f2eb0303eff6d584a383a1e0d3002c050f3671bedcb58aa616a68

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\Languages.ini
                  Filesize

                  1.1MB

                  MD5

                  23cdaef19b920f88d5ae54d8a90d74ef

                  SHA1

                  e9f1a583e7a30fc5fdb6548608bd6c775690cbb6

                  SHA256

                  24928712761116b686323da6b014c591c1a4608e9a7cebd050d17e808ba054b4

                  SHA512

                  01deb9d382b1ff0cc21ed17ef8b36add8f585c12643a878286a12c57f94095c96bfbd993df78d63e0abe5aaf2458286d8df5cfb48e6808ceb266d901123736c3

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy.ini
                  Filesize

                  147B

                  MD5

                  6663d273ac89954cacd84fac82319bd8

                  SHA1

                  b48b18aa484e933f2c54ce635b96797a3a683d9f

                  SHA256

                  14a57f9627790cdb81710984e79caed310c56c71ebb4389d59d60069924e593c

                  SHA512

                  97ed16ed4724726eba0267513309e63a82794a0d002c0ba187c7852e05a586c2b254c05d5d86acdf6259424bb574dd48f8bf93d493bd0b3b9a3bf0efddd680df

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy.ini
                  Filesize

                  231B

                  MD5

                  63071b3458351e67cf0ea69d0ba1c4f4

                  SHA1

                  0ebd0bb73624f8b8b70e4edde3cd41dce37207a4

                  SHA256

                  575547bec3e03839fb51bb113ada5aff9083fba0d3291e3ef9727f813123ff05

                  SHA512

                  b4e4e276359eb6a94b2e5e7f1b8823a6b5b70800b60d48f853755e5adc67a4facc170b45bcbc1bef7398fd588a42b1e17eb967d8dc19b1816123d9ab6beed085

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy.ini
                  Filesize

                  264B

                  MD5

                  d405b28d215524d0e4079a31bba036b7

                  SHA1

                  de604be41edd50a988308df1a5c882e6c94c440e

                  SHA256

                  91d2018d0489774f30f13c6ef6d8cc74a86a3d47e8961b5e1c2032f9af5b894b

                  SHA512

                  5009d738a9afaf7dc10bc3ed031244cdf0c1efb7f362726838825a925b81508f9f886eaedbbfbe41861923dd942607a763c1dd060ed2f2d268bc34388ec040fb

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Hosts.txt
                  Filesize

                  9KB

                  MD5

                  651ba8cd124db920497b1fc8c2ddcda6

                  SHA1

                  fe13f616ac92f6d1d0bdf34f062fe56772144379

                  SHA256

                  e9fd5189563bb924cd24682c68fd9004243c56385c79117fa9c6a3109a4e30c4

                  SHA512

                  190e2bf35232c69e957a64c9f8318e52d95e3679e68f50f30a61584deb8aae1fff378fec7abbbd8b16c963e56ed03011783e469ee2e06095a19f6ab83c4b6b30

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Hosts_LIGHT.txt
                  Filesize

                  4KB

                  MD5

                  4d11bd7c524f99dc773ec3ad3bca1944

                  SHA1

                  c7824b9ee3eec8fa900b64e2d2eb6186c5d32273

                  SHA256

                  0ea68999329d2e542dc5c933dce7f8d57329c56d3c4326c4fb8fea0ee89e44cc

                  SHA512

                  e3032b95fa71f754755b3c2ae38774fe5aceb014077730dbddda5636c61fbc7f792f0a12ffd42d12077cf7b85d32131f3dde72eaad431bf48e9bc97591fde28c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_IPs.txt
                  Filesize

                  185KB

                  MD5

                  dab0e50b50d9d10861b67fb60e03ba9b

                  SHA1

                  77b7feac28b7f963e5b648bb8893c1ffbd0f413a

                  SHA256

                  72023c7f1253a06f2db1529bc54a6a9f51f33fc0c075d175cb05d155ec7690c5

                  SHA512

                  8b7595c42b2d219419fb3f066bd9c70c212df613b2de1639dfee74c2dcf21f1e5896f33230bb96b68a4c5a2c5571bc50d8b073302ee6ddc946d42dee80dbb78c

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_PIRBKNPS_Admin.ini
                  Filesize

                  347B

                  MD5

                  ab8586c9a9d474a0ece35cd91d22dcc6

                  SHA1

                  7e8132c639a19cee07b95afaac2cafaeb3134f24

                  SHA256

                  97c6e2f14ff664f1a52afa8be94a0eb6b407c6a52f1cb6727a11bb0d93ecf4aa

                  SHA512

                  7d589f99cd78b72017a184eec5a48e9042bef264648179ad547120d1167de2baf8fcb065d7af6110c73354bc0f073a271f928ea697c6cc556b69909f57acdbea

                  Download Submit

                • C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_PIRBKNPS_Admin.ini
                  Filesize

                  503B

                  MD5

                  691af1095d633aefb33cdcfae4bf1e01

                  SHA1

                  95dcc994d94df1bdd53716afb34cc6a3b2ed4567

                  SHA256

                  a61317f68c4368ae7c64eb87124429e2503077cb31b4901c21b85d30113b1627

                  SHA512

                  a2351a89dec57a9eb6e5e75aefe48da201d74b19900f81ed1ae66f08e460673b18a48e4526352653781fc42bcaa94601baaabe0dd7a954a12904d00a0cefd76d

                  Download Submit

                • memory/1856-4816-0x0000000000260000-0x0000000000261000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1856-4497-0x0000000000260000-0x0000000000261000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2484-4784-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-4663-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-3354-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-1501-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-0-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-3807-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-4327-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-4324-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-4494-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-4908-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5029-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5154-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5306-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5428-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5548-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download

                • memory/2484-5699-0x0000000000A60000-0x0000000000F03000-memory.dmp

                  Filesize

                  4.6MB

                  Download