44328d4960cf71ca7959c19d2d550803d3ea359f51ad729259c37e0597899439

Analysis

max time kernel
178s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05-04-2024 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe
Size

7.5MB
MD5

b8d467b5c37e97f35258efde96509fdb
SHA1

78f4a20e452c3594db24f484cd82e990ce525bdf
SHA256

bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97
SHA512

a4d4edbf203a5e62804e883d440a795bbe06b4a1789c2e4e02533296c5e31ce84fcb7793f2e907483da2ede8f4ae8d38225b4d2f03afaabb16388d3dd3ead119
SSDEEP

196608:d1CvELcvKDeMf7NtTFHsMCVFPSBuW//YJiVgKu:dTLcvo7NJFHVCPPSBzoJMg7

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WpnUserService_6ac92\Parameters\ServiceDLL = "C:\\ProgramData\\Usoris\\Backup\\Remote Utilities\\msimg32.dll"	WDFHost.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WDFHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	WDFHost.exe

Executes dropped EXE 3 IoCs

pid	Process
5096	Silverlight.Configuration.exe
4624	WDFHost.exe
4868	WDFHost.exe

Loads dropped DLL 9 IoCs

pid	Process
3812	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe
5096	Silverlight.Configuration.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
3816	svchost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Silverlight.Configuration.exe = "\"C:\\ProgramData\\Usoris\\Backup\\Remote Utilities\\Silverlight.Configuration.exe\""	WDFHost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1164	taskkill.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5096	Silverlight.Configuration.exe
5096	Silverlight.Configuration.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
5096	Silverlight.Configuration.exe
5096	Silverlight.Configuration.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3812	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe
Token: SeTakeOwnershipPrivilege	4624	WDFHost.exe
Token: SeTcbPrivilege	4624	WDFHost.exe
Token: SeTcbPrivilege	4624	WDFHost.exe
Token: SeDebugPrivilege	1164	taskkill.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4624	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe
4868	WDFHost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 5096	3812	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe	89
PID 3812 wrote to memory of 5096	3812	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe	89
PID 3812 wrote to memory of 5096	3812	bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe	89
PID 5096 wrote to memory of 4624	5096	Silverlight.Configuration.exe	90
PID 5096 wrote to memory of 4624	5096	Silverlight.Configuration.exe	90
PID 5096 wrote to memory of 4624	5096	Silverlight.Configuration.exe	90
PID 3816 wrote to memory of 4868	3816	svchost.exe	97
PID 3816 wrote to memory of 4868	3816	svchost.exe	97
PID 3816 wrote to memory of 4868	3816	svchost.exe	97
PID 4624 wrote to memory of 2256	4624	WDFHost.exe	100
PID 4624 wrote to memory of 2256	4624	WDFHost.exe	100
PID 4624 wrote to memory of 2256	4624	WDFHost.exe	100
PID 2256 wrote to memory of 1164	2256	cmd.exe	102
PID 2256 wrote to memory of 1164	2256	cmd.exe	102
PID 2256 wrote to memory of 1164	2256	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe
"C:\Users\Admin\AppData\Local\Temp\bd65e13a564006f5379779eb0f93ee5c5cf6c594f0548ed893c141caf7d27f97.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3812
- C:\ProgramData\Usoris\Backup\Remote Utilities\Silverlight.Configuration.exe
  "C:\ProgramData\Usoris\Backup\Remote Utilities\Silverlight.Configuration.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\ProgramData\Usoris\Backup\Remote Utilities\WDFHost.exe
    "C:\ProgramData\Usoris\Backup\Remote Utilities\WDFHost.exe"
    3⤵
    - Sets DLL path for service in the registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /f /im wmiprvse.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im wmiprvse.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "WpnUserService_6ac92" -s WpnUserService_6ac92
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3816
- \??\c:\programdata\usoris\backup\remote utilities\WDFHost.exe
  "c:\programdata\usoris\backup\remote utilities\WDFHost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Usoris\Backup\Remote Utilities\MSIMG32.dll

Filesize
120KB

MD5
1d5cb4c71dc4b8f8028b05310b89c1f5

SHA1
01f60d295633398d3cf3a80df894cc5238fc3086

SHA256
26cae03cc82d7c7ce4a9ee0dc5759aa79dddd2d596f577aa339bf2c242ece74b

SHA512
2d44bbd8200ab3a047fd5ffc8d9a333d8caf38d1af00127da80a3bf79821991b6272e855870e3c7e5884496f35293b82932cff57f3b5100f41dee274b4b4a3fb

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\Silverlight.Configuration.exe

Filesize
231KB

MD5
17e40315660830aa625483bbf608730c

SHA1
c8f5825499315eaf4b5046ff79ac9553e71ad1c0

SHA256
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe

SHA512
0a3468dcff23ccb2458a8241388b7092d0711a4ebb491d5d8141cc352db8008fc6afc9af1e668104ac657fb4b3651ebcfdf1575557ff918d0f0905cd88c59e85

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\WDFHost.exe

Filesize
19.8MB

MD5
31c0bafc3f6e6c7322a7a32ac1bd87da

SHA1
42fd1a41e1eef5998de674ec068c702f1ee3b4f3

SHA256
f2a5023cd559597a1b70a7e02345fb9c80b740377fcf7341d5df2d462efafda5

SHA512
ab8dcda75a2e9c4d7dfcc23e76b3ca76b4ec5f1fbf24007bf0e9707de17461c5016ec9005dae3f62e34f586452aa145871d371536572365b35bf33b43a8d24ab

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\libeay32.dll

Filesize
1.3MB

MD5
d9871a6ba02aacf3d51e6c168d9c6066

SHA1
42012a0116a9e8aed16c7298bd43cb1206a0f0cd

SHA256
7975ac81130ae8fe09caf6bef313c44fe064b67ed9205f0bd11ac165386e2f95

SHA512
ae9118dac893097cd0e388ce45ff76c26b99b1cc9aea59547cc1dedf00bfbaf575f3d05317fac2f3f8b5c97896f6080bea9a90425333dbf02013eb01a002e43f

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\settings.dat

Filesize
5KB

MD5
0e7ba2cb293b0068f7016063f1724d50

SHA1
0a1fbad5c284cde95559e2ceb1a59579336337ff

SHA256
d36aa23d6d4d64937fb02f67da38a03f51221ed68917e7148ff005ba8bc4454d

SHA512
eb1a7309846c0cd614bb0de519248a2c17a3cbc6f06f8f45df4b1d04786687e1923c0ff2cdf08e7cf74a1071687160445ee6e76be8364b4a27befccab7e4fe5e

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\ssleay32.dll

Filesize
337KB

MD5
fe6d8feaeae983513e0a9a223604041b

SHA1
efa54892735d331a24b707068040e5a697455cee

SHA256
af029ac96a935594de92f771ef86c3e92fe22d08cb78ebf815cbfd4ef0cb94b0

SHA512
a78b1643c9ea02004aabefc9c72d418ee3292edb63a90002608ac02ad4e1a92d86b0fc95e66d6d4b49404c1fc75845d0e6262821b6052ab037b4542fcaf2047d

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\w32.dat

Filesize
197KB

MD5
fab0bad094f174cf69a52f2d7b7a29e3

SHA1
cc85cc377e61d547c2491a9b11d0db71fab21833

SHA256
20a33de39fec96acea42c63b14e0c35bfe0299609a7986e69226f6d40c07ef73

SHA512
652323dc2f333bbe406a027b227482553a5c930929cf937e4b68e935f89d9e6e41d5faecb5c3507baff55a665418e317d93625098ac5af7a6196aab957db73bc

Download Submit
C:\ProgramData\Usoris\Backup\Remote Utilities\w64.dat

Filesize
231KB

MD5
8c55b6dff2a4a0cd75abfcf7cb275140

SHA1
d01ba150f602b8deb3220795dd7f03ccbc105085

SHA256
82c4cdaf5ff442d574f29155efc39855b41dec1ee0c69be284522707a3e20c8e

SHA512
5620a78ce4edd5af0ba5b1cde0a15791f7f40b3346049ad22b76b62cbc5d75925b90ce5e4fa11c4daa0045782661b066d6ddd6b6a16df5c35bff8dc5baf101c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nssF369.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
memory/3816-61-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download
memory/4624-59-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4624-77-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-50-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4624-53-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/4624-54-0x00000000068B0000-0x00000000068B1000-memory.dmp

Filesize
4KB

Download
memory/4624-83-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-56-0x0000000006BE0000-0x0000000006BE1000-memory.dmp

Filesize
4KB

Download
memory/4624-57-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-42-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4624-82-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-81-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-80-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-79-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-78-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-44-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download
memory/4624-71-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-72-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-73-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4624-76-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4868-70-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download
memory/4868-69-0x0000000000400000-0x0000000001896000-memory.dmp

Filesize
20.6MB

Download
memory/4868-65-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download
memory/4868-68-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4868-63-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/5096-38-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download
memory/5096-55-0x00000000743B0000-0x00000000743D5000-memory.dmp

Filesize
148KB

Download