Resubmissions

05-04-2024 11:34

240405-npwzgsaf61 1

05-04-2024 11:31

240405-nm5hvaae9z 8

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
  • submitted
    05-04-2024 11:31

General

  • Target

    Windows10Upgrade9252.exe

  • Size

    3.2MB

  • MD5

    c0b25def4312fbddbcc4f01c6c0f5ba6

  • SHA1

    8d16a183d61233e7d6b6af7b3cafc6645ac2acb1

  • SHA256

    c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79

  • SHA512

    8c67619747bb108dae5661688ec8fa4c62bc6ac38ee6ff14a4691aab04d7ddd870fee4262cb30624a6bd85ac1f7595af05311496b0336f979e7e5f797791bc0e

  • SSDEEP

    98304:GgjXlctych4cCzJ8k2omX8sUf0ht5f/LyXtcH/:JjKtych9CzJqXM32jyX

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 29 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:352
    • C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
      "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3868
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 1708
        3⤵
        • Program crash
        PID:4548
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3712
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4392

Network

  • flag-us
    DNS
    58.28.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.28.101.95.in-addr.arpa
    IN PTR
    Response
    58.28.101.95.in-addr.arpa
    IN PTR
    a95-101-28-58.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    211.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    211.143.182.52.in-addr.arpa
    IN PTR
    Response
  • 8.8.8.8:53
    58.28.101.95.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    58.28.101.95.in-addr.arpa

  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

  • 8.8.8.8:53
    211.143.182.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    211.143.182.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini

    Filesize

    27B

    MD5

    ca22263c7a6f965df18f5c601f5db7ce

    SHA1

    e4b1a401ed497523a583ae8613646b03778a33a6

    SHA256

    299fa3043627954c524b6171c26fcc3513790310aa2561e6f012eff15254381c

    SHA512

    3cd39b438f7cb34b38f32240b1ba6a5010f49e12123db770460cf74217bc6946e2032355376c203b68863ee85596d21aa7b2d77c94da48a54def111d147311f8

  • C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

    Filesize

    197KB

    MD5

    5b62ad6ae42f32806062ad1bcb3e2de5

    SHA1

    8d4a543eac9643931fcb620cd588e2cc1067920a

    SHA256

    96f7b268820511abeeb6bbfad0918cf9161366bc2f558ef7f011331e7de1d6f3

    SHA512

    af5bdbc5019b56eb9a32b6d264388e309e36013d43dbe09c61224ba6fabf1ff905371bc5b6ddaa0d5bfedae99cc5a7051f13fbf26cc756793799e568094eabcf

  • C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

    Filesize

    3.5MB

    MD5

    ab38a78503d8ad3ce7d69f937d71a99c

    SHA1

    00b6a6f09dd45e356ef9e2cacd554c728313fa99

    SHA256

    f635cd1996967c2297e3f20c4838d2f45d1535cfea38971909683e26158fb782

    SHA512

    fe8e4c6973cb26b863ef97d95a7ae8b1b2dbce14bf3b317d085b38347be27db1adc46f5503c110df43e032911e5b070f3e9139857573fffdafff684f27ef1b8f

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

    Filesize

    82B

    MD5

    b81d1e97c529ac3d7f5a699afce27080

    SHA1

    0a981264db289afd71695b4d6849672187e8120f

    SHA256

    35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

    SHA512

    e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

    Filesize

    5KB

    MD5

    7f5fcac447cc2150ac90020f8dc8c98b

    SHA1

    5710398d65fba59bd91d603fc340bf2a101df40a

    SHA256

    453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

    SHA512

    b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm

    Filesize

    60KB

    MD5

    b2a06af2867a2bb3d4b198a22f7936b3

    SHA1

    98a28e15abdd2d6989d667cc578bf6ab954c29f5

    SHA256

    40f468006ab37ef4fcc54c5ff25005644f15d696f1269f67b450c9e3ce5e8d23

    SHA512

    eefc295a7cd517c93bbeadee51ab778f371be8b21a92b0c06339da2e624abd19c34907e0a8965e6bfe81863752c56cc509fcf015a3ee986d208a5fc7cac8bfc5

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

    Filesize

    16KB

    MD5

    1a276cb116bdece96adf8e32c4af4fee

    SHA1

    6bc30738fcd0c04370436f4d3340d460d25b788f

    SHA256

    9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

    SHA512

    5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

    Filesize

    2KB

    MD5

    afeed45df4d74d93c260a86e71e09102

    SHA1

    2cc520e3d23f6b371c288645649a482a5db7ccd9

    SHA256

    f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

    SHA512

    778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

  • C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png

    Filesize

    420B

    MD5

    0968430a52f9f877d83ef2b46b107631

    SHA1

    c1436477b4ee1ee0b0c81c9036eb228e4038b376

    SHA256

    b210f3b072c60c2feb959e56c529e24cec77c1fcf933dcadad1f491f974f5e96

    SHA512

    7a8a15524aecdb48753cc201c215df19bc79950373adc6dd4a8f641e3add53eba31d1309bf671e3b9e696616a3badce65839b211591a2eeebb9306390d81cfcf

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    14KB

    MD5

    93b13a3ba6c10444e382ea61adae8877

    SHA1

    1972b05417059836ae9ae1becb3617958018f93c

    SHA256

    ad625e4cd47b32ab60de59b874b23b88849e36b5161a0ca8b9476a7ff7b069f8

    SHA512

    ce7fa0a163a564e212dfb22ff73accc051d9f58c8e160a04345d772f9994d844e79b3b73966fdee9c0a3455164855446db97b7a097349a14f38445396b43adf0

  • C:\Users\Admin\AppData\Local\Temp\WXU63DA.tmp\appraiserxp.dll

    Filesize

    363KB

    MD5

    cbb270591c9a1bfb1b10559ab672f705

    SHA1

    fed0d59d60709b5b05b9d31030ea7a5422767a7e

    SHA256

    770a9a15e1eb8e2729f23a3d262b55bef16e4bb7822a2d16eeac3db35a116d7f

    SHA512

    67c4154d47981f22965966aa823dc0e05872b2f6d8fc7d80b4130f1cdb8bf9f326a20980e29c085e2940fc1f7b033b85d2eb192f5bda2da136364a842ea20f6a

  • C:\Users\Admin\AppData\Local\Temp\WXU63DA.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

    Filesize

    39KB

    MD5

    5ad8ceea06e280b9b42e1b8df4b8b407

    SHA1

    693ea7ac3f9fed186e0165e7667d2c41376c5d61

    SHA256

    03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

    SHA512

    1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

  • memory/3712-149-0x0000000002640000-0x0000000002641000-memory.dmp

    Filesize

    4KB

  • memory/4392-156-0x00000159510D0000-0x00000159510F0000-memory.dmp

    Filesize

    128KB

  • memory/4392-159-0x00000159517E0000-0x0000015951800000-memory.dmp

    Filesize

    128KB
