606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Size

1.5MB
MD5

ae2daca993fa505d4e5f93564d04096f
SHA1

26e7824310b7a3797f1acff1ccc255bc145698f9
SHA256

606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56
SHA512

332de87c47dfb9d6012616977e9f809c17233906f87bae492545def129583834dbf11cabcd719dd468c0edd6f9147085839d9071311c025ea5bcdecdd9b626ab
SSDEEP

24576:wTRRgkObgBSIiDfYCwwAYKIK+8Z1vD7EP2dys1LqH5HpuEf6eIZ2w9chVPkTI:wTznniXwKorbY2LcpXpMt9ch5kTI

Score

8^/10

persistence upx

Malware Config

Signatures

Sets service image path in registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windows\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\~3702108478055595473\\Windows.sys"	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MAC\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\~3702108478055595473\\MAC.sys"	SMR.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SMR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\~3702108478055595473\\SMR.sys"	SMR.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VhegZOmAhkHmLhLzKzcNwfnf\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VhegZOmAhkHmLhLzKzcNwfnf"	kdmapper.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Windowss\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\~3702108478055595473\\Windowss.sys"	Windows.exe

Executes dropped EXE 4 IoCs

pid	Process
2504	sg.tmp
5044	kdmapper.exe
4828	Windows.exe
1784	SMR.exe

Loads dropped DLL 6 IoCs

pid	Process
5044	kdmapper.exe
5044	kdmapper.exe
5044	kdmapper.exe
5044	kdmapper.exe
5044	kdmapper.exe
5044	kdmapper.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5088-0-0x0000000000400000-0x0000000000556000-memory.dmp	upx
behavioral2/memory/5088-2-0x0000000000400000-0x0000000000556000-memory.dmp	upx
behavioral2/memory/5088-38-0x0000000000400000-0x0000000000556000-memory.dmp	upx
behavioral2/memory/5088-77-0x0000000000400000-0x0000000000556000-memory.dmp	upx
behavioral2/memory/2024-78-0x0000000000400000-0x0000000000556000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 3 IoCs

evasion

pid	Process
3660	taskkill.exe
4080	taskkill.exe
1188	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
5044	kdmapper.exe
4828	Windows.exe
1784	SMR.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeBackupPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeRestorePrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: 33	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: 33	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: 33	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeRestorePrivilege	2504	sg.tmp
Token: 35	2504	sg.tmp
Token: SeSecurityPrivilege	2504	sg.tmp
Token: SeSecurityPrivilege	2504	sg.tmp
Token: 33	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeLoadDriverPrivilege	5044	kdmapper.exe
Token: SeLoadDriverPrivilege	4828	Windows.exe
Token: SeLoadDriverPrivilege	1784	SMR.exe
Token: SeDebugPrivilege	3660	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: 33	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeBackupPrivilege	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeRestorePrivilege	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: 33	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
Token: SeIncBasePriorityPrivilege	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 3952	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	92
PID 5088 wrote to memory of 3952	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	92
PID 5088 wrote to memory of 2504	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	94
PID 5088 wrote to memory of 2504	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	94
PID 5088 wrote to memory of 2504	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	94
PID 5088 wrote to memory of 1684	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	96
PID 5088 wrote to memory of 1684	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	96
PID 1684 wrote to memory of 5044	1684	cmd.exe	98
PID 1684 wrote to memory of 5044	1684	cmd.exe	98
PID 1684 wrote to memory of 4828	1684	cmd.exe	99
PID 1684 wrote to memory of 4828	1684	cmd.exe	99
PID 1684 wrote to memory of 1784	1684	cmd.exe	100
PID 1684 wrote to memory of 1784	1684	cmd.exe	100
PID 1684 wrote to memory of 3660	1684	cmd.exe	101
PID 1684 wrote to memory of 3660	1684	cmd.exe	101
PID 1684 wrote to memory of 4080	1684	cmd.exe	103
PID 1684 wrote to memory of 4080	1684	cmd.exe	103
PID 1684 wrote to memory of 1188	1684	cmd.exe	105
PID 1684 wrote to memory of 1188	1684	cmd.exe	105
PID 5088 wrote to memory of 2024	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	107
PID 5088 wrote to memory of 2024	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	107
PID 5088 wrote to memory of 2024	5088	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	107
PID 2024 wrote to memory of 4016	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	108
PID 2024 wrote to memory of 4016	2024	606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe	108

C:\Users\Admin\AppData\Local\Temp\606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
"C:\Users\Admin\AppData\Local\Temp\606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\~7923470281995106946~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3702108478055595473"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\kdmapper.exe
    kdmapper.exe AAA.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- - C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\Windows.exe
    Windows.exe Windows.sys Windowss.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:4828
- - C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\SMR.exe
    SMR.exe SMR.sys MAC.sys
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3660
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4080
- - C:\Windows\system32\taskkill.exe
    taskkill /F /IM WmiPrvSE.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1188
- C:\Users\Admin\AppData\Local\Temp\606575d889927654aaa3b7bb84bba5abb3d03c8c256a4d38dbdfcffe55c28d56.exe
  PECMD**pecmd-cmd* EXEC -wd:C: -hide cmd /c "C:\Users\Admin\AppData\Local\Temp\~8952211335035857504.cmd"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\~8952211335035857504.cmd"
    3⤵
    PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\AAA.sys

Filesize
17KB

MD5
b23b71e6cb0e518a632f539de513c390

SHA1
9d9732282710eeeae05f22a10e7064613f79db32

SHA256
757ec00a8199ba3c57b280f41aac71e980cd49c681b072d0072cb02115ba86f3

SHA512
8bded4c4f1b537f0b1a87b60a9952b7220efd4090ec24854510a4b8b3d8d684583e75f98a1eb6a7127e2b3c3340d8bfae87a5251e27fa528828fba2f56f70eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\MAC.sys

Filesize
13KB

MD5
3db1e4c6e75d0b4067edaed949cbcc51

SHA1
a09cde3f7051d91ca3fb7521b2c7ed3a558eb3e9

SHA256
0f720887cf290eaeba8b5ad2c6f329c4697a1501aa04b7433bac827f179af397

SHA512
4adc25638b5e2ca01624685e5710cb28bf05cea0293ca55603ef9996dbe969e73d4fc4aabd3660f0869aa097097a4b23157a1212b9ec6d365bc3540a5bf4e199

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\MSVCP140D.dll

Filesize
977KB

MD5
37dc8cc78ecbcd12f27e665b70baefa7

SHA1
46fb9910cc10c4c0c52b547700e1950ce233be89

SHA256
b53add5b7bd6bb11fecc7be159885d0b75736d02423c11edc6eeb6f4bea80f6c

SHA512
078b0b408510c07eac85518f03a9e3fac8e4c8e2e36ccb8cd26962498c7f5bedbd79f7034af3ebfef9984f85d81c9032446b1b5c156b2174a769657ea0ab60a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\SMR.sys

Filesize
25KB

MD5
9ab9f3b75a2eb87fafb1b7361be9dfb3

SHA1
fe10018af723986db50701c8532df5ed98b17c39

SHA256
31f4cfb4c71da44120752721103a16512444c13c2ac2d857a7e6f13cb679b427

SHA512
5b37fb591670329a6b030bd9d2cbee48e9d56c7c7d2752e6049f551d869298d1ec6cea6c83e0301699e0873d1fdf0c49b4a4092c6aca750dc23b1ab95dbd1ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\Windows.exe

Filesize
26KB

MD5
8c22c58462de942a035635dd2d0de0d7

SHA1
774041f552054f9e6d980b0d3b3b58bf4c45e347

SHA256
14a4b765fde1c8d470c2d312d83dc95c0159c8c5c691b7f8eae4b487000e763e

SHA512
a6590b8fb20ee646252d6b55be54beef615f458a87bb4166e35af21c1ef5e2aa33337d6c4616b49a312779030325a853894fc1cfa5e94cf5367718025944a165

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\Windowss.sys

Filesize
28KB

MD5
63da14319bf7f6f174ca86e7d280119d

SHA1
7a5e8fc0eb5c5a6693d7905d2f2e8c93dde3a9bf

SHA256
d4c2892a6b5533122d8ea700f693e912c15062a63610cd793354b6a7ab18628b

SHA512
fa11779e251bc623635e67698a412ae2c602532c74ccaf57c52498d63c2aae4f816b00c3ebaf06b88836a58376fd7b2714cfa09dc4008b5a143509acb6f7b985

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\kdmapper.exe

Filesize
488KB

MD5
eadf9e47d29fb308d78d758c14f1e7b1

SHA1
d21aa0bd12d5c814dbe5bc63e7d3a29bcd59e92d

SHA256
92ad580913f71cb2f5aba0bc8270c73bc268caeb8386ed1bd93ee189892cf86e

SHA512
c3c7f648c66d8bb3473a845f35cfda2b04522fbba2153775a247823a29549e991014f381bbf930b19e30851164b906d88a1dd47af9ade82195b0dd0baa97712c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\start.bat

Filesize
364B

MD5
ea09da48d9674c40460e878cd7d1c3d9

SHA1
1a6e29000edee09bf25433a04b249a9d436ab291

SHA256
081650fd106884900842219cb775743dd04a09b8891944098ba2f377f04af489

SHA512
572d9d42aba8d73483cfb9d0428c2251c6d52d776b1e9291aaab6132e4f5544a5db0669d012504268171603f1f31c6ce55a30902c86c8efef746388fdb578add

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\ucrtbased.dll

Filesize
1.7MB

MD5
c3130cfb00549a5a92da60e7f79f5fc9

SHA1
56c2e8fb1af609525b0f732bb67b806bddab3752

SHA256
eee42eabc546e5aa760f8df7105fcf505abffcb9ec4bf54398436303e407a3f8

SHA512
29bab5b441484bdfac9ec21cd4f0f7454af05bfd7d77f7d4662aeaeaa0d3e25439d52aa341958e7896701546b4a607d3c7a32715386c78b746dfae8529a70748

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\vcruntime140_1d.dll

Filesize
58KB

MD5
868fd5f1ab2d50204c6b046fe172d4b8

SHA1
f2b43652ef62cba5f6f04f32f16b6b89819bc978

SHA256
104e5817ece4831e9989d8937c8dfe55d581db6b5bc8e22a1b492ca872eda70e

SHA512
402a0402b318539f26eac2fcd890700d2103f8eabd4b5289b64e2cdb5c30f4bb2b18f342c8a1ecc2cafb3f1d4258387a5300f9a86056f27b176b3fe995f9fc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3702108478055595473\vcruntime140d.dll

Filesize
128KB

MD5
f57fb935a9a76e151229f547c2204bba

SHA1
4021b804469816c3136b40c4ceb44c8d60ed15f5

SHA256
a77277af540d411ae33d371cc6f54d7b0a1937e0c14db7666d32c22fc5dca9c0

SHA512
cd9fc3fc460eba6a1b9f984b794940d28705ecb738df8595c2341abe4347141db14a9ff637c9f902e8742f5c48bbb61da7d5e231cc5b2bad2e8746c5a3e3e6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7923470281995106946~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
C:\Users\Admin\AppData\Local\Temp\~8952211335035857504.cmd

Filesize
373B

MD5
f30234439e7a7719811a9415d9d9fc85

SHA1
efc7d9a1aaef88c4b0cffab960ed9bd242975ad1

SHA256
ede88ceb89a5029fa9903ec9369b1847e72d84ff914045a200e63088a808e164

SHA512
59cf1eed0b54637524f461468271503450648f75d8086d1a7f2678f56756e400d7f354dc364dd0c9ca16c3c5b8518a9826a3641af9dba7b310594092e0a5e7dc

Download Submit
memory/2024-78-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/5044-53-0x00007FF7BB980000-0x00007FF7BBA24000-memory.dmp

Filesize
656KB

Download
memory/5044-43-0x00007FF7BB980000-0x00007FF7BBA24000-memory.dmp

Filesize
656KB

Download
memory/5088-0-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/5088-38-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/5088-2-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download
memory/5088-77-0x0000000000400000-0x0000000000556000-memory.dmp

Filesize
1.3MB

Download