Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/06/2024, 21:36

General

  • Target

    48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe

  • Size

    423KB

  • MD5

    ad7cf66560e0c2c57ae299f8c727bf66

  • SHA1

    e160143b3037d72a551cfb02a0b98ce32f92dae4

  • SHA256

    48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9

  • SHA512

    ec3feb22cdd7bcada254123424e402e7ddc142b48b5b1b2ee11afdb6f7cc7276787542a6f4fa7e2cb53bef7c4d13ec6cb2b5aee476a4a954748ec5b49ce0fc71

  • SSDEEP

    6144:DP+PtrmEs7eVyYr9AmEcmI5qpYDb1MV+w1ILKcelS4:DP+Pt9sKVyY3EcmIopMbv1Ockd

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 10 IoCs
  • Drops file in Drivers directory 39 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 57 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 26 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe
    "C:\Users\Admin\AppData\Local\Temp\48073376b0a99b7c8f11427dbc92eec03f0ada9976b27e4a8c4f2b6634c2c9f9.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4500
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4628
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2052
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1228
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:844

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\AE 0124 BE.msi

          Filesize

          423KB

          MD5

          486f9620b2994ba36ef9902cf9753c22

          SHA1

          9bc137af24575692930bc1a5072f5190471a82e8

          SHA256

          9c2bac7144ebb4fff2ae479fcd2a40cbf57ef41e609af4f4b53be7f39b915d23

          SHA512

          dde4bcb0cd560bcf427c86e88f2e4e8eb0cdf1108e6b32d8228de9fef192f02906981c6f0572ecfc69929994b6f4f2d344bb8030ec8fcdd3686f7a1985beee9a

        • C:\Windows\Msvbvm60.dll

          Filesize

          1.4MB

          MD5

          25f62c02619174b35851b0e0455b3d94

          SHA1

          4e8ee85157f1769f6e3f61c0acbe59072209da71

          SHA256

          898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

          SHA512

          f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • C:\Windows\SysWOW64\drivers\winlogon.exe

          Filesize

          94KB

          MD5

          c9bbc3081799a8fecfa8360c8d0ba1a9

          SHA1

          956f852d525de269c36d356a73b43a42f839aba7

          SHA256

          1f13f61b6ab1621c02ba45ff6c5a0feb655a90226b05b0e2b5511d3a175a432f

          SHA512

          e62ba334df0c9921b7e9e8c79d1791a4e9c8f8181013bf46514b4b507d3092015d5626a4e1a9d1c62454deabcca6aad2a54cb311fe48c89bf73c93f29489a522

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

          Filesize

          23.7MB

          MD5

          ffe8dee603e50a28f5c44e370c3100f7

          SHA1

          fad7e4adb7f0011f0194d8fe74ec82993b697a23

          SHA256

          73884642e974f4cffd2f8d2883f6bc80b5d9fd4df5b606a03d3b1598acc4f654

          SHA512

          c9b335bfbce35fbe1e66f0a65c511a22291baae645ea5b98a0f62522d6369eb32eac9367a734b4f75277486e3c4bf62059c24112593f85ed44e5b9a632c22cda

        • \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d675654-594c-4590-a5ee-1d1fa03c5e38}_OnDiskSnapshotProp

          Filesize

          6KB

          MD5

          87c1699893f155798530d90fa35a7226

          SHA1

          1d7672eeb569bc209b4614b5b77ce6977e32d226

          SHA256

          9fba6079a6eabbb53ee601eed3fe80ce706ab208f342d5a4764876219fa30d33

          SHA512

          42c8302cda5b1bc539e4767596143334e4fc127623d49ec4d767ee01725e74c43cb5a5961b0a9b501c764ef133a75369819d95b2a21d6dc9fd80598309d684bd

        • \??\c:\B1uv3nth3x1.diz

          Filesize

          21B

          MD5

          9cceaa243c5d161e1ce41c7dad1903dd

          SHA1

          e3da72675df53fffa781d4377d1d62116eafb35b

          SHA256

          814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

          SHA512

          af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

        • memory/1576-452-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2052-107-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2052-104-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/3152-60-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/3152-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4628-453-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4628-472-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4868-84-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4868-83-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB