Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/06/2024, 01:10

General

  • Target

    9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe

  • Size

    292KB

  • MD5

    a273044943723ee8f98fc5212a5176b2

  • SHA1

    83840f7c21ba99a59cbad0c3a80cdf4fb2d5460b

  • SHA256

    9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99

  • SHA512

    e3b7f6fd0a1bd922d091dafce5fa73b55a85917aa18a0067b7dc4e89501de916029c35ed46677e4bf24012c97f5347e32c119721bf866ba947bdf4a95660112e

  • SSDEEP

    3072:2r+Fu6eC0VjywzvcXcSqviamCIngQMTqGMWH2EZjg1wmxNAntKHzvtCQj:E5vcXgvibeqGNWE9+7AnAHzvtB

Score
9/10
upx

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 10 IoCs
  • Drops file in Drivers directory 39 IoCs
  • Manipulates Digital Signatures 2 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops desktop.ini file(s) 57 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 26 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe
    "C:\Users\Admin\AppData\Local\Temp\9dc78a7c0120787631185f55bbed144e82c19e8eb0c2a66e445ed40db2ee4d99.exe"
    1⤵
    • Drops file in Drivers directory
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1852
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i "C:\Windows\AE 0124 BE.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:184
    • C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks computer location settings
      • Executes dropped EXE
      • Drops autorun.inf file
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\AE 0124 BE.exe
        "C:\Windows\AE 0124 BE.exe"
        3⤵
        • Drops file in Drivers directory
        • Manipulates Digital Signatures
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops desktop.ini file(s)
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3392
        • C:\Windows\SysWOW64\drivers\winlogon.exe
          "C:\Windows\System32\drivers\winlogon.exe"
          4⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:968
      • C:\Windows\SysWOW64\drivers\winlogon.exe
        "C:\Windows\System32\drivers\winlogon.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2300
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4248
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2688

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\AE 0124 BE.msi

          Filesize

          292KB

          MD5

          5509e489819927ce83d9cdb410aa17dc

          SHA1

          87dab44eb3da7d0b538593b1ca854712f41d6b8e

          SHA256

          2a033498341bf9e3db3df3f46cf183c6fb5a9d86313cefb39271bfdd8b7dd834

          SHA512

          d82198c6667522cbd3789ff7f723c5a0c708a161443692ba6f3662aae77a64ca7fbbe802a1690c555444d3e7a1e0bab9d75f1b0a139be7dd14e71c18d4a38c50

        • C:\Windows\Msvbvm60.dll

          Filesize

          1.4MB

          MD5

          25f62c02619174b35851b0e0455b3d94

          SHA1

          4e8ee85157f1769f6e3f61c0acbe59072209da71

          SHA256

          898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

          SHA512

          f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • C:\Windows\SysWOW64\drivers\winlogon.exe

          Filesize

          48KB

          MD5

          833e9f4555d6dd92739f161eab2516a3

          SHA1

          f946f93117471d4fff1350a8b024f03b46de4ccd

          SHA256

          786d08a766f02b62f6a5886238867b73e0bb5fe28cf0c0bf31ed9c820444dbeb

          SHA512

          618f0ba39f7e5b251fac5c135bdf182dfadbb086d63983ddbaf1726c02a19d562c5504bacf042dcd72a982257a2af958257b1ab9b82f7f19b41f094e0f84df0a

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

          Filesize

          23.7MB

          MD5

          2440b992447fa1306bac42b144a83f64

          SHA1

          9e4ea56056af053b8bdaf07eb6e37687f814ca1f

          SHA256

          7420a6bbd7397feed1d32183dbc7372fa6c76bfb0f4d4f12b8b00c4a6842f2ac

          SHA512

          94fecddab8e6eba72ade1ff9b3b0aa2354d62a3096e939ba95c5ed7c1529d20609abd17e9ddecec624de525a9fa950d3b5536605f6b074234274539b18a57734

        • \??\Volume{8ccc3c3f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f73a5f3c-3a0a-4ff7-b790-72ae5d809bdc}_OnDiskSnapshotProp

          Filesize

          6KB

          MD5

          324a3418cb1dd4edf787a6b0b05d976c

          SHA1

          10428bcbf410dfe8169a1de6cde843dc8a8de4e6

          SHA256

          c8026051ccba231bf1c1c841a08a68850eeed47f2b0c1c943776af71184ece5a

          SHA512

          74f76ebe0cf0d802447a5de484e6841c88f819b45531ef673adf1478f95f068d11648959478c104e0cefa455eadda3e682cad46bab7288a3640750c80a5c3cd4

        • \??\c:\B1uv3nth3x1.diz

          Filesize

          21B

          MD5

          9cceaa243c5d161e1ce41c7dad1903dd

          SHA1

          e3da72675df53fffa781d4377d1d62116eafb35b

          SHA256

          814649b436ea43dd2abb99693e06019d4079ee74d02a0395913add0ba92d0189

          SHA512

          af9b75dc9a0b39d12d48bf6d40eb7d778eb9dd976302792271d8d4245a916027cf4e705d6cd7a5e6582ba94953346f291122f27d377b2c1a86e45f49e92efb5b

        • memory/968-90-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/968-92-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/1852-0-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/1852-63-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/2300-84-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/3392-452-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/3392-473-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4192-451-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB

        • memory/4192-55-0x0000000000400000-0x000000000040B000-memory.dmp

          Filesize

          44KB