Overview

overview

7

Static

static

3

vm-uw.exe

windows7-x64

7

vm-uw.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    11-06-2024 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vm-uw.exe

  • Size

    566KB

  • MD5

    78c6129bfd81f88cfb7171caf2d386a1

  • SHA1

    f626224572dea0bc2983e3b3986bd1c1af5533ce

  • SHA256

    aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f

  • SHA512

    38d0f61a25f015ad149765ced45ab81591ec02f9fe290c1560db9f53f9b7e6edc371eaebbcc54156006e63fe323b976bf560b9db69328f5ffe0fd9b734a9717b

  • SSDEEP

    12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//R:Ld9Mrf7iaNVxowGT/M

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vm-uw.exe
    "C:\Users\Admin\AppData\Local\Temp\vm-uw.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Windows\Fonts\systkm32\vv.bat" "
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\mode.com
        mode con: cols=16 lines=2
        3⤵
          PID:1472
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2688
        • C:\Windows\Fonts\systkm32\csrss.exe
          C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe
          3⤵
          • Executes dropped EXE
          PID:2640
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:2756
        • C:\Windows\SysWOW64\reg.exe
          reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f
          3⤵
            PID:2780
          • C:\Windows\SysWOW64\reg.exe
            reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f
            3⤵
              PID:2580
            • C:\Windows\SysWOW64\reg.exe
              reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters
              3⤵
                PID:2616
              • C:\Windows\SysWOW64\reg.exe
                reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f
                3⤵
                  PID:2372
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f
                  3⤵
                    PID:2504
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1
                    3⤵
                    • Runs ping.exe
                    PID:2736
                  • C:\Windows\SysWOW64\sc.exe
                    sc start WMPNetworkSxc
                    3⤵
                    • Launches sc.exe
                    PID:2500
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1
                    3⤵
                    • Runs ping.exe
                    PID:2208
                  • C:\Windows\SysWOW64\regini.exe
                    regini 1.ini
                    3⤵
                      PID:1232
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~14B9.tmp.bat"
                    2⤵
                    • Deletes itself
                    • Suspicious use of WriteProcessMemory
                    PID:1068
                    • C:\Windows\SysWOW64\PING.EXE
                      ping 127.0.0.1 -n 2
                      3⤵
                      • Runs ping.exe
                      PID:2588
                • C:\Windows\Fonts\systkm32\svchost.exe
                  C:\Windows\Fonts\systkm32\svchost.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2516

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\Local\Temp\HZ~14B9.tmp.bat
                  Filesize

                  148B

                  MD5

                  b74dc9a1382752e7c17b02aa1b1a8d65

                  SHA1

                  3488ecdae20892ce6bca3a76cd1ecd6c847ad204

                  SHA256

                  ed455d5ce44ed20f2589d1e1c166df5586b812902990d9396f5bc227b1be94f3

                  SHA512

                  5d32f79ee394907c4fbc84e85cd4981faa3a3ef6be9737bf5bc88f139f4a744515e2ff86cd4ca6b00e4ec464283be980a8f90b46aa097aea357e977849aafe2d

                  Download Submit

                • C:\Windows\Fonts\systkm32\1.ini
                  Filesize

                  74B

                  MD5

                  33568e8baab39ef9097f9b78fe231fb1

                  SHA1

                  45c01839b0afef46ebfb4a884ab3ff24ef6ecd49

                  SHA256

                  e5c492b214d845af45727327e9aecacbd9632d1aa6dcfb0308abcdb18ca4d5e8

                  SHA512

                  f6f432c0aced10fb60aa148939ec9efa7830b98eaf8b4b93c16dc74e9955d712056f4462f93d668cfd4d9b7ff2cab1a823f918ec0b4261f40933075f9a16c2de

                  Download Submit

                • C:\Windows\Fonts\systkm32\csrss.exe
                  Filesize

                  18KB

                  MD5

                  c43d1b84143fb2561f22e1a2c8facf53

                  SHA1

                  3f1357007f61f02f97f0aaabb8756c6eca2acebd

                  SHA256

                  bbf4c224f9861b2c1f5a1364ee71e38728495b2709621763053b979ba88522f1

                  SHA512

                  27a25ab6045498e0b7131be58556c685dfa01596675c3af689e61d8329e1a0eff4128c57e202c32c69271b84f57e7425c45fb5fa132ec0f5b352f86323ffa13e

                  Download Submit

                • C:\Windows\Fonts\systkm32\svchost.exe
                  Filesize

                  8KB

                  MD5

                  4635935fc972c582632bf45c26bfcb0e

                  SHA1

                  7c5329229042535fe56e74f1f246c6da8cea3be8

                  SHA256

                  abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

                  SHA512

                  167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

                  Download Submit

                • C:\Windows\Fonts\systkm32\vv.bat
                  Filesize

                  1KB

                  MD5

                  ed936fd33024ac753e8e7be6b4c39f69

                  SHA1

                  2a9329edec6273cb30dfd420bde80a4e7675ffc7

                  SHA256

                  038a41e1cc19bf3833333dc8997b633cf33500a13c373593408e3416447b8553

                  SHA512

                  60c95eb51c5dede283581badf970b6722013a7cb3ced4716dcc74674fdd9b75227300db0edb8f70dc5c760d4bb8313bea1f9403bce2a5b9ac9bbcd10214f6d3f

                  Download Submit

                • memory/2640-20-0x0000000000400000-0x000000000040A000-memory.dmp

                  Filesize

                  40KB

                  Download