aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f

Analysis

max time kernel
79s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vm-uw.exe
Size

566KB
MD5

78c6129bfd81f88cfb7171caf2d386a1
SHA1

f626224572dea0bc2983e3b3986bd1c1af5533ce
SHA256

aa1ad7c508d497292d1e017b946cc381be204bd641543bcf584da286eb6f685f
SHA512

38d0f61a25f015ad149765ced45ab81591ec02f9fe290c1560db9f53f9b7e6edc371eaebbcc54156006e63fe323b976bf560b9db69328f5ffe0fd9b734a9717b
SSDEEP

12288:LQM9bROJmafSPZDz7qElw2KxPo0q7qzC9b/uEvtHKYTsviIR8Cufe9ZqQwExr//R:Ld9Mrf7iaNVxowGT/M

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	vm-uw.exe

Executes dropped EXE 2 IoCs

pid	Process
3752	csrss.exe
4560	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\systkm32\csrss.exe	vm-uw.exe
File created	C:\Windows\Fonts\systkm32\svchost.exe	vm-uw.exe
File opened for modification	C:\Windows\Fonts\systkm32\svchost.exe	vm-uw.exe
File created	C:\Windows\Fonts\systkm32\1.ini	cmd.exe
File created	C:\Windows\Fonts\systkm32\vv.bat	vm-uw.exe
File opened for modification	C:\Windows\Fonts\systkm32\vv.bat	vm-uw.exe
File created	C:\Windows\Fonts\systkm32\csrss.exe	vm-uw.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3240	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1832	PING.EXE
4888	PING.EXE
4940	PING.EXE
2340	PING.EXE
3140	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4764	vm-uw.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4764 wrote to memory of 3084	4764	vm-uw.exe	83
PID 4764 wrote to memory of 3084	4764	vm-uw.exe	83
PID 4764 wrote to memory of 3084	4764	vm-uw.exe	83
PID 4764 wrote to memory of 4720	4764	vm-uw.exe	85
PID 4764 wrote to memory of 4720	4764	vm-uw.exe	85
PID 4764 wrote to memory of 4720	4764	vm-uw.exe	85
PID 3084 wrote to memory of 4528	3084	cmd.exe	87
PID 3084 wrote to memory of 4528	3084	cmd.exe	87
PID 3084 wrote to memory of 4528	3084	cmd.exe	87
PID 3084 wrote to memory of 1832	3084	cmd.exe	88
PID 3084 wrote to memory of 1832	3084	cmd.exe	88
PID 3084 wrote to memory of 1832	3084	cmd.exe	88
PID 4720 wrote to memory of 4888	4720	cmd.exe	89
PID 4720 wrote to memory of 4888	4720	cmd.exe	89
PID 4720 wrote to memory of 4888	4720	cmd.exe	89
PID 3084 wrote to memory of 3752	3084	cmd.exe	91
PID 3084 wrote to memory of 3752	3084	cmd.exe	91
PID 3084 wrote to memory of 3752	3084	cmd.exe	91
PID 3084 wrote to memory of 4940	3084	cmd.exe	92
PID 3084 wrote to memory of 4940	3084	cmd.exe	92
PID 3084 wrote to memory of 4940	3084	cmd.exe	92
PID 3084 wrote to memory of 912	3084	cmd.exe	93
PID 3084 wrote to memory of 912	3084	cmd.exe	93
PID 3084 wrote to memory of 912	3084	cmd.exe	93
PID 3084 wrote to memory of 1008	3084	cmd.exe	94
PID 3084 wrote to memory of 1008	3084	cmd.exe	94
PID 3084 wrote to memory of 1008	3084	cmd.exe	94
PID 3084 wrote to memory of 3912	3084	cmd.exe	95
PID 3084 wrote to memory of 3912	3084	cmd.exe	95
PID 3084 wrote to memory of 3912	3084	cmd.exe	95
PID 3084 wrote to memory of 1976	3084	cmd.exe	96
PID 3084 wrote to memory of 1976	3084	cmd.exe	96
PID 3084 wrote to memory of 1976	3084	cmd.exe	96
PID 3084 wrote to memory of 3988	3084	cmd.exe	97
PID 3084 wrote to memory of 3988	3084	cmd.exe	97
PID 3084 wrote to memory of 3988	3084	cmd.exe	97
PID 3084 wrote to memory of 2340	3084	cmd.exe	98
PID 3084 wrote to memory of 2340	3084	cmd.exe	98
PID 3084 wrote to memory of 2340	3084	cmd.exe	98
PID 3084 wrote to memory of 3240	3084	cmd.exe	99
PID 3084 wrote to memory of 3240	3084	cmd.exe	99
PID 3084 wrote to memory of 3240	3084	cmd.exe	99
PID 3084 wrote to memory of 3140	3084	cmd.exe	101
PID 3084 wrote to memory of 3140	3084	cmd.exe	101
PID 3084 wrote to memory of 3140	3084	cmd.exe	101
PID 3084 wrote to memory of 3136	3084	cmd.exe	102
PID 3084 wrote to memory of 3136	3084	cmd.exe	102
PID 3084 wrote to memory of 3136	3084	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\vm-uw.exe
"C:\Users\Admin\AppData\Local\Temp\vm-uw.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\systkm32\vv.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=16 lines=2
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1832
- - C:\Windows\Fonts\systkm32\csrss.exe
    C:\Windows\Fonts\systkm32\csrss.exe WMPNetworkSxc C:\Windows\Fonts\systkm32\svchost.exe
    3⤵
    - Executes dropped EXE
    PID:3752
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v Description /d "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play." /t reg_sz /f
    3⤵
    PID:912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc /v DisplayName /d "Windows Media Player Network Sharing Service." /t reg_sz /f
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v AppDirectory /d "C:\Windows\Fonts\systkm32" /t reg_sz /f
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSxc\Parameters /v Application /d ""C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe" -x "C:\Windows\Logs\ubu\3333.vmx"" /t reg_sz /f
    3⤵
    PID:3988
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2340
- - C:\Windows\SysWOW64\sc.exe
    sc start WMPNetworkSxc
    3⤵
    - Launches sc.exe
    PID:3240
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3140
- - C:\Windows\SysWOW64\regini.exe
    regini 1.ini
    3⤵
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~4362.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4888

C:\Windows\Fonts\systkm32\svchost.exe
C:\Windows\Fonts\systkm32\svchost.exe
1⤵
- Executes dropped EXE
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~4362.tmp.bat

Filesize
148B

MD5
b74dc9a1382752e7c17b02aa1b1a8d65

SHA1
3488ecdae20892ce6bca3a76cd1ecd6c847ad204

SHA256
ed455d5ce44ed20f2589d1e1c166df5586b812902990d9396f5bc227b1be94f3

SHA512
5d32f79ee394907c4fbc84e85cd4981faa3a3ef6be9737bf5bc88f139f4a744515e2ff86cd4ca6b00e4ec464283be980a8f90b46aa097aea357e977849aafe2d

Download Submit
C:\Windows\Fonts\systkm32\1.ini

Filesize
74B

MD5
33568e8baab39ef9097f9b78fe231fb1

SHA1
45c01839b0afef46ebfb4a884ab3ff24ef6ecd49

SHA256
e5c492b214d845af45727327e9aecacbd9632d1aa6dcfb0308abcdb18ca4d5e8

SHA512
f6f432c0aced10fb60aa148939ec9efa7830b98eaf8b4b93c16dc74e9955d712056f4462f93d668cfd4d9b7ff2cab1a823f918ec0b4261f40933075f9a16c2de

Download Submit
C:\Windows\Fonts\systkm32\csrss.exe

Filesize
18KB

MD5
c43d1b84143fb2561f22e1a2c8facf53

SHA1
3f1357007f61f02f97f0aaabb8756c6eca2acebd

SHA256
bbf4c224f9861b2c1f5a1364ee71e38728495b2709621763053b979ba88522f1

SHA512
27a25ab6045498e0b7131be58556c685dfa01596675c3af689e61d8329e1a0eff4128c57e202c32c69271b84f57e7425c45fb5fa132ec0f5b352f86323ffa13e

Download Submit
C:\Windows\Fonts\systkm32\svchost.exe

Filesize
8KB

MD5
4635935fc972c582632bf45c26bfcb0e

SHA1
7c5329229042535fe56e74f1f246c6da8cea3be8

SHA256
abd4afd71b3c2bd3f741bbe3cec52c4fa63ac78d353101d2e7dc4de2725d1ca1

SHA512
167503133b5a0ebd9f8b2971bca120e902497eb21542d6a1f94e52ae8e5b6bde1e4cae1a2c905870a00d772e0df35f808701e2cfbd26dcbb130a5573fa590060

Download Submit
C:\Windows\Fonts\systkm32\vv.bat

Filesize
1KB

MD5
ed936fd33024ac753e8e7be6b4c39f69

SHA1
2a9329edec6273cb30dfd420bde80a4e7675ffc7

SHA256
038a41e1cc19bf3833333dc8997b633cf33500a13c373593408e3416447b8553

SHA512
60c95eb51c5dede283581badf970b6722013a7cb3ced4716dcc74674fdd9b75227300db0edb8f70dc5c760d4bb8313bea1f9403bce2a5b9ac9bbcd10214f6d3f

Download Submit
memory/3752-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download