Overview

score | task | platform
10 | Static | static
3 | ussm_setup.exe | windows10-2004-x64
10 | $APPDATA/L...er.scr | windows10-2004-x64
1 | $PLUGINSDI...ol.dll | windows10-2004-x64
3 | $PLUGINSDI...em.dll | windows10-2004-x64
3 | $PLUGINSDI...fo.dll | windows10-2004-x64
3 | $PLUGINSDI...gs.dll | windows10-2004-x64
3 | $PLUGINSDI...id.dll | windows10-2004-x64
3 | $SYSDIR/Li...er.scr | windows10-2004-x64
1 | ISCC.exe | windows10-2004-x64
1 | ISCmplr.dll | windows10-2004-x64
3 | ISPP.dll | windows10-2004-x64
1 | LiveScreensaver.exe | windows10-2004-x64
1 | LiveScreen...or.exe | windows10-2004-x64
(no score) | Setup.exe | windows10-2004-x64
1 | SetupLdr.exe | windows10-2004-x64
1 | islzma.dll | windows10-2004-x64
3 | ss.exe | windows10-2004-x64
1 | ussm.exe | windows10-2004-x64
Analysis

max time kernel: 145s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 17-06-2024 13:31
Static task: static1

Behavioral tasks

task | sample | resource
behavioral1 | ussm_setup.exe | win10v2004-20240611-en
behavioral2 | $APPDATA/Live Screensaver/$SYSDIR/Ultra Screen Saver.scr | win10v2004-20240611-en
behavioral3 | $PLUGINSDIR/AccessControl.dll | win10v2004-20240611-en
behavioral4 | $PLUGINSDIR/System.dll | win10v2004-20240611-en
behavioral5 | $PLUGINSDIR/UserInfo.dll | win10v2004-20240508-en
behavioral6 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20240226-en
behavioral7 | $PLUGINSDIR/nsis_appid.dll | win10v2004-20240508-en
behavioral8 | $SYSDIR/Live Screensaver.scr | win10v2004-20240611-en
behavioral9 | ISCC.exe | win10v2004-20240508-en
behavioral10 | ISCmplr.dll | win10v2004-20240508-en
behavioral11 | ISPP.dll | win10v2004-20240611-en
behavioral12 | LiveScreensaver.exe | win10v2004-20240508-en
behavioral13 | LiveScreensaverCreator.exe | win10v2004-20240611-en
behavioral14 | Setup.exe | win10v2004-20240611-en
behavioral15 | SetupLdr.exe | win10v2004-20240508-en
behavioral16 | islzma.dll | win10v2004-20240508-en
behavioral17 | ss.exe | win10v2004-20240508-en
behavioral18 | ussm.exe | win10v2004-20240508-en
General

Target: ussm_setup.exe
Size: 13.5MB
MD5: 98b8665b96a90c222664747ba5ce87ca
SHA1: 978f73a86c03e03082140ce62b8ec9befd8f68f3
SHA256: 79d09a008ac61e606845d0e17b4fd423bb584807a5c6ae8eb6584215c6856e7b
SHA512: 153adbc03c7fc3172e63433fe21c2df36c162aa67d868f94b2fc5c23c016550378a043acaeeab1fdc0d27ad1cce69393f42a95d4af7880f16eb4ea444ca30585
SSDEEP: 393216:TBK1BgFlNlvvA0fEPi4YGplf1oRm5TyEsOPuzffKD:TA1BgFZv4443B1oM5TZs5rW
Malware Config
Signatures

Banload
Banload variants download malicious files, then install and execute the files.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: ussm.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ussm.exe

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: ussm.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ussm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | ussm.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ussm_setup.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | ussm_setup.exe

Drops file in System32 directory 2 IoCs
Processes: ussm_setup.exe
description | ioc | process
File created | C:\Windows\SysWOW64\Live Screensaver.scr | ussm_setup.exe
File created | C:\Windows\SysWOW64\Ultra Screen Saver.scr | ussm_setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory 40 IoCs
Processes: ussm_setup.exe
description | ioc | process
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\icon.ico | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Icelandic.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ISCmplr.dll | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\LiveScreensaverCreator.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ISPP.dll | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\French.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\islzma.dll | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ss.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Default.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Armenian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Bulgarian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Danish.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Finnish.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\uninst.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\LiveScreensaver.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Hebrew.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Polish.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Portuguese.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Slovenian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\SetupLdr.e32 | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\WizModernImage-IS.bmp | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Corsican.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Dutch.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\German.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Norwegian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ISCC.exe | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Czech.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Japanese.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Slovak.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Turkish.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\ISPPBuiltins.iss | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Setup.e32 | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Catalan.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Italian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Russian.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Spanish.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\WizModernSmallImage-IS.bmp | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\BrazilianPortuguese.isl | ussm_setup.exe
File created | C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Ukrainian.isl | ussm_setup.exe

Executes dropped EXE 2 IoCs
Processes: ussm.exe
pid | process
4796 | ussm.exe
876 | ussm.exe

Loads dropped DLL 7 IoCs
Processes: ussm_setup.exe
pid | process
3272 | ussm_setup.exe (7 entries)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes: ussm_setup.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Live Screensaver.scr = "11000" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Live Screensaver.scr = "1" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LIVESC~1.SCR = "1" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LiveScreensaver.exe = "11000" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LiveScreensaver.exe = "1" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LIVESC~2.EXE = "11000" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LIVESC~1.SCR = "11000" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LIVESC~1.SCR = "1" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING | ussm_setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LIVESC~2.EXE = "1" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LiveScreensaver.exe = "1" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LIVESC~2.EXE = "1" | ussm_setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\Live Screensaver.scr = "1" | ussm_setup.exe
Modifies registry class 38 IoCs
Processes: ussm.exe, ussm_setup.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\NotInsertable | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\Server | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lsc\ = "LiveScreensaverCreator.File" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\ = "open" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll" | ussm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\ThreadingModel = "Both" | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lsc | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\ = "Live Screensaver Creator File" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\DefaultIcon\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\LiveScreensaverCreator.exe" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open\command | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ProgID\ = "ComPlusDebug.CorpubPublish.1" | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D} | ussm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ = "Microsoft Common Language Runtime Debugger Publisher" | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\4.0.30319 | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ProgID | ussm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\ = "Ultra Screen Saver Maker File" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\ = "open" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open\command\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\ussm.exe \"%1\"" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\VersionIndependentProgID\ = "ComPlusDebug.CorpubPublish" | ussm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ssp\ = "UltraScreenSaverMaker.File" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\4.0.30319\ImplementedInThisVersion | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open\command | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\DefaultIcon | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\2.0.50727\ImplementedInThisVersion | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\DefaultIcon | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\DefaultIcon\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\ussm.exe" | ussm_setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open\command\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\LiveScreensaverCreator.exe \"%1\"" | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\2.0.50727 | ussm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\Server\ = "mscordbi.dll" | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\VersionIndependentProgID | ussm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ssp | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell | ussm_setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32 | ussm.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: ussm_setup.exe
pid | process
3272 | ussm_setup.exe (4 entries)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: ussm.exe
description | pid | process
Token: 33 | 876 | ussm.exe
Token: SeIncBasePriorityPrivilege | 876 | ussm.exe
Token: 33 | 876 | ussm.exe
Token: SeIncBasePriorityPrivilege | 876 | ussm.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: ussm.exe
pid | process
876 | ussm.exe (2 entries)

Suspicious use of SetWindowsHookEx 10 IoCs
Processes: ussm.exe
pid | process
876 | ussm.exe (10 entries)

Suspicious use of WriteProcessMemory 64 IoCs
Processes: ussm_setup.exe, ussm.exe
description | pid | process | procid_target
PID 3272 wrote to memory of 4796 | 3272 | ussm_setup.exe | 93 (3 entries)
PID 4796 wrote to memory of 876 | 4796 | ussm.exe | 94 (all remaining entries)
Processes

C:\Users\Admin\AppData\Local\Temp\ussm_setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ussm_setup.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 3272

  C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe
    Command line: "C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4796

    C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe
      Command line: "C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID: 876
Network
MITRE ATT&CK Enterprise v15
Downloads