Malware Analysis Report

2024-09-11 04:03

Sample ID 240624-km3gpstdkh
Target MicrosoftToolkit.exe
SHA256 2a9b1c1f730c4146ff4356e3c5b6329ff5ea6f022d51146b61df8d276afd90df
Tags
discovery spyware stealer upx exploit
score
8/10

Analysis Overview

score
8/10

SHA256

2a9b1c1f730c4146ff4356e3c5b6329ff5ea6f022d51146b61df8d276afd90df

Threat Level: Likely malicious

The file MicrosoftToolkit.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery spyware stealer upx exploit

Possible privilege escalation attempt

Checks computer location settings

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Checks BIOS information in registry

Executes dropped EXE

UPX packed file

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-24 08:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-24 08:43

Reported

2024-06-24 08:47

Platform

win11-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxfor4vs.top udp
RU 2.59.42.250:80 rxfor4vs.top tcp
RU 2.59.42.250:80 rxfor4vs.top tcp
RU 2.59.42.250:80 rxfor4vs.top tcp

Files

memory/760-0-0x00000000152A0000-0x00000000152A1000-memory.dmp

memory/760-1-0x00000000152B0000-0x00000000152B1000-memory.dmp

memory/760-2-0x0000000000840000-0x0000000001840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 323c0fd51071400b51eedb1be90a8188
SHA1 0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

memory/1444-16-0x0000000000400000-0x0000000000623000-memory.dmp

memory/1444-17-0x0000000000B70000-0x0000000000B83000-memory.dmp

memory/1444-38-0x0000000010000000-0x0000000010021000-memory.dmp

memory/1444-62-0x0000000002490000-0x00000000024A0000-memory.dmp

memory/1444-46-0x0000000002460000-0x0000000002471000-memory.dmp

memory/1444-71-0x00000000024A0000-0x00000000024C0000-memory.dmp

memory/1444-30-0x0000000002440000-0x0000000002452000-memory.dmp

memory/1444-54-0x0000000002480000-0x0000000002490000-memory.dmp

memory/1444-25-0x0000000000B20000-0x0000000000B30000-memory.dmp

memory/1444-80-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-24 08:43

Reported

2024-06-24 08:46

Platform

win7-20240611-en

Max time kernel

62s

Max time network

36s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\bootsect.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2236 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2260 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 2400 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2400 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2400 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2400 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2400 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2260 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 940 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 940 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 940 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 940 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 940 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 936 wrote to memory of 2800 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 2260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2704 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2704 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2704 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 2260 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 1640 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1640 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 1640 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2260 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2260 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\cmd.exe
PID 2948 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2948 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2948 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cscript.exe
PID 2260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "cmd.exe /c takeown /f C:\ldrscan\bootwin"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\takeown.exe

takeown /f C:\ldrscan\bootwin

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)"

C:\Windows\SysWOW64\icacls.exe

icacls C:\ldrscan\bootwin /grant *S-1-1-0:(F)

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS""

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ilc "C:\Acer.XRM-MS"

C:\Windows\system32\cmd.exe

cmd.exe /A /C "C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2"

C:\Windows\System32\cscript.exe

C:\Windows\System32\cscript.exe //nologo C:\Windows\System32\slmgr.vbs -ipk FJGCP-4DFJD-GJY49-VJBQ7-HYRR2

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "compact /u \\?\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK"

C:\Windows\SysWOW64\compact.exe

compact /u \\?\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK

C:\Windows\SysWOW64\cmd.exe

cmd.exe /A /C "C:\bootsect.exe /nt60 SYS /force"

C:\bootsect.exe

C:\bootsect.exe /nt60 SYS /force

C:\Windows\System32\control.exe

"C:\Windows\System32\control.exe" SYSTEM

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxfor4vs.top udp
RU 2.59.42.250:80 rxfor4vs.top tcp
RU 2.59.42.250:80 rxfor4vs.top tcp
RU 2.59.42.250:80 rxfor4vs.top tcp

Files

memory/2236-4-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2236-2-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2236-0-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2236-5-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2236-7-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2236-9-0x0000000000030000-0x0000000000031000-memory.dmp

memory/2236-10-0x00000000011F0000-0x00000000021F0000-memory.dmp

\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 323c0fd51071400b51eedb1be90a8188
SHA1 0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

memory/2236-17-0x0000000017170000-0x0000000017393000-memory.dmp

memory/2260-21-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2260-22-0x0000000000640000-0x0000000000653000-memory.dmp

memory/2260-35-0x0000000000670000-0x0000000000682000-memory.dmp

memory/2260-67-0x00000000006C0000-0x00000000006D0000-memory.dmp

memory/2260-59-0x00000000006B0000-0x00000000006C0000-memory.dmp

memory/2260-51-0x0000000000690000-0x00000000006A1000-memory.dmp

memory/2260-43-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2260-30-0x0000000000660000-0x0000000000670000-memory.dmp

C:\Acer.XRM-MS

MD5 f25832af6a684360950dbb15589de34a
SHA1 17ff1d21005c1695ae3dcbdc3435017c895fff5d
SHA256 266d64637cf12ff961165a018f549ff41002dc59380605b36d65cf1b8127c96f
SHA512 e0cf23351c02f4afa85eedc72a86b9114f539595cbd6bcd220e8b8d70fa6a7379dcd947ea0d59332ba672f36ebda6bd98892d9b6b20eedafc8be168387a3dd5f

memory/2260-89-0x0000000000400000-0x0000000000623000-memory.dmp

\??\Volume{b9263cc3-28a0-11ef-8413-806e6f6e6963}\HBAQK

MD5 da484d4cc3f831a84fa8fa0a2f44d73b
SHA1 6f3acbd82137a49cb4115bbc32b321dd0c8cba57
SHA256 9381d50bd1f24c7a93c362803025790bd88c826491a4b8362484b30dde23385a
SHA512 352abc87f3334fb0fbb2d82b5f0207d8d0facc6ccc87c299161c4a7080fa0267c1974bf93d897ea143d7000823836e094c2900059c40923a1e63ad4b369fe4b9

C:\bootsect.exe

MD5 6230892eb4956ba523fe87e35687e772
SHA1 7c5850aeae751865a4981c26eb4e8378a17abd6d
SHA256 1c90b2d8138b8f68301c817f2d119cde629bf8d746b4d49238e460ddb6bc8fd8
SHA512 b9e416a56803ef91935d618367197631f657575bc38607c91af424e1414fc62b9e044dd384704bff643bd70721d754c8f6384605dfd548d5d3667567710dfe71

memory/2260-101-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-24 08:43

Reported

2024-06-24 08:47

Platform

win10-20240404-en

Max time kernel

150s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxfor4vs.top udp
RU 2.59.42.250:80 rxfor4vs.top tcp
US 8.8.8.8:53 250.42.59.2.in-addr.arpa udp
RU 2.59.42.250:80 rxfor4vs.top tcp
RU 2.59.42.250:80 rxfor4vs.top tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/4400-0-0x00000000149E0000-0x00000000149E1000-memory.dmp

memory/4400-1-0x00000000149F0000-0x00000000149F1000-memory.dmp

memory/4400-4-0x0000000000080000-0x0000000001080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 323c0fd51071400b51eedb1be90a8188
SHA1 0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

memory/2996-10-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2996-11-0x0000000002A10000-0x0000000002A23000-memory.dmp

memory/2996-19-0x0000000000920000-0x0000000000930000-memory.dmp

memory/2996-24-0x0000000002A30000-0x0000000002A42000-memory.dmp

memory/2996-32-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2996-64-0x0000000002DC0000-0x0000000002DE0000-memory.dmp

memory/2996-56-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

memory/2996-48-0x0000000002310000-0x0000000002320000-memory.dmp

memory/2996-40-0x0000000002D90000-0x0000000002DA1000-memory.dmp

memory/2996-74-0x0000000000400000-0x0000000000623000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-24 08:43

Reported

2024-06-24 08:47

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe

"C:\Users\Admin\AppData\Local\Temp\MicrosoftToolkit.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp
US 8.8.8.8:53 rxfor4vs.top udp

Files

memory/1628-0-0x0000000014D00000-0x0000000014D01000-memory.dmp

memory/1628-1-0x0000000014D10000-0x0000000014D11000-memory.dmp

memory/1628-2-0x00000000000A0000-0x00000000010A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe

MD5 323c0fd51071400b51eedb1be90a8188
SHA1 0efc35935957c25193bbe9a83ab6caa25a487ada
SHA256 2f2aba1e074f5f4baa08b524875461889f8f04d4ffc43972ac212e286022ab94
SHA512 4c501c7135962e2f02b68d6069f2191ddb76f990528dacd209955a44972122718b9598400ba829abab2d4345b4e1a4b93453c8e7ba42080bd492a34cf8443e7e

memory/2628-16-0x0000000000400000-0x0000000000623000-memory.dmp

memory/2628-62-0x0000000002E50000-0x0000000002E60000-memory.dmp

memory/2628-70-0x0000000002E60000-0x0000000002E80000-memory.dmp

memory/2628-54-0x00000000024F0000-0x0000000002500000-memory.dmp

memory/2628-46-0x00000000024D0000-0x00000000024E1000-memory.dmp

memory/2628-38-0x0000000010000000-0x0000000010021000-memory.dmp

memory/2628-31-0x00000000024B0000-0x00000000024C2000-memory.dmp

memory/2628-25-0x0000000002230000-0x0000000002240000-memory.dmp

memory/2628-17-0x0000000002490000-0x00000000024A3000-memory.dmp

memory/2628-80-0x0000000000400000-0x0000000000623000-memory.dmp