Overview

overview

5

Static

static

3

usermode.exe

windows7-x64

5

usermode.exe

windows10-2004-x64

5

Analysis

  • max time kernel
    35s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    20/08/2024, 14:18

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    usermode.exe

  • Size

    1.2MB

  • MD5

    2cbb06b192641e3f512b3a3ff9e53360

  • SHA1

    574c4c3a895867738b2a2777eebdd296c454ae9f

  • SHA256

    e7a38fbc39d8d3074d1adab51c1fd226346f40066f8cf525de60797cac03c732

  • SHA512

    112c632ba721d1c6c5c7f19c14bcca0c646b635de64701bc53d6ea852ded11dfe30d938395feee8b099e0706c39f439c3464da68da01ec8c1f6e335120134894

  • SSDEEP

    24576:LWecub3XtqO9zmFwb6tZJ7kBuGKFbnVy47QGKTUrE+:jcuLNFmKwZ9dnVy47QPe

Score
5/10

Malware Config

Signatures

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\usermode.exe
    "C:\Users\Admin\AppData\Local\Temp\usermode.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Windows\system32\certutil.exe
        certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\usermode.exe" MD5
        3⤵
          PID:2376
        • C:\Windows\system32\find.exe
          find /i /v "md5"
          3⤵
            PID:2696
          • C:\Windows\system32\find.exe
            find /i /v "certutil"
            3⤵
              PID:3032
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c cls
            2⤵
              PID:2828
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2728
              • C:\Windows\system32\cmd.exe
                cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Session not found. Use latest code. You can only have app opened 1 at a time. && timeout /t 5"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2744
                • C:\Windows\system32\timeout.exe
                  timeout /t 5
                  4⤵
                  • Delays execution with timeout.exe
                  PID:2392
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 1752 -s 856
              2⤵
                PID:2752

            Network

                  MITRE ATT&CK Matrix

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads