Analysis

  • max time kernel
    140s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2024, 19:28

General

  • Target

    death.exe

  • Size

    2.5MB

  • MD5

    a39281364d707dd0921b0a36f4a25a4c

  • SHA1

    9e4bc8604667e6295900cc8c2813032206435c6f

  • SHA256

    85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56

  • SHA512

    ee85be6af2692823391c66e957ccb1d187b1e20e94ee3662660a98dbdc1c48ac29dfa6890f80664850622994e8eaf14858e3cb31124b069990cd4fdfa22626dd

  • SSDEEP

    49152:pyqJLwC7u1n7I+uiSerQTEsEdUDxqu4B4sbD3I:RIZWerYD4Bx3

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
  • Modifies security service 2 TTPs 7 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 17 IoCs
  • Modifies system executable filetype association 2 TTPs 24 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 18 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 24 IoCs
  • NTFS ADS 6 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\death.exe
    "C:\Users\Admin\AppData\Local\Temp\death.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies security service
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3612
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2584
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      PID:2108
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe explorer.exe
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3112
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4960
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2900
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:1456
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1720
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:424
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1248
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:552
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:4652
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3284
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4412
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:1200
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4520
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1688
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3776
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:540
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4296
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:232
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3964
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2684
  • C:\Users\Admin\AppData\Local\Temp\death.exe
    C:\Users\Admin\AppData\Local\Temp\death.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    PID:4404
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      PID:3020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\death.exe

    Filesize

    2.5MB

    MD5

    a39281364d707dd0921b0a36f4a25a4c

    SHA1

    9e4bc8604667e6295900cc8c2813032206435c6f

    SHA256

    85193644036aadb03b1573f25145fa89f13ee5b2399133a9424adb7609163b56

    SHA512

    ee85be6af2692823391c66e957ccb1d187b1e20e94ee3662660a98dbdc1c48ac29dfa6890f80664850622994e8eaf14858e3cb31124b069990cd4fdfa22626dd

  • C:\Windows\666.bmp

    Filesize

    370KB

    MD5

    95b1a43e40e5080a626372c916bc04aa

    SHA1

    b969b8cc0580abe72547e4b70e6f25f24494fa46

    SHA256

    432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2

    SHA512

    93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea

  • C:\Windows\mbr.exe

    Filesize

    60KB

    MD5

    e134054e9b86ca5fd7f6102874fa2b1b

    SHA1

    8c31adb4c04754463dfa72f9fda21c86584b68d6

    SHA256

    ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4

    SHA512

    cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845

  • C:\Windows\nt.exe

    Filesize

    35KB

    MD5

    462fcc409a04c19841d97845878a2103

    SHA1

    ea46e199131e6275cc9636d624c1edad25b16303

    SHA256

    985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b

    SHA512

    d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f

  • memory/232-90-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/424-46-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/540-78-0x0000000000AD0000-0x0000000000AEA000-memory.dmp

    Filesize

    104KB

  • memory/1200-60-0x0000000000300000-0x000000000031A000-memory.dmp

    Filesize

    104KB

  • memory/1248-39-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1408-9-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1408-6-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1456-29-0x0000000000CB0000-0x0000000000CCA000-memory.dmp

    Filesize

    104KB

  • memory/1592-55-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/1688-75-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

  • memory/2108-16-0x00000000001D0000-0x00000000001EA000-memory.dmp

    Filesize

    104KB

  • memory/2108-13-0x00000000001D0000-0x00000000001EA000-memory.dmp

    Filesize

    104KB

  • memory/2684-97-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

    Filesize

    104KB

  • memory/2684-95-0x0000000000DC0000-0x0000000000DDA000-memory.dmp

    Filesize

    104KB

  • memory/3112-18-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/3112-80-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/3284-63-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/3612-0-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/3612-64-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/3612-1-0x0000000010000000-0x0000000010015000-memory.dmp

    Filesize

    84KB

  • memory/4296-98-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/4404-100-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/4520-82-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/4520-65-0x0000000000400000-0x0000000000697000-memory.dmp

    Filesize

    2.6MB

  • memory/4652-44-0x0000000000810000-0x000000000082A000-memory.dmp

    Filesize

    104KB

  • memory/4960-25-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB