Analysis

  • max time kernel
    140s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/10/2024, 19:33

General

  • Target
    project1.exe
  • Size
    2.5MB
  • MD5
    f3346cec01e6868ec4f593e7169dec18
  • SHA1
    6edc85958c45aa4d27bfa604b507fd032656dfd7
  • SHA256
    a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c
  • SHA512
    a4bef1622a434c19329e9d8a26b93687bb5b5658d97d071817efed856c6156e997970dea29cac81b5d45c48d350b6546ca56c2290b919187cb9094e8632e366f
  • SSDEEP
    49152:fyVIxBwpXBdjmo4k1H5QCsqzklVs1HB4sb:XBFfo5QCsPOB

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 18 IoCs
  • Modifies security service 2 TTPs 7 IoCs
  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 22 IoCs
  • Modifies system executable filetype association 2 TTPs 32 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 16 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 24 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 32 IoCs
  • NTFS ADS 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    "C:\Users\Admin\AppData\Local\Temp\project1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies security service
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3244
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1712
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:4764
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1156
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3904
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2668
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:4864
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4852
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe explorer.exe
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2124
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4948
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:1176
  • C:\Windows\system32\dwm.exe
    "dwm.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4368
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4776
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:372
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3600
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:3784
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2916
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:5116
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:4588
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3448
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4276
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:1040
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4660
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4484
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1712
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:2240
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
    1⤵
    • Modifies WinLogon for persistence
    • Event Triggered Execution: Image File Execution Options Injection
    • Executes dropped EXE
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • NTFS ADS
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1512
    • C:\Windows\mbr.exe
      "C:\Windows\mbr.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      PID:2260
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Windows\mbr.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1484
    • C:\Windows\nt.exe
      C:\Windows\nt.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:3668
  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    C:\Users\Admin\AppData\Local\Temp\project1.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
    1⤵
    PID:3636

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\project1.exe
    Filesize: 2.5MB
    MD5: f3346cec01e6868ec4f593e7169dec18
    SHA1: 6edc85958c45aa4d27bfa604b507fd032656dfd7
    SHA256: a29451e1b94ab7a4a4de84be214d39d3c6ff3343dc5df041e627d1071b70201c
    SHA512: a4bef1622a434c19329e9d8a26b93687bb5b5658d97d071817efed856c6156e997970dea29cac81b5d45c48d350b6546ca56c2290b919187cb9094e8632e366f

  • C:\Windows\666.bmp
    Filesize: 370KB
    MD5: 95b1a43e40e5080a626372c916bc04aa
    SHA1: b969b8cc0580abe72547e4b70e6f25f24494fa46
    SHA256: 432b44507d1665f903a65d3b04ef0e0c45ce9c03d1bf6b46d556e01c06138aa2
    SHA512: 93c91951fa4f5554d40871519903435ec50c415c8ae6e808c30f5ad09912d51659680ba500d2abba1de05bd646616cf57305f3f54f64a0dcd64a14348f5f23ea

  • C:\Windows\mbr.exe
    Filesize: 60KB
    MD5: e134054e9b86ca5fd7f6102874fa2b1b
    SHA1: 8c31adb4c04754463dfa72f9fda21c86584b68d6
    SHA256: ac6b7a459ab2ae4b618ffb392746ef5ecafcc2d74ad0538698d598ddeb6229c4
    SHA512: cfc63ef3c57a912b02d1bbdbcaae0dfc917e0ceb30e91868313769fb1be1722d68cd9afc84f399df149c01193a984c1a09d360aaa78d8b9d3fac780ae5b28845

  • C:\Windows\nt.exe
    Filesize: 35KB
    MD5: 462fcc409a04c19841d97845878a2103
    SHA1: ea46e199131e6275cc9636d624c1edad25b16303
    SHA256: 985e9ffaed5dfcfd00b33e5c2af3cb7284475172f8b7bfbd4393a94a31fcb96b
    SHA512: d222770d23c20865f9929284687967a6ad9cbc4b92de8d7ee053dc432e808ba7d9e50669184076407a4e0f6a4269a2bee3fad6cab3126c3744977d3e52fc3a0f

  • memory/372-51-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1040-87-0x0000000000250000-0x000000000026A000-memory.dmp (Filesize: 104KB)
  • memory/1040-85-0x0000000000250000-0x000000000026A000-memory.dmp (Filesize: 104KB)
  • memory/1172-36-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1172-34-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/1176-41-0x0000000000D50000-0x0000000000D6A000-memory.dmp (Filesize: 104KB)
  • memory/2240-100-0x00000000004E0000-0x00000000004FA000-memory.dmp (Filesize: 104KB)
  • memory/2240-102-0x00000000004E0000-0x00000000004FA000-memory.dmp (Filesize: 104KB)
  • memory/2260-111-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3668-118-0x0000000000530000-0x000000000054A000-memory.dmp (Filesize: 104KB)
  • memory/3668-116-0x0000000000530000-0x000000000054A000-memory.dmp (Filesize: 104KB)
  • memory/3684-66-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/3784-56-0x0000000000030000-0x000000000004A000-memory.dmp (Filesize: 104KB)
  • memory/3904-14-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4008-7-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4008-4-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4028-80-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4484-95-0x0000000000400000-0x000000000043F000-memory.dmp (Filesize: 252KB)
  • memory/4588-71-0x0000000000DF0000-0x0000000000E0A000-memory.dmp (Filesize: 104KB)
  • memory/4764-25-0x00000000003F0000-0x000000000040A000-memory.dmp (Filesize: 104KB)
  • memory/4864-21-0x00000000006A0000-0x00000000006BA000-memory.dmp (Filesize: 104KB)
  • memory/4864-18-0x00000000006A0000-0x00000000006BA000-memory.dmp (Filesize: 104KB)