8a19e614599148c986d418b262b9c83cf90f791e5dee17ac538e0e05eb595064

Analysis

max time kernel
443s
max time network
1167s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-12-2024 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USBPcapSetup-1.5.4.0.exe
Size

190KB
MD5

93c9b5098b1d42c53c7bdd68fe9cd6cf
SHA1

ccfb1497abed432844ad972dea65853dd0e7cba1
SHA256

87a7edf9bbbcf07b5f4373d9a192a6770d2ff3add7aa1e276e82e38582ccb622
SHA512

dc6b84d0784ae36941615565ff21e8634bf36e3efdaff598d470035157a2f148cd1f10031504476f821cd0ce0180c61ee9fe6a7bd0beb3721c4b1c738f61fef1
SSDEEP

3072:PQZmPYFFiorvcQNpDjrc5nMDi93g6HC+0vaiFxMv6mwSARrwPKVvbygEXoHApLG6:PQLFhJXrcVMDcgoCtswShkTAoRA9

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SET1884.tmp	RUNDLL32.EXE
File created	C:\Windows\system32\DRIVERS\SET1884.tmp	RUNDLL32.EXE
File opened for modification	C:\Windows\system32\DRIVERS\USBPcap.sys	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	RUNDLL32.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\USBPcap\USBPcapCMD.exe	USBPcapSetup-1.5.4.0.exe
File created	C:\Program Files\USBPcap\USBPcap.inf	USBPcapSetup-1.5.4.0.exe
File created	C:\Program Files\USBPcap\USBPcap.sys	USBPcapSetup-1.5.4.0.exe
File created	C:\Program Files\USBPcap\usbpcapamd64.cat	USBPcapSetup-1.5.4.0.exe
File created	C:\Program Files\USBPcap\Uninstall.exe	USBPcapSetup-1.5.4.0.exe

Executes dropped EXE 1 IoCs

pid	Process
1712	USBPcapCMD.exe

Loads dropped DLL 2 IoCs

pid	Process
1172	USBPcapSetup-1.5.4.0.exe
1172	USBPcapSetup-1.5.4.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	USBPcapSetup-1.5.4.0.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008b4330a7ef31bdc60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008b4330a70000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008b4330a7000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8b4330a7000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008b4330a700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	4984	vssvc.exe
Token: SeRestorePrivilege	4984	vssvc.exe
Token: SeAuditPrivilege	4984	vssvc.exe
Token: SeBackupPrivilege	2736	srtasks.exe
Token: SeRestorePrivilege	2736	srtasks.exe
Token: SeSecurityPrivilege	2736	srtasks.exe
Token: SeTakeOwnershipPrivilege	2736	srtasks.exe
Token: SeBackupPrivilege	2736	srtasks.exe
Token: SeRestorePrivilege	2736	srtasks.exe
Token: SeSecurityPrivilege	2736	srtasks.exe
Token: SeTakeOwnershipPrivilege	2736	srtasks.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 4552	1172	USBPcapSetup-1.5.4.0.exe	93
PID 1172 wrote to memory of 4552	1172	USBPcapSetup-1.5.4.0.exe	93
PID 4552 wrote to memory of 1984	4552	RUNDLL32.EXE	94
PID 4552 wrote to memory of 1984	4552	RUNDLL32.EXE	94
PID 1984 wrote to memory of 4504	1984	runonce.exe	95
PID 1984 wrote to memory of 4504	1984	runonce.exe	95
PID 1172 wrote to memory of 1712	1172	USBPcapSetup-1.5.4.0.exe	97
PID 1172 wrote to memory of 1712	1172	USBPcapSetup-1.5.4.0.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\USBPcapSetup-1.5.4.0.exe
"C:\Users\Admin\AppData\Local\Temp\USBPcapSetup-1.5.4.0.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\system32\RUNDLL32.EXE
  C:\Windows\system32\RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 .\USBPcap.inf
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\system32\runonce.exe
    "C:\Windows\system32\runonce.exe" -r
    3⤵
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\grpconv.exe
      "C:\Windows\System32\grpconv.exe" -o
      4⤵
      PID:4504
- C:\Program Files\USBPcap\USBPcapCMD.exe
  "C:\Program Files\USBPcap\USBPcapCMD.exe" -I
  2⤵
  - Executes dropped EXE
  PID:1712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~1\USBPcap\USBPcap.sys

Filesize
51KB

MD5
01304fc31498030c789e80910a356e6b

SHA1
8a8da048c75a6a587b7636ade603cc611b3c4833

SHA256
f340a8cf2f127be2e6b558586b76b51ba5e8c58c462a8d9eecc1955771cb2974

SHA512
48921040e1108478f5bc5969ede09c9fdc1cb76df05cee47fd97502343e2975b0e161607596eaf6e384586e006da4820adbd65937d65d51e14fb9bdcb4d4c7fd

Download Submit
C:\Program Files\USBPcap\USBPcap.inf

Filesize
1KB

MD5
98ccf371dde01388184d06b470ce4303

SHA1
0a7b549c80fea977aa8073facfacd33d548c8746

SHA256
08289f227abc0ee9a681f6af3f9abb12c160f95c37f02691e46b70305961f76e

SHA512
757ed42e4372228818d61eae83c605d86e604e49441d795a2d4caf4fe8c3164263deb1868b795fb0e5a9c8f9236ab733c15cd1c906b9affa28c98717ed072e8a

Download Submit
C:\Program Files\USBPcap\USBPcapCMD.exe

Filesize
55KB

MD5
939020f02ba0dffd7a7a1d45182c3bc4

SHA1
c219269325c53ed5d69343086dfdd853e533b072

SHA256
8b13173e9453fda9914d707c732880de44081e20e1113b3a2c827abd7a28b15d

SHA512
d0c09838a028bfbf3477fbf13d05753a3ec2fa7f87b92d94c516fbe9d35fb4c9b7fb85efa78d6c8fff8b4105cd8e2db107974800695b49dc85e3745b646c4055

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68ED.tmp\SysRestore.dll

Filesize
5KB

MD5
c1e07f0ea14ebf4142176d340ed421f3

SHA1
f3524213ebbb53b4ce9ae1a1172897d4438445ed

SHA256
9176c65e37d931edeeb51f9deb1ab9b5ac2d1c6311ad85339bb79f0f2840b2a9

SHA512
3e69f403bdd041ce9da91307659645f44a760360e69e986c1740b04be0dd66bfa017ce8783f9f4f81d545eb43eb68df09c90c8391c2a417cf611064dba5453a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd68ED.tmp\System.dll

Filesize
11KB

MD5
0063d48afe5a0cdc02833145667b6641

SHA1
e7eb614805d183ecb1127c62decb1a6be1b4f7a8

SHA256
ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

SHA512
71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads