cc00f4cf49623023e6a13a500fda644a1d39703677b2abe0b73b4ccdf7e87c93

Analysis

max time kernel
148s
max time network
152s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02-01-2025 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chloride Tweaks Ultimate 2.0.0/2 Tools/6 WPD.exe
Size

576KB
MD5

65325f636ac238568a21f389387f0299
SHA1

acf8022648f3eab3b6da50e0f90301eefe64a3f7
SHA256

c21e9de5b28de8edfb6b2264b33846e842f7954ad70fa07b3c652feb5f0a09d7
SHA512

9580e5f040f7adb0cfd5dc8749ddc501c97c849fd7bde4b2d66af6beb5d4a2505546b053723d53009ece3014ee87723bbc23729e43c6aec0698ff514c2ac33a2
SSDEEP

6144:TRQucww8JJQLbRYX3XJ7Sjt52vljOwsxVDC5Mq7Zj2R7beOW2wmIyWk5QoBN6Z61:1cwoQkl2JI

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	6 WPD.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6 WPD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1411052346-3904498293-150013998-1000\Control Panel\International\User Profile\HttpAcceptLanguageOptOut = "0"	6 WPD.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2984	6 WPD.exe
2984	6 WPD.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	6 WPD.exe
Token: SeBackupPrivilege	4064	vssvc.exe
Token: SeRestorePrivilege	4064	vssvc.exe
Token: SeAuditPrivilege	4064	vssvc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\2 Tools\6 WPD.exe
"C:\Users\Admin\AppData\Local\Temp\Chloride Tweaks Ultimate 2.0.0\2 Tools\6 WPD.exe"
1⤵
- Drops file in System32 directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4616,i,3154206195988791752,9697906671389759283,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=5192,i,3154206195988791752,9697906671389759283,262144 --variations-seed-version --mojo-platform-channel-handle=3268 /prefetch:8
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2984-0-0x00007FFD15613000-0x00007FFD15615000-memory.dmp

Filesize
8KB

Download
memory/2984-1-0x0000017065870000-0x0000017065904000-memory.dmp

Filesize
592KB

Download
memory/2984-2-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-5-0x0000017065CA0000-0x0000017065CA8000-memory.dmp

Filesize
32KB

Download
memory/2984-7-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-6-0x0000017065CC0000-0x0000017065CC8000-memory.dmp

Filesize
32KB

Download
memory/2984-8-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-9-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-11-0x0000017065CD0000-0x0000017065CDE000-memory.dmp

Filesize
56KB

Download
memory/2984-10-0x00000170675E0000-0x0000017067618000-memory.dmp

Filesize
224KB

Download
memory/2984-12-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-13-0x00000170675C0000-0x00000170675D2000-memory.dmp

Filesize
72KB

Download
memory/2984-15-0x00000170675B0000-0x00000170675BA000-memory.dmp

Filesize
40KB

Download
memory/2984-14-0x00007FFD15613000-0x00007FFD15615000-memory.dmp

Filesize
8KB

Download
memory/2984-16-0x000001707FD80000-0x000001707FDA6000-memory.dmp

Filesize
152KB

Download
memory/2984-17-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-18-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download
memory/2984-19-0x00007FFD15610000-0x00007FFD160D2000-memory.dmp

Filesize
10.8MB

Download