Overview

overview

10

Static

static

3

USDT Token....2.zip

windows10-ltsc_2021-x64

4

USDT Flasher.exe

windows10-ltsc_2021-x64

10

bin/app.exe

windows10-ltsc_2021-x64

1

lang/Japanese.ps1

windows10-ltsc_2021-x64

3

lang/lang.exe

windows10-ltsc_2021-x64

10

tls/qschan...nd.dll

windows10-ltsc_2021-x64

1

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    06/04/2025, 04:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    USDT Flasher.exe

  • Size

    360KB

  • MD5

    114d06d61ef7e48db10937be060a6dab

  • SHA1

    76ab812ba791639069b7b102db780c1a99e397a2

  • SHA256

    9542a0999fef704961e3095ab05d1bde47b062674ca999ab69864a58d8d02883

  • SHA512

    357700eebab2caf87a45da85f0b34a0141604254a14fc23ed16203ec9cdfd49700c88bdacfe6060a8231d1e0d7dfd1fee66b9f8aca8d1652f2ffa260cbff20ab

  • SSDEEP

    3072:dWTIRnSS15FzgY3PGYnNBXBxJ2ftvNMDfs6STuvw/T5ddmwOPj4r+m9n7:dWknt15FUY3PHNN8tHJN/FIjzW

Score
10/10
svcstealerdefense_evasiondiscoverydownloaderexecutionpersistencestealer

Malware Config

Signatures

  • Detects SvcStealer Payload 9 IoCs

    SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    defense_evasion
  • SvcStealer, Diamotrix

    SvcStealer aka Diamotrix Clipper is a stealer/downloader written in C++.

    stealerdownloadersvcstealer
  • Svcstealer family
    svcstealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to execute payload.

    execution
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 49 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3608
    • C:\Users\Admin\AppData\Local\Temp\USDT Flasher.exe
      "C:\Users\Admin\AppData\Local\Temp\USDT Flasher.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\lang\lang.exe
        "C:\Users\Admin\AppData\Local\Temp\lang\lang.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2936
        • C:\Users\Admin\AppData\Local\Temp\is-0J9NB.tmp\lang.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-0J9NB.tmp\lang.tmp" /SL5="$601EC,2695233,175616,C:\Users\Admin\AppData\Local\Temp\lang\lang.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Users\Admin\AppData\Local\Temp\lang\lang.exe
            "C:\Users\Admin\AppData\Local\Temp\lang\lang.exe" /VERYSILENT
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4812
            • C:\Users\Admin\AppData\Local\Temp\is-48UM7.tmp\lang.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-48UM7.tmp\lang.tmp" /SL5="$B0046,2695233,175616,C:\Users\Admin\AppData\Local\Temp\lang\lang.exe" /VERYSILENT
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:4748
              • C:\Windows\SysWOW64\regsvr32.exe
                "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\d3d118.drv"
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4756
                • C:\Windows\system32\regsvr32.exe
                  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\d3d118.drv"
                  8⤵
                  • Loads dropped DLL
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2008
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4672
                  • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
                    "PowerShell.exe" -NoProfile -NonInteractive -Command -
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3660
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
                    9⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2044
      • C:\Users\Admin\AppData\Local\Temp\bin\app.exe
        "C:\Users\Admin\AppData\Local\Temp\bin\app.exe"
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1736
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C sc config "RemoteRegistry" start= disabled
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1036
          • C:\Windows\system32\sc.exe
            sc config "RemoteRegistry" start= disabled
            5⤵
            • Launches sc.exe
            PID:5308
    • C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:1756
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
        C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3672
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
        C:\Users\Admin\AppData\Roaming\Winserv\winserv.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4928
    • C:\Users\Admin\AppData\Local\Temp\E297.tmp.exe
      C:\Users\Admin\AppData\Local\Temp\E297.tmp.exe
      2⤵
      • Executes dropped EXE
      PID:4848
  • C:\Windows\system32\regsvr32.EXE
    "C:\Windows\system32\regsvr32.EXE" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\d3d118.drv"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5604
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2416
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\d3d118.drv\"' }) { exit 0 } else { exit 1 }"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Optimizer\Optimizer.log
    Filesize

    305B

    MD5

    6524600bb5c0db14667f8b3e576f2d28

    SHA1

    a45da297815d1dc6d546bfc700c985591a044b20

    SHA256

    74cc005ec6231ad8eab05e46222e428971bda065e29c5b3dfeb0861780c1ba84

    SHA512

    22ac53dbef4f24b4688afd8366b88f0dabc6703f5b0021d9dac036c45fa67f617022bd29d93374f4b2811777742a49311c70dd59bd1f9a577727d0592c3d6f22

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log
    Filesize

    3KB

    MD5

    3eb3833f769dd890afc295b977eab4b4

    SHA1

    e857649b037939602c72ad003e5d3698695f436f

    SHA256

    c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

    SHA512

    c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    578f74b9997731d225b96bc32c24052b

    SHA1

    6d5ce10f29b40f5184073e1595bac40fb488946c

    SHA256

    b4625f1d511203844f116c804f31ccdb8311bf0cb545e60df760efda02389bc8

    SHA512

    aabe608fff7d980093d71444520e056d6e40d08d93f34ab33ffa59d9c6bb66f9e0472949f1dc14c459e0111e305f92c073630180f0314aa781bd78f29be27bf6

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    638689e24b53e8caab89dd1b996a300e

    SHA1

    56c32116b8c356ffb31a15ce846d11fe9d2afe10

    SHA256

    cc639b0f9604ce6c48f760f7e310cc838c881695222eece4e1bf69764f09ea8a

    SHA512

    7a900241441be7d5f3506eea0e7206a44506200c7c4438a7714fbc58f9ffa70b262a2b3638bc8fb8e92e3a684c8eedae719b1db84da959822cbce770bcff2977

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    ac533ea21ea4a15606db6378d61214cd

    SHA1

    7c219b84214743d1623af591e6e24958e6ce6e70

    SHA256

    cdf7dbb1b774bae2264fdc066001f3f84cc5f32c9691dfd892715db30873a439

    SHA512

    811c5aa3145e01e5f9fc0f34c2b19dfb3e2acf088454b318be555ab74165775f7f2bb7b2d3c3f564977c0a411a39329ac07b323a611ec66bacbfb5b6f0fb938f

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    178170c54a9081cc3aaac9ee2318211e

    SHA1

    94b0fd6cb5834be48fa39a95997a8852a6b64cc4

    SHA256

    906632fc1b247d32a6a2130ccf9062231984e8f2e7beddd511bbd19901fdb054

    SHA512

    71231d4c7d670dd444fc9a392b33ed1008fb815a03760357f43c43c77adf1d83b05a94dee240a50d1ba3f1cad5055c181aa3351f8719fb6d3939b785a224db15

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D23F.tmp.exe
    Filesize

    177KB

    MD5

    3b127ebb1071fe3d90fe545aa1698700

    SHA1

    dadb18a698f8b76022446945e19410a633816a0b

    SHA256

    ed4d7c0d28ce4fb03726b009ab5a8035291d2f5026b1e2a8d6f0ee478c7a5a26

    SHA512

    5e58a8a3e3b1621cd8158f664652cf6bfa87b93052ec4af29b7ff17d3d33055fa8f939592032a57a7fbd0dd90c9485fa26d5cb5185899af76c7cf1015148a817

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E297.tmp.exe
    Filesize

    253KB

    MD5

    a763e95afd333105b08aaf33f7fb1bea

    SHA1

    0ff903c6cace210ca3dda53eadbcdaa26a3f229c

    SHA256

    fb195f7313f9e00520e7ba6767665c0e1c24fc5135bff6f6af59d5d008f141bc

    SHA512

    0c9ae565e261cebf49105d17b8a06b004009cd882a17c854a5bd0d6390fdfb47433eac8e8a33c8de2740695d0ddec105fef7dc4f0a8ed66a714f6c6bf24d076d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54xzx22y.xtx.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-0J9NB.tmp\lang.tmp
    Filesize

    1.1MB

    MD5

    8aff8eda5770ce3ad2eda9dabad45149

    SHA1

    4d0986d27ea911125de35f334c5520643799863b

    SHA256

    c7f83b8e3f156dafaa203997e26e6fcf3ec1eca88c305e11173bd1704d1d5cd0

    SHA512

    6009158a30705c61c94ce2fe46ab11e5bf2ed451b40043e7959c875c964843b3caadddecaa78e6df459e5ad45b33907e0e0d3397ad2cabc372758be99f659e26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-9JUFU.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\d3d118.drv
    Filesize

    10.3MB

    MD5

    8aca52db833d1ba385e1e859a59bdbd4

    SHA1

    e09a789a9ff49190051040d2eef2a185e65448e4

    SHA256

    017f3c01c61deadc93b7e8ecc84816bc3cb4a6456f4c21d96958ccc20c4e913e

    SHA512

    b9ff193bc0c3489785de241fee91f0746c127b111e9730c9fc35dddcbeb60fa269407ac0236e5f0f4f0fd2827e14a160d3d798f451f1478dd01ace974945876e

    Download Submit

  • memory/1736-102-0x000001F3B39D0000-0x000001F3B39E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1736-125-0x000001F3B7990000-0x000001F3B799A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1736-1-0x000001F399220000-0x000001F39949A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1736-6-0x000001F3B38C0000-0x000001F3B3972000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1736-142-0x000001F3B8200000-0x000001F3B8212000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1736-10-0x000001F3B39D0000-0x000001F3B39E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1736-126-0x000001F3B7A00000-0x000001F3B7A26000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1736-32-0x000001F39B1A0000-0x000001F39B1C2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1736-31-0x000001F3B4240000-0x000001F3B42B6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1736-101-0x00007FFE802D3000-0x00007FFE802D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1736-0-0x00007FFE802D3000-0x00007FFE802D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1736-52-0x000001F3B3A90000-0x000001F3B3AAE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1736-124-0x000001F3B7970000-0x000001F3B7986000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2008-103-0x00007FFE79690000-0x00007FFE7A08B000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/2008-112-0x00007FFE79690000-0x00007FFE7A08B000-memory.dmp

    Filesize

    10.0MB

    Download

  • memory/2008-104-0x0000000002A70000-0x0000000002B75000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2396-42-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/2936-44-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2936-2-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/2936-4-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3608-110-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-111-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-189-0x0000000002A80000-0x0000000002A81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3608-204-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-190-0x0000000002A90000-0x0000000002A91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3608-174-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-177-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-175-0x0000000002B30000-0x0000000002B63000-memory.dmp

    Filesize

    204KB

    Download

  • memory/3608-180-0x0000000009220000-0x000000000932B000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4748-60-0x0000000000400000-0x0000000000530000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4812-40-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4812-64-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

    Download

  • memory/5604-168-0x00000000026A0000-0x00000000027A5000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5604-167-0x00007FFE75000000-0x00007FFE759FB000-memory.dmp

    Filesize

    10.0MB

    Download