Analysis

  • max time kernel
    36s
  • max time network
    38s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/07/2025, 19:24

Errors

Reason
Machine shutdown

General

  • Target
    Alcohol120_trial_2.1.1.2201.exe
  • Size
    12.4MB
  • MD5
    febeb08dd8630aec9bfa3344e7fa5ce3
  • SHA1
    ba61db31ca06ac4879a0bd88637d6e20fb4be836
  • SHA256
    4494df27de96398c4326b6ecf701ffdacf53729fef54fca0651439159dc5bf29
  • SHA512
    710a406c96ecb83f7930a1caaacb824a75d4b6cf94bef3ff5dcbd029f45beb29774d61fb0fdf3ebd9b3ffdf011c8c88e52eff90f86f8f37975fc21df9bbf29ae
  • SSDEEP
    393216:cyUUw633OKrbnwp4XyA7NRLs8PH5vMe2F4EV:cyUUw23LrLwpEZLs8PH5vzC4Y

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 15 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe
    "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe
      "C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe" add /q
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:872
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
    1⤵
    PID:1824
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe
      C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe
      2⤵
      PID:1816
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a11855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:920

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe
    Filesize
    357KB
    MD5
    0e226ba5dfb6380c080e0718dfc00b93
    SHA1
    a8c3b31891eb92e3c68dd14dc9d3e29f0af2bf66
    SHA256
    7134b671818c893d81cbc7b80d4a3840461db225748e5fdee8e2bd79a43bae9e
    SHA512
    2fd9a1b8bcdb126b545e055aa8f358875a9e509a0405a6cba6b4efe2aa560f6bc414b055b7ac4abca80b7ad4ea80e2ac693d8a25f217d5c7975051d6a731d897
  • C:\Users\Admin\AppData\Local\Temp\SPTDIntf.dll
    Filesize
    50KB
    MD5
    3862c98f3676f3fd8bf4759db17cf273
    SHA1
    8ce5ca251376345220fa502930e4339cfbd7721d
    SHA256
    1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1
    SHA512
    1836a39ad1bf17e086836298323cc36538174d991aa2e9ee4fd8b4594e88aad1723fd875501f2e256e2b358fc88a84cd564b5bef79eca2b51af4880c9646f396
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\LangDLL.dll
    Filesize
    5KB
    MD5
    9384f4007c492d4fa040924f31c00166
    SHA1
    aba37faef30d7c445584c688a0b5638f5db31c7b
    SHA256
    60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
    SHA512
    68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\SetupHlp.dll
    Filesize
    49KB
    MD5
    26628ae407ed37ad4fb7b1e8ad623df4
    SHA1
    b01d933757a57eea04241cf656583e23f0278b9a
    SHA256
    a5f3700631c64057a304daef08af79a3428da669585ba4ead2a7ff7fc34cdf9d
    SHA512
    c7b4e6377eb85660ed7bd762105689a20d62b2cd3f56587c390f85dc612ed2d822982bbcb3175e59dc9e7e5dc9b65065ea4cbcb79581695222eac2c5a727fcb6
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\System.dll
    Filesize
    11KB
    MD5
    c17103ae9072a06da581dec998343fc1
    SHA1
    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
    SHA256
    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
    SHA512
    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\W10_17763RegHlper.dll
    Filesize
    9KB
    MD5
    d1a1686ac8444bbd9b1daed5944bcf04
    SHA1
    d91ac9ff19526d12e4fce8717f520eb816a266d0
    SHA256
    9f25311e89e9c14622e64cdf30330612b984fd940d2197ab6a95a3ef1e6e59aa
    SHA512
    44cf32c83d434ee141b90f8be5bf796223e3fd0c24267aeda7aa01d85f18664ecf5e80b01fd59e3f821b11e5103a48d24ebfd95ab5452c914a3e393d858a5f24
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\linker.dll
    Filesize
    8KB
    MD5
    14b655f0567e2d13459a4c77b2641ad8
    SHA1
    16f073c74680f4ef8b6b477e86b75d8f136824c2
    SHA256
    d5684110f61200ac1142648f06a4df3ee30acf38b96538496c33cac69942c4cc
    SHA512
    f64ab83cbb87986d0356a7b9f0ebd0314d1341aecb6be627861b6a35df80d765cf85157293950eff82d44901f65068de177780a829c4d34f55a4f5089a0ddebe
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\modern-wizard.bmp
    Filesize
    150KB
    MD5
    6ad7f23b6dee9bd5c2849fa8a831df24
    SHA1
    e221e3917df3f0cfbc8c545c7c28375131b3cd54
    SHA256
    aa800d4d2ca0dac3c75ea5ef2eaccc6e4dec72f24c21c0e2511d1f1c79da6013
    SHA512
    fd454c1f881e4d46a241fd930260186b880fb75c25b268160b1f8540607b1c6c495d264bd2b7e00864839a673f6efc76605043937bba494de871ba770bb78c91
  • C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\nsDialogs.dll
    Filesize
    9KB
    MD5
    c10e04dd4ad4277d5adc951bb331c777
    SHA1
    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
    SHA256
    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
    SHA512
    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
  • memory/4896-21-0x0000000074260000-0x0000000074271000-memory.dmp
    Filesize
    68KB
  • memory/4896-30-0x0000000074000000-0x0000000074011000-memory.dmp
    Filesize
    68KB
  • memory/4896-7-0x0000000074260000-0x0000000074271000-memory.dmp
    Filesize
    68KB
  • memory/4896-55-0x0000000073EE0000-0x0000000073EEF000-memory.dmp
    Filesize
    60KB
  • memory/4896-8-0x0000000074260000-0x0000000074271000-memory.dmp
    Filesize
    68KB
  • memory/4896-64-0x0000000073EE0000-0x0000000073EEF000-memory.dmp
    Filesize
    60KB
  • memory/4896-89-0x0000000074260000-0x0000000074271000-memory.dmp
    Filesize
    68KB