Analysis
max time kernel: 36s
max time network: 38s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/07/2025, 19:24
Static task: static1
Behavioral task: behavioral1
Sample: Alcohol120_trial_2.1.1.2201.exe
Resource: win11-20250502-en
Errors
General
Target: Alcohol120_trial_2.1.1.2201.exe
Size: 12.4MB
MD5: febeb08dd8630aec9bfa3344e7fa5ce3
SHA1: ba61db31ca06ac4879a0bd88637d6e20fb4be836
SHA256: 4494df27de96398c4326b6ecf701ffdacf53729fef54fca0651439159dc5bf29
SHA512: 710a406c96ecb83f7930a1caaacb824a75d4b6cf94bef3ff5dcbd029f45beb29774d61fb0fdf3ebd9b3ffdf011c8c88e52eff90f86f8f37975fc21df9bbf29ae
SSDEEP: 393216:cyUUw633OKrbnwp4XyA7NRLs8PH5vMe2F4EV:cyUUw23LrLwpEZLs8PH5vzC4Y
Malware Config
Signatures
-
Drops file in Drivers directory (1 IoC)
  File created: C:\Windows\System32\Drivers\sptd2.sys  [SPTD2inst.exe]

Executes dropped EXE (1 IoC)
  PID 1168  SPTD2inst.exe

Loads dropped DLL (15 IoCs)
  PID 4896  Alcohol120_trial_2.1.1.2201.exe  (15 identical entries; the report does not name the loaded DLLs)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Alcohol 120% 2.1.1.2201 Setup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Alcohol120_trial_2.1.1.2201.exe\""  [Alcohol120_trial_2.1.1.2201.exe]
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [Alcohol120_trial_2.1.1.2201.exe]
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened:       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  [vssvc.exe]
  Key queried:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  [vssvc.exe]
  Key created:      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  [vssvc.exe]
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not present on the page]  [vssvc.exe]
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  [vssvc.exe]
Modifies data under HKEY_USERS (15 IoCs)
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "36"  [LogonUI.exe]
  Key created:      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  [LogonUI.exe]
  Key created:      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  [LogonUI.exe]
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"  [LogonUI.exe]
  Key created:      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  [LogonUI.exe]
  Set value (int):  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  [LogonUI.exe]
Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Token: SeBackupPrivilege    PID 872   vssvc.exe
  Token: SeRestorePrivilege   PID 872   vssvc.exe
  Token: SeAuditPrivilege     PID 872   vssvc.exe
  Token: SeBackupPrivilege    PID 1168  SPTD2inst.exe
  Token: SeRestorePrivilege   PID 1168  SPTD2inst.exe
  Token: SeShutdownPrivilege  PID 4896  Alcohol120_trial_2.1.1.2201.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 920  LogonUI.exe

Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4896 wrote to memory of 1168   PID 4896  Alcohol120_trial_2.1.1.2201.exe  target 78  (2 identical entries)
  PID 3316 wrote to memory of 1816   PID 3316  cmd.exe                          target 88  (3 identical entries)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe  (PID 4896)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe  (PID 1168)
      Command line: "C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe" add /q
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssvc.exe  (PID 872)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\srtasks.exe  (PID 1824)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Windows\system32\cmd.exe  (PID 3316)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe  (PID 1816)
      Command line: C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe

C:\Windows\system32\LogonUI.exe  (PID 920)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a11855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 357KB
MD5: 0e226ba5dfb6380c080e0718dfc00b93
SHA1: a8c3b31891eb92e3c68dd14dc9d3e29f0af2bf66
SHA256: 7134b671818c893d81cbc7b80d4a3840461db225748e5fdee8e2bd79a43bae9e
SHA512: 2fd9a1b8bcdb126b545e055aa8f358875a9e509a0405a6cba6b4efe2aa560f6bc414b055b7ac4abca80b7ad4ea80e2ac693d8a25f217d5c7975051d6a731d897

Filesize: 50KB
MD5: 3862c98f3676f3fd8bf4759db17cf273
SHA1: 8ce5ca251376345220fa502930e4339cfbd7721d
SHA256: 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1
SHA512: 1836a39ad1bf17e086836298323cc36538174d991aa2e9ee4fd8b4594e88aad1723fd875501f2e256e2b358fc88a84cd564b5bef79eca2b51af4880c9646f396

Filesize: 5KB
MD5: 9384f4007c492d4fa040924f31c00166
SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Filesize: 49KB
MD5: 26628ae407ed37ad4fb7b1e8ad623df4
SHA1: b01d933757a57eea04241cf656583e23f0278b9a
SHA256: a5f3700631c64057a304daef08af79a3428da669585ba4ead2a7ff7fc34cdf9d
SHA512: c7b4e6377eb85660ed7bd762105689a20d62b2cd3f56587c390f85dc612ed2d822982bbcb3175e59dc9e7e5dc9b65065ea4cbcb79581695222eac2c5a727fcb6

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 9KB
MD5: d1a1686ac8444bbd9b1daed5944bcf04
SHA1: d91ac9ff19526d12e4fce8717f520eb816a266d0
SHA256: 9f25311e89e9c14622e64cdf30330612b984fd940d2197ab6a95a3ef1e6e59aa
SHA512: 44cf32c83d434ee141b90f8be5bf796223e3fd0c24267aeda7aa01d85f18664ecf5e80b01fd59e3f821b11e5103a48d24ebfd95ab5452c914a3e393d858a5f24

Filesize: 8KB
MD5: 14b655f0567e2d13459a4c77b2641ad8
SHA1: 16f073c74680f4ef8b6b477e86b75d8f136824c2
SHA256: d5684110f61200ac1142648f06a4df3ee30acf38b96538496c33cac69942c4cc
SHA512: f64ab83cbb87986d0356a7b9f0ebd0314d1341aecb6be627861b6a35df80d765cf85157293950eff82d44901f65068de177780a829c4d34f55a4f5089a0ddebe

Filesize: 150KB
MD5: 6ad7f23b6dee9bd5c2849fa8a831df24
SHA1: e221e3917df3f0cfbc8c545c7c28375131b3cd54
SHA256: aa800d4d2ca0dac3c75ea5ef2eaccc6e4dec72f24c21c0e2511d1f1c79da6013
SHA512: fd454c1f881e4d46a241fd930260186b880fb75c25b268160b1f8540607b1c6c495d264bd2b7e00864839a673f6efc76605043937bba494de871ba770bb78c91

Filesize: 9KB
MD5: c10e04dd4ad4277d5adc951bb331c777
SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e