Analysis Overview
SHA256
4494df27de96398c4326b6ecf701ffdacf53729fef54fca0651439159dc5bf29
Threat Level: Likely malicious
The file Alcohol120_trial_2.1.1.2201.exe was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
System Location Discovery: System Language Discovery
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-02 19:24
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-02 19:24
Reported
2025-07-02 19:26
Platform
win11-20250502-en
Max time kernel
36s
Max time network
38s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\Drivers\sptd2.sys | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Alcohol 120% 2.1.1.2201 Setup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Alcohol120_trial_2.1.1.2201.exe\"" | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value elided] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "36" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4896 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe |
| PID 4896 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe |
| PID 3316 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe |
| PID 3316 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe |
| PID 3316 wrote to memory of 1816 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe" |
| C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | "C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe" add /q |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3 |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe" |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3a11855 /state1:0x41c64e6d |
| C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe |
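The signature tables above mix events caused by the submitted installer (and the SPTD2inst.exe it dropped) with events from Windows components that ran during the same detonation: vssvc.exe and srtasks.exe create a restore point, LogonUI.exe writes DWM colour settings under HKEY_USERS\.DEFAULT. Before weighting the "Likely malicious" verdict, a practitioner would want to know which signatures the sample itself triggered. The script below is an added example, written for this page and not part of the sandbox report or of the Alcohol 120% installer; ROWS is transcribed from the behavioral1 tables (a representative subset), and the sample-versus-OS split by process path is a heuristic of mine, not the sandbox's own scoring.

```python
"""Attribute sandbox signatures to the submitted sample versus Windows components.

Added example: my own triage script, not part of the sandbox report. ROWS is
transcribed from the behavioral1 signature tables on this page; the
sample/os classification is a path-based heuristic, not the sandbox's scoring.
"""
import re

# Process images as they appear in the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe"
VSSVC = r"C:\Windows\system32\vssvc.exe"
LOGONUI = r"C:\Windows\system32\LogonUI.exe"
CMD = r"C:\Windows\system32\cmd.exe"
SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters"
RUNONCE_IND = r'\REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Alcohol 120% 2.1.1.2201 Setup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Alcohol120_trial_2.1.1.2201.exe\""'

# Constructed input: (signature, description, indicator, process, target),
# transcribed from the tables above. Duplicate WriteProcessMemory rows are
# kept on purpose: the report emits one row per call.
ROWS = [
    ("Drops file in Drivers directory", "File created", r"C:\Windows\System32\Drivers\sptd2.sys", DROPPED, None),
    ("Executes dropped EXE", None, None, DROPPED, None),
    ("Adds Run key to start application", "Set value (str)", RUNONCE_IND, SAMPLE, None),
    ("System Location Discovery: System Language Discovery", "Key opened",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language", SAMPLE, None),
    ("Checks SCSI registry key(s)", "Key opened", SCSI, VSSVC, None),
    ("Checks SCSI registry key(s)", "Key created", SCSI + r"\Partmgr", VSSVC, None),
    ("Modifies data under HKEY_USERS", "Set value (int)",
     r'\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"', LOGONUI, None),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeBackupPrivilege", None, VSSVC, None),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeBackupPrivilege", None, DROPPED, None),
    ("Suspicious use of AdjustPrivilegeToken", "Token: SeShutdownPrivilege", None, SAMPLE, None),
    ("Suspicious use of SetWindowsHookEx", None, None, LOGONUI, None),
    ("Suspicious use of WriteProcessMemory", "PID 4896 wrote to memory of 1168", None, SAMPLE, DROPPED),
    ("Suspicious use of WriteProcessMemory", "PID 4896 wrote to memory of 1168", None, SAMPLE, DROPPED),
    ("Suspicious use of WriteProcessMemory", "PID 3316 wrote to memory of 1816", None, CMD, SAMPLE),
    ("Suspicious use of WriteProcessMemory", "PID 3316 wrote to memory of 1816", None, CMD, SAMPLE),
]

SAMPLE_DIR = r"c:\users\admin\appdata\local\temp"  # sandbox submission directory
SYSTEM_DIR = r"c:\windows\system32"


def origin(process):
    """'sample' for binaries in the submission dir (the installer and what it
    dropped), 'os' for Windows components. 'os' does not mean unrelated: vssvc
    and srtasks ran because the installer requested a restore point."""
    p = process.lower()
    if p.startswith(SAMPLE_DIR):
        return "sample"
    if p.startswith(SYSTEM_DIR):
        return "os"
    return "other"


def attribute(rows):
    """Map each signature name to the set of origins whose processes triggered it."""
    out = {}
    for sig, _, _, proc, _ in rows:
        out.setdefault(sig, set()).add(origin(proc))
    return out


def sample_only_signatures(rows):
    """Signatures every one of whose rows came from the sample or its drops."""
    return sorted(s for s, o in attribute(rows).items() if o == {"sample"})


def driver_drops(rows):
    """(driver path, writing image name) for 'File created' rows under a Drivers directory."""
    return [(ind, proc.rsplit("\\", 1)[-1]) for _, desc, ind, proc, _ in rows
            if desc == "File created" and ind and "\\drivers\\" in ind.lower()]


RUN_KEY = re.compile(r"^(?P<key>.*\\(?P<hive>RunOnce|Run))\\(?P<name>[^\\=]+?) = (?P<data>.*)$")


def _unescape(data):
    # The report renders string values as a quoted, backslash-escaped literal.
    if data.startswith('"') and data.endswith('"'):
        data = data[1:-1]
    return data.replace("\\\\", "\\").replace('\\"', '"')


def persistence_entries(rows):
    """Parse Run/RunOnce value writes into (hive, value name, command, executable)."""
    found = []
    for _, desc, ind, _, _ in rows:
        m = RUN_KEY.match(ind or "")
        if m and desc.startswith("Set value"):
            cmd = _unescape(m["data"])
            found.append((m["hive"], m["name"], cmd, cmd.strip('"')))
    return found


WPM = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def memory_writes(rows):
    """Unique (src pid, src image, dst pid, dst image) edges from WriteProcessMemory rows."""
    edges = set()
    for _, desc, _, proc, target in rows:
        m = WPM.match(desc or "")
        if m:
            edges.add((int(m[1]), proc.rsplit("\\", 1)[-1], int(m[2]), target.rsplit("\\", 1)[-1]))
    return sorted(edges)


if __name__ == "__main__":
    for sig, origins in attribute(ROWS).items():
        print(f"{sig:55} {'+'.join(sorted(origins))}")
    print("sample-only signatures:", sample_only_signatures(ROWS))
    print("driver drops:", driver_drops(ROWS))
    print("persistence:", persistence_entries(ROWS))
    print("cross-process writes:", memory_writes(ROWS))
```

Run against the transcribed rows, the SCSI-key and HKEY_USERS signatures attribute entirely to vssvc.exe and LogonUI.exe, the driver drop and RunOnce entry attribute to the sample, and the five WriteProcessMemory rows collapse to two parent-to-child edges (installer to SPTD2inst.exe, cmd.exe to the relaunched installer), which is the pattern of a parent process starting a child rather than an injection into an unrelated process. The RunOnce value points back at the installer's own Temp path, so it is a resume-after-reboot entry rather than a persistent autorun; whether the sptd2.sys drop is acceptable on a given estate is a policy decision the sandbox cannot make.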
Network
Files
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\SetupHlp.dll
| MD5 | 26628ae407ed37ad4fb7b1e8ad623df4 |
| SHA1 | b01d933757a57eea04241cf656583e23f0278b9a |
| SHA256 | a5f3700631c64057a304daef08af79a3428da669585ba4ead2a7ff7fc34cdf9d |
| SHA512 | c7b4e6377eb85660ed7bd762105689a20d62b2cd3f56587c390f85dc612ed2d822982bbcb3175e59dc9e7e5dc9b65065ea4cbcb79581695222eac2c5a727fcb6 |
memory/4896-8-0x0000000074260000-0x0000000074271000-memory.dmp
memory/4896-7-0x0000000074260000-0x0000000074271000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\W10_17763RegHlper.dll
| MD5 | d1a1686ac8444bbd9b1daed5944bcf04 |
| SHA1 | d91ac9ff19526d12e4fce8717f520eb816a266d0 |
| SHA256 | 9f25311e89e9c14622e64cdf30330612b984fd940d2197ab6a95a3ef1e6e59aa |
| SHA512 | 44cf32c83d434ee141b90f8be5bf796223e3fd0c24267aeda7aa01d85f18664ecf5e80b01fd59e3f821b11e5103a48d24ebfd95ab5452c914a3e393d858a5f24 |
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\LangDLL.dll
| MD5 | 9384f4007c492d4fa040924f31c00166 |
| SHA1 | aba37faef30d7c445584c688a0b5638f5db31c7b |
| SHA256 | 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5 |
| SHA512 | 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf |
memory/4896-21-0x0000000074260000-0x0000000074271000-memory.dmp
memory/4896-30-0x0000000074000000-0x0000000074011000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\linker.dll
| MD5 | 14b655f0567e2d13459a4c77b2641ad8 |
| SHA1 | 16f073c74680f4ef8b6b477e86b75d8f136824c2 |
| SHA256 | d5684110f61200ac1142648f06a4df3ee30acf38b96538496c33cac69942c4cc |
| SHA512 | f64ab83cbb87986d0356a7b9f0ebd0314d1341aecb6be627861b6a35df80d765cf85157293950eff82d44901f65068de177780a829c4d34f55a4f5089a0ddebe |
C:\Users\Admin\AppData\Local\Temp\SPTDIntf.dll
| MD5 | 3862c98f3676f3fd8bf4759db17cf273 |
| SHA1 | 8ce5ca251376345220fa502930e4339cfbd7721d |
| SHA256 | 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1 |
| SHA512 | 1836a39ad1bf17e086836298323cc36538174d991aa2e9ee4fd8b4594e88aad1723fd875501f2e256e2b358fc88a84cd564b5bef79eca2b51af4880c9646f396 |
memory/4896-55-0x0000000073EE0000-0x0000000073EEF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe
| MD5 | 0e226ba5dfb6380c080e0718dfc00b93 |
| SHA1 | a8c3b31891eb92e3c68dd14dc9d3e29f0af2bf66 |
| SHA256 | 7134b671818c893d81cbc7b80d4a3840461db225748e5fdee8e2bd79a43bae9e |
| SHA512 | 2fd9a1b8bcdb126b545e055aa8f358875a9e509a0405a6cba6b4efe2aa560f6bc414b055b7ac4abca80b7ad4ea80e2ac693d8a25f217d5c7975051d6a731d897 |
memory/4896-64-0x0000000073EE0000-0x0000000073EEF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\modern-wizard.bmp
| MD5 | 6ad7f23b6dee9bd5c2849fa8a831df24 |
| SHA1 | e221e3917df3f0cfbc8c545c7c28375131b3cd54 |
| SHA256 | aa800d4d2ca0dac3c75ea5ef2eaccc6e4dec72f24c21c0e2511d1f1c79da6013 |
| SHA512 | fd454c1f881e4d46a241fd930260186b880fb75c25b268160b1f8540607b1c6c495d264bd2b7e00864839a673f6efc76605043937bba494de871ba770bb78c91 |
memory/4896-89-0x0000000074260000-0x0000000074271000-memory.dmp