Malware Analysis Report

2025-08-05 14:36

Sample ID: 250702-x4kdnszyaz
Target: Alcohol120_trial_2.1.1.2201.exe
SHA256: 4494df27de96398c4326b6ecf701ffdacf53729fef54fca0651439159dc5bf29
Tags: discovery persistence
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V16
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 4494df27de96398c4326b6ecf701ffdacf53729fef54fca0651439159dc5bf29

Threat Level: Likely malicious

The file Alcohol120_trial_2.1.1.2201.exe was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-07-02 19:24

Signatures

NSIS installer

installer

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-07-02 19:24
Reported: 2025-07-02 19:26
Platform: win11-20250502-en
Max time kernel: 36s
Max time network: 38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\Drivers\sptd2.sys | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3518521428-3897247806-4080064211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Alcohol 120% 2.1.1.2201 Setup = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Alcohol120_trial_2.1.1.2201.exe\"" | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [data elided] | C:\Windows\system32\vssvc.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "36" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe
  "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"

C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe
  "C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe" add /q

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe"

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3a11855 /state1:0x41c64e6d

C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe
  C:\Users\Admin\AppData\Local\Temp\Alcohol120_trial_2.1.1.2201.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\SetupHlp.dll

MD5 26628ae407ed37ad4fb7b1e8ad623df4
SHA1 b01d933757a57eea04241cf656583e23f0278b9a
SHA256 a5f3700631c64057a304daef08af79a3428da669585ba4ead2a7ff7fc34cdf9d
SHA512 c7b4e6377eb85660ed7bd762105689a20d62b2cd3f56587c390f85dc612ed2d822982bbcb3175e59dc9e7e5dc9b65065ea4cbcb79581695222eac2c5a727fcb6

memory/4896-8-0x0000000074260000-0x0000000074271000-memory.dmp

memory/4896-7-0x0000000074260000-0x0000000074271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\W10_17763RegHlper.dll

MD5 d1a1686ac8444bbd9b1daed5944bcf04
SHA1 d91ac9ff19526d12e4fce8717f520eb816a266d0
SHA256 9f25311e89e9c14622e64cdf30330612b984fd940d2197ab6a95a3ef1e6e59aa
SHA512 44cf32c83d434ee141b90f8be5bf796223e3fd0c24267aeda7aa01d85f18664ecf5e80b01fd59e3f821b11e5103a48d24ebfd95ab5452c914a3e393d858a5f24

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

memory/4896-21-0x0000000074260000-0x0000000074271000-memory.dmp

memory/4896-30-0x0000000074000000-0x0000000074011000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\linker.dll

MD5 14b655f0567e2d13459a4c77b2641ad8
SHA1 16f073c74680f4ef8b6b477e86b75d8f136824c2
SHA256 d5684110f61200ac1142648f06a4df3ee30acf38b96538496c33cac69942c4cc
SHA512 f64ab83cbb87986d0356a7b9f0ebd0314d1341aecb6be627861b6a35df80d765cf85157293950eff82d44901f65068de177780a829c4d34f55a4f5089a0ddebe

C:\Users\Admin\AppData\Local\Temp\SPTDIntf.dll

MD5 3862c98f3676f3fd8bf4759db17cf273
SHA1 8ce5ca251376345220fa502930e4339cfbd7721d
SHA256 1c7d5e42ff3bc5e1a0ecd01fa68633dc67515b3a06e660fcd2d22d6ea436a6f1
SHA512 1836a39ad1bf17e086836298323cc36538174d991aa2e9ee4fd8b4594e88aad1723fd875501f2e256e2b358fc88a84cd564b5bef79eca2b51af4880c9646f396

memory/4896-55-0x0000000073EE0000-0x0000000073EEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SPTD2inst.exe

MD5 0e226ba5dfb6380c080e0718dfc00b93
SHA1 a8c3b31891eb92e3c68dd14dc9d3e29f0af2bf66
SHA256 7134b671818c893d81cbc7b80d4a3840461db225748e5fdee8e2bd79a43bae9e
SHA512 2fd9a1b8bcdb126b545e055aa8f358875a9e509a0405a6cba6b4efe2aa560f6bc414b055b7ac4abca80b7ad4ea80e2ac693d8a25f217d5c7975051d6a731d897

memory/4896-64-0x0000000073EE0000-0x0000000073EEF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss67C4.tmp\modern-wizard.bmp

MD5 6ad7f23b6dee9bd5c2849fa8a831df24
SHA1 e221e3917df3f0cfbc8c545c7c28375131b3cd54
SHA256 aa800d4d2ca0dac3c75ea5ef2eaccc6e4dec72f24c21c0e2511d1f1c79da6013
SHA512 fd454c1f881e4d46a241fd930260186b880fb75c25b268160b1f8540607b1c6c495d264bd2b7e00864839a673f6efc76605043937bba494de871ba770bb78c91

memory/4896-89-0x0000000074260000-0x0000000074271000-memory.dmp