banload | 79d09a008ac61e606845d0e17b4fd423bb584807a5c6ae8eb6584215c6856e7b

Analysis

max time kernel
145s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ussm_setup.exe
Size

13.5MB
MD5

98b8665b96a90c222664747ba5ce87ca
SHA1

978f73a86c03e03082140ce62b8ec9befd8f68f3
SHA256

79d09a008ac61e606845d0e17b4fd423bb584807a5c6ae8eb6584215c6856e7b
SHA512

153adbc03c7fc3172e63433fe21c2df36c162aa67d868f94b2fc5c23c016550378a043acaeeab1fdc0d27ad1cce69393f42a95d4af7880f16eb4ea444ca30585
SSDEEP

393216:TBK1BgFlNlvvA0fEPi4YGplf1oRm5TyEsOPuzffKD:TA1BgFZv4443B1oM5TZs5rW

Score

10^/10

banload discovery downloader dropper evasion trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

ussm.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ussm.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ussm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ussm.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate ussm.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ussm_setup.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation ussm_setup.exe
Drops file in System32 directory 2 IoCs

Processes:

ussm_setup.exe

description ioc process

File created C:\Windows\SysWOW64\Live Screensaver.scr ussm_setup.exe
File created C:\Windows\SysWOW64\Ultra Screen Saver.scr ussm_setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ussm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ussm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	ussm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	ussm_setup.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Live Screensaver.scr	ussm_setup.exe
File created	C:\Windows\SysWOW64\Ultra Screen Saver.scr	ussm_setup.exe

Drops file in Program Files directory 40 IoCs

Processes:

ussm_setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\icon.ico	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Icelandic.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ISCmplr.dll	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\LiveScreensaverCreator.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ISPP.dll	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\French.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\islzma.dll	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ss.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Default.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Armenian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Bulgarian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Danish.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Finnish.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\uninst.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\LiveScreensaver.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Hebrew.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Polish.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Portuguese.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Slovenian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\SetupLdr.e32	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\WizModernImage-IS.bmp	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Corsican.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Dutch.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\German.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Norwegian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ISCC.exe	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Czech.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Japanese.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Slovak.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Turkish.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\ISPPBuiltins.iss	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Setup.e32	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Catalan.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Italian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Russian.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Spanish.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\WizModernSmallImage-IS.bmp	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\BrazilianPortuguese.isl	ussm_setup.exe
File created	C:\Program Files (x86)\Ultra Screen Saver Maker\Languages\Ukrainian.isl	ussm_setup.exe

Executes dropped EXE 2 IoCs

Processes:

ussm.exeussm.exe

pid process

4796 ussm.exe
876 ussm.exe
Loads dropped DLL 7 IoCs

Processes:

ussm_setup.exe

pid process

3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4796	ussm.exe
876	ussm.exe

pid	process
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

Processes:

ussm_setup.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Live Screensaver.scr = "11000"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\Live Screensaver.scr = "1"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LIVESC~1.SCR = "1"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LiveScreensaver.exe = "11000"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LiveScreensaver.exe = "1"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LIVESC~2.EXE = "11000"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\LIVESC~1.SCR = "11000"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LIVESC~1.SCR = "1"	ussm_setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	ussm_setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LIVESC~2.EXE = "1"	ussm_setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\LiveScreensaver.exe = "1"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\LIVESC~2.EXE = "1"	ussm_setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALIGNED_TIMERS\Live Screensaver.scr = "1"	ussm_setup.exe

Modifies registry class 38 IoCs

Processes:

ussm.exeussm_setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\NotInsertable	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\Server	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lsc\ = "LiveScreensaverCreator.File"	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\ = "open"	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\mscoree.dll"	ussm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\ThreadingModel = "Both"	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lsc	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\ = "Live Screensaver Creator File"	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\DefaultIcon\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\LiveScreensaverCreator.exe"	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open\command	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ProgID\ = "ComPlusDebug.CorpubPublish.1"	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}	ussm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ = "Microsoft Common Language Runtime Debugger Publisher"	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\4.0.30319	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\ProgID	ussm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\ = "Ultra Screen Saver Maker File"	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\ = "open"	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open\command\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\ussm.exe \"%1\""	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\VersionIndependentProgID\ = "ComPlusDebug.CorpubPublish"	ussm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ssp\ = "UltraScreenSaverMaker.File"	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\4.0.30319\ImplementedInThisVersion	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell\open\command	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\DefaultIcon	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\2.0.50727\ImplementedInThisVersion	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\DefaultIcon	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\DefaultIcon\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\ussm.exe"	ussm_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScreensaverCreator.File\shell\open\command\ = "C:\\Program Files (x86)\\Ultra Screen Saver Maker\\LiveScreensaverCreator.exe \"%1\""	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32\2.0.50727	ussm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\Server\ = "mscordbi.dll"	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\VersionIndependentProgID	ussm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ssp	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\UltraScreenSaverMaker.File\shell	ussm_setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E3823A2-15C5-CC15-1F99-8B637696AC1D}\InprocServer32	ussm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ussm_setup.exe

pid process

3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
3272 ussm_setup.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ussm.exe

description pid process

Token: 33 876 ussm.exe
Token: SeIncBasePriorityPrivilege 876 ussm.exe
Token: 33 876 ussm.exe
Token: SeIncBasePriorityPrivilege 876 ussm.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ussm.exe

pid process

876 ussm.exe
876 ussm.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

ussm.exe

pid process

876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe
876 ussm.exe

pid	process
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe
3272	ussm_setup.exe

description	pid	process
Token: 33	876	ussm.exe
Token: SeIncBasePriorityPrivilege	876	ussm.exe
Token: 33	876	ussm.exe
Token: SeIncBasePriorityPrivilege	876	ussm.exe

pid	process
876	ussm.exe
876	ussm.exe

pid	process
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe
876	ussm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ussm_setup.exeussm.exe

description	pid	process	target process
PID 3272 wrote to memory of 4796	3272	ussm_setup.exe	ussm.exe
PID 3272 wrote to memory of 4796	3272	ussm_setup.exe	ussm.exe
PID 3272 wrote to memory of 4796	3272	ussm_setup.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe
PID 4796 wrote to memory of 876	4796	ussm.exe	ussm.exe

C:\Users\Admin\AppData\Local\Temp\ussm_setup.exe
"C:\Users\Admin\AppData\Local\Temp\ussm_setup.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe
"C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796

C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe
"C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ultra Screen Saver Maker\ISCC.exe
Filesize
854KB

MD5
272761722fad70322be6d2f89839f329

SHA1
c894f5d96e81cf5bd8d03d6586c9bd412f508f27

SHA256
0d02e30a6ad432a50eb86f1ecf330147046e671de340bcb43a170fecbd19bf51

SHA512
ba4e0ce3a511eff43dce2999bc3905580bc19858dd1e73e5cf1b9dc7a7fa6848d11821e1db8d2af968728f2aebb18ce330cad775b640e718201d6c899b8027ef

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\ISCmplr.dll
Filesize
1.6MB

MD5
f70a42376ca3c3b6ccec8b1b52f6018d

SHA1
24d735c4f17514ab9a68fe3344dcf0b23b99e99a

SHA256
5ea9bb338795bffa33da5581e5fe1c976a561f6dc32105635dcd518fbb5a33b4

SHA512
051720c8e9b5fa2fb754b361aee8681563d5edce393eb9bab004d496e7d5a2abfffab583936df4e7af24c11ee8f46c6973dbb52e162de0b66f187a057d764bad

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\ISPP.dll
Filesize
994KB

MD5
37f945c55cc916c2cb79eb9b063f9e46

SHA1
7ef72b485ff971d24d9d98bce4da803a28642768

SHA256
1be06b60090221d7a7d236d374ab4ff7e6a56013107f806be4bea2b79dad3703

SHA512
cce739d33e152d1606227d34c8c241954ee0643e9970a8858fad47a97c69986b715932638fa605cae3f639b208deeccc8b01b2ced135103634a830ed91e6af3e

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\ISPPBuiltins.iss
Filesize
10KB

MD5
bde376560fe6a3cad7a393a30cf863bf

SHA1
deaac09e57b97090329ec6eee5f6e147c238b7ec

SHA256
a7c5a10f4aac60862082985cfdf8bc5e703fa7fb9cfff4e1deb1d9452862057f

SHA512
43c94de9b7d29639168f3c10a333f5354d6ca69587fa086fa128be28a7b3e3c95d463eaf62c8b844c43fd4d7d1122ff25f0f782633ed8d59f36b5d5cb336ccce

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\LiveScreensaverCreator.exe
Filesize
5.2MB

MD5
9bea00faab802ecc7784fb8323cc1ff6

SHA1
744e723df975d0d512bfe384abfe09e07398ae51

SHA256
9e6bfd21c88607f962fa00eac5cb054eeb0daad5bae871cc1f07742992f5a7bd

SHA512
971a971b8f46a6450ed54c6bc496f63f31e47960877d04b150d641b829a6e68919421d029d1532bcbdc0a4addbee6d22fa7b533757425e5c819e4fb8008ced79

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\Setup.e32
Filesize
3.0MB

MD5
80de36c7c5092a3b21f923d408033df0

SHA1
55036034ab43264e53b41a7f9582e938e9ec557b

SHA256
088622096c373250d04e46de5cda072a921a89900c57988bbe52f1e308e48043

SHA512
4e4a4d6d10f8f3e732806abc9eb9d8f01455325bd92d68c6b195ced23e900c5cbd5931c5a80b8b8e6923a97face299e6965e7a8a7c2c1c6c2921db82c085a959

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\SetupLdr.e32
Filesize
813KB

MD5
410e3415c9ff3e83d68bdb4a3b513903

SHA1
c86daeb8822baf3a4889bddbc6aeca0ca25a320c

SHA256
86154d725c21660f220e957eb6dcaf73ca609eef486dcdce6d5d7c286abd03d5

SHA512
fcc2f69c1703b0fd0aa07883246909860ecfc6077b8a78a4f0260a5979cd8d5eb56bcbb2bdf734f81ff3012a34cd822f9d380088620784b24b308dfa90a33d22

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\icon.ico
Filesize
155KB

MD5
5c0d40a01b451941e856c7261bdfc7ac

SHA1
1575207e12921f9e4fce6002820aaecd2858b8e1

SHA256
cc5213e87eb184c852dcce9cd5f8d3d3d3223f5365b0cedc5f4f35d2b777f358

SHA512
9b54a53c18e17eca861848bfb96b48fca88ae7c46659fbed1e97ebb60eeffa0ff4b51e901fde0b9b55f9cceeac4d3f959e080a85a0b6525d5601d2e52a2fdfb2

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\islzma.dll
Filesize
88KB

MD5
a3ddc4cd74cc38811ca2ab4c7e51b8f6

SHA1
07963ac2321779410262fc65ee79395d3e2463a1

SHA256
0b2e19e473a47e10578b05a2f3b43ad96603f3ee1e397c06a280c3b7458a76e2

SHA512
baaafbda169958b9855394ffc6063034e73bfe54896a05f5e64fc754d1a72d3a45d55d665c6d71e325c9433116db769bc1913cc83327c6a5394e9d1f3ddefc17

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\ss.exe
Filesize
2.8MB

MD5
3866bd93ab8c237a9bc5c3d1d047c632

SHA1
7696fde299a1a1711f13d267f31b0c44a5981e97

SHA256
c05a3af16e2069e02c3c890d4dda948b0877761c9ec8a240a5e3f79e25c9f8a1

SHA512
6ef9bbe3987883214cd692f3c5abb432f78e11d965dcf1b9e1b6ed912c96df19644fef812fa69bf32be3741b6660982923568213e65dbe878946206db2a1fcc2

Download Submit
C:\Program Files (x86)\Ultra Screen Saver Maker\ussm.exe
Filesize
6.3MB

MD5
112c2f03fe651139465d896e17f77155

SHA1
89c590af52a060c7385978130681e0ca12347dda

SHA256
dfb9ffcecf7789723093dd47ed449c9b226550c26815993e9957679afff04c3a

SHA512
d271793ad80f482be2e8ee39816cb55c39d4df5c5b8e14c056bd02ab5878b5f37482121ec873c1a4b5a74a346484057601827ae51193b4d7cc0a0504a268f8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\AccessControl.dll
Filesize
13KB

MD5
9e7d36edcc188e166dee9552017ac94f

SHA1
0378843fe1e7fb2ad97b8432fbdcb44faa6fc48a

SHA256
d52a83c2a8551cebf48ff7a8d5930be1873bce990f855ccab4d7479cfeb22e3d

SHA512
92c31355cd124ba28c0ff9aa8fa34d5db9db0b093edb8978bc3cf94e1f72d526603d5d5c1e221dcb2ac6648bc420f4df9847c2b1e71046384d827814a77d1783

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\System.dll
Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\UserInfo.dll
Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\modern-wizard.bmp
Filesize
50KB

MD5
a1fe198047d3bc7fa0d6b40ed3f56487

SHA1
0b291e3c7cc1d634f0115c3541ca5f74f628a8b6

SHA256
78279eccf4b61be5fe39498aec40e9f3268d9a8ba38619fc2b901eaed61ac4f2

SHA512
060b610d860b026f5d1082457787b8445e15dcfe5ba3edfa4fcc561b5b0d5ef711763b12d3d2d3ff57384242504bb4cb5fb930f9591adb0324a3b957d6f61789

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\nsis_appid.dll
Filesize
3KB

MD5
19071761e91c43c115a16b52458869b7

SHA1
75ddb807157f1aa31a08f87be0270f60990bcbbc

SHA256
e9e1ba410636698d666b328eea71346b8287248d262e44da07ce8b5fa24c5e5f

SHA512
bc0eab51cf27f657cd3fd62a47894ee13f3f561feaa565f16ba15088be39be73c9839a3cf35b538219ec83a03d48970b89258c5f20c37bcaf76438998437786c

Download Submit
memory/876-110-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-115-0x0000000003130000-0x000000000331E000-memory.dmp

Filesize
1.9MB

Download
memory/876-111-0x0000000003130000-0x000000000331E000-memory.dmp

Filesize
1.9MB

Download
memory/876-129-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-131-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-132-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-133-0x0000000003F60000-0x0000000003F80000-memory.dmp

Filesize
128KB

Download
memory/876-134-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-137-0x0000000003130000-0x000000000331E000-memory.dmp

Filesize
1.9MB

Download
memory/876-136-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/876-140-0x0000000003130000-0x000000000331E000-memory.dmp

Filesize
1.9MB

Download
memory/4796-108-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download
memory/4796-145-0x0000000000400000-0x0000000000D3C000-memory.dmp

Filesize
9.2MB

Download