Analysis

max time kernel: 150s
max time network: 147s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 20:51

Static task: static1
Behavioral task: behavioral1
Sample: 2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe
Resource: win7v20201028
General

Target: 2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe
Size: 746KB
MD5: 614176a1e8e22a51c1106403ce3d1423
SHA1: 482ea2b067d059eef45ee47fdb782a0e24fdab8e
SHA256: 2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279
SHA512: 4db9c64c491c0e9574616596497f7be9e9abece4d3cc68c66d5f91c4b223b88bbe8ea192aa90cedc8c63b7caa9ce44ad00d89394850787b019ce51b1aa93a6f8
Malware Config
(none extracted in this report)
Signatures

- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" | UPC.exe
  The stock UserInit value is userinit.exe alone. The appended second path is launched by Winlogon at every interactive logon of every user on the machine (it is an HKLM value), independently of the per-user Run key below, so removing only the Run key leaves the persistence in place.

- Executes dropped EXE (4 IoCs)
  Processes:
  pid  | process
  3012 | 0.exe
  2912 | UPC.sfx.exe
  936  | UPC.exe
  2128 | svchost.exe

- YARA rule match: upx (the signature title itself was lost in extraction; only its table survived)
  Processes:
  resource                                                | yara_rule
  C:\Users\Admin\AppData\Local\Temp\1\UPC.exe             | upx
  C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe | upx
  (each resource was listed twice in the report; both files are UPX-packed and, per the Downloads section, byte-identical)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check before the payload proceeds.
  Processes:
  description       | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation | UPC.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" | UPC.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" | svchost.exe
  Both the dropper (UPC.exe) and the dropped copy (svchost.exe) write the same value: the copy re-asserts its own Run key each time it starts.

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature reads "likely ransomware behaviour"; nothing else in this report (no mass file writes, ransom note or shadow-copy deletion is recorded) supports that classification on its own.

- Modifies registry class (1 IoC)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | UPC.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid  | process
  2128 | svchost.exe

- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: UPC.exe (pid 936) and svchost.exe (pid 2128) each adjusted the same 24 privileges on their own token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  The four numeric entries are privilege LUIDs the sandbox did not resolve to names; on current Windows builds they are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Requesting the whole set at once, SeDebugPrivilege included, is the "enable every privilege the token holds" pattern rather than a targeted request. Identical lists from both processes are expected, since svchost.exe is a copy of UPC.exe (see Downloads).

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  | process
  2128 | svchost.exe

- Suspicious use of WriteProcessMemory (42 IoCs)
  Processes (writer pid and image, target pid and image, number of recorded writes):
  2268 2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe | 3012 0.exe       | 3
  3012 0.exe                                                                | 3992 cmd.exe     | 2
  3992 cmd.exe                                                              | 2912 UPC.sfx.exe | 3
  2912 UPC.sfx.exe                                                          | 936 UPC.exe      | 3
  936 UPC.exe                                                               | 3496 cmd.exe     | 3
  3496 cmd.exe                                                              | 1572 attrib.exe  | 3
  936 UPC.exe                                                               | 2128 svchost.exe | 3
  2128 svchost.exe                                                          | 4000 notepad.exe | 22
  The two or three writes each parent makes into a child it has just created are the normal cost of process creation and appear for every spawn in the tree. The 22 writes from svchost.exe into notepad.exe, a child started with no arguments that records no activity of its own, stand apart and are consistent with code being injected into notepad.exe; the memory dumps under Downloads include a 4KB region captured from pid 4000.

- Views/modifies file attributes (1 TTP, 1 IoC)
  attrib.exe (pid 1572) sets +s +h on C:\Users\Admin\AppData\Local\Temp\1 (see the process tree).
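The two registry IoCs above (the HKLM Winlogon\UserInit value and the per-user Run key) are what a responder would hunt for across a fleet. The following Python is an added example, not the sandbox's signature code and not anything from the sample: it parses "Set value" events in the exact line shape this report uses, flags UserInit values that carry anything beyond the stock userinit.exe, Run-key targets that live in user-writable directories, and system-binary names such as svchost.exe that sit outside System32/SysWOW64. The three event lines are constructed (the first two copy this report's IoCs, the third is a benign control), and the writable-directory list, the system-name list and the masquerade rule are my assumptions, not the sandbox's logic.

```python
"""Registry-persistence triage for 'Set value' events in the shape this sandbox report uses.

Added example: not the sandbox's own code and not the sample's.  SAMPLE_EVENTS is constructed
(two lines copy the report's IoCs, one is a benign control); the heuristics are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample events in the report's own format: 'Set value (str) <key> = "<value>" <process>'
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" UPC.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\svchost.exe" UPC.exe',
    # Benign control (constructed): a vendor updater registered from Program Files.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Program Files\\Vendor\\updater.exe" setup.exe',
]

EVENT_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+)$')
PATH_RE = re.compile(r'^"?(.+?\.exe)', re.I)                 # first executable path of a command line
USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"       # stock UserInit value (trailing comma aside)
# Assumed lists: directories a standard user can write to, and names worth a masquerade check.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "services.exe"}


@dataclass
class Finding:
    key: str
    target: str
    process: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Return (kind, key, value, process) with the report's doubled backslashes collapsed, or None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    kind, key, value, proc = m.groups()
    return kind, key, value.replace("\\\\", "\\"), proc


def persistence_targets(key, value):
    """Yield (target_path, reason_or_None) for the two persistence locations this sample uses."""
    lkey = key.lower()
    if lkey.endswith(r"\winlogon\userinit"):
        # UserInit is a comma-separated list; anything beyond the stock entry runs at every logon.
        for entry in (e.strip() for e in value.split(",")):
            if entry and entry.lower() != USERINIT_DEFAULT:
                yield entry, "extra Winlogon\\UserInit entry (runs for every interactive logon)"
    elif "\\currentversion\\run\\" in lkey:
        m = PATH_RE.match(value)
        target = m.group(1) if m else value
        writable = USER_WRITABLE.search(target) is not None
        yield target, ("Run key target in a user-writable directory" if writable else None)


def analyse(lines):
    """Run every event through the persistence rules and the masquerade check; return Findings."""
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _, key, value, proc = parsed
        for target, reason in persistence_targets(key, value):
            reasons = [reason] if reason else []
            name = target.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not SYSTEM_DIR.match(target):
                reasons.append(f"{name} masquerade: lives outside System32/SysWOW64")
            if reasons:
                findings.append(Finding(key, target, proc, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.process}: {f.key}\n    -> {f.target}\n    " + "; ".join(f.reasons))
```

On the report's two IoC lines the script returns two findings, each with two reasons (the Temp location and the svchost.exe name), and nothing for the control line. For a live host the same rules apply to the output of `reg query` or a Sysmon EventID 13 feed; the parsing is the only part that changes.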
Processes

1. C:\Users\Admin\AppData\Local\Temp\2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe (pid 2268)
   "C:\Users\Admin\AppData\Local\Temp\2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\2\0.exe (pid 3012)
      "C:\Users\Admin\AppData\Local\Temp\2\0.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\System32\cmd.exe (pid 3992)
         "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\72C4.tmp\72D5.bat C:\Users\Admin\AppData\Local\Temp\2\0.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\2\UPC.sfx.exe (pid 2912)
            UPC.sfx.exe -p43434325gfhfcghjgjkghkjhgjlkhjlhgjkfghjdrhfgvjsr
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Local\Temp\1\UPC.exe (pid 936)
               "C:\Users\Admin\AppData\Local\Temp\1\UPC.exe"
               - Modifies WinLogon for persistence
               - Executes dropped EXE
               - Checks computer location settings
               - Adds Run key to start application
               - Modifies registry class
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\cmd.exe (pid 3496)
                  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1" +s +h
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\attrib.exe (pid 1572)
                     attrib "C:\Users\Admin\AppData\Local\Temp\1" +s +h
                     - Views/modifies file attributes
               6. C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe (pid 2128)
                  "C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe"
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\notepad.exe (pid 4000)
                     notepad

Reading the tree (each entry gives the image path, the pid taken from the WriteProcessMemory section, the command line, then the matched signatures; the leading number is the depth):
- The submitted sample drops 0.exe and runs it. 0.exe unpacks a batch file to %TEMP%\72C4.tmp\72D5.bat and runs it through the 64-bit cmd.exe (the sysnative alias is how a 32-bit process reaches the real System32 on x64), passing its own path as the first argument. That layout is typical of batch-to-EXE wrappers, so 72D5.bat rather than 0.exe is the stage worth reading.
- The batch runs UPC.sfx.exe with a -p<password> switch. That is the password option of a self-extracting archive (the naming is consistent with a WinRAR SFX module), and the password sits in clear text in the batch file, so the archive can be opened offline with the same password to recover UPC.exe without executing anything.
- UPC.exe (UPX-packed) hides its own directory with attrib +s +h (System + Hidden items are filtered out of Explorer unless protected operating system files are shown), copies itself to %TEMP%\Microsoft\svchost.exe (same hashes as UPC.exe, see Downloads) and registers that copy both in the HKLM Winlogon\UserInit value and in the user's Run key. The file name is a masquerade: the real svchost.exe lives in System32/SysWOW64 and is started by services.exe, never from a user's Temp directory.
- The copy starts notepad.exe with no arguments and writes into it 22 times; notepad.exe records no signatures of its own, and the memory dumps under Downloads include a 4KB region captured from pid 4000. No network indicators are recorded in this extract, so whatever runs inside notepad.exe was not seen calling out during the 147s network window.
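The WriteProcessMemory list in the Signatures section and the tree above carry the same information in two forms. The following Python is an added example (not the sandbox's code and not the sample's): it rebuilds the parent/child tree from "wrote to memory of" lines in the report's format, treating the first process that writes into a pid as its creator, and separates the two or three start-up writes every creator makes into its child from the 22 writes svchost.exe makes into notepad.exe. The input lines are constructed from the 42 entries in the Signatures section; the threshold of five writes is an assumption that fits this report, not a general rule.

```python
"""Process tree and cross-process write triage for a sandbox's WriteProcessMemory events.

Added example: not the sandbox's code or the sample's.  REPORT_WRITES condenses the 42
'wrote to memory of' entries in the report; SAMPLE_LINES expands them back to one line per
write, in the report's own format, as constructed input for the parser.  The injection
threshold is an assumption for this report."""
import re
from collections import Counter

SAMPLE = "2bfcc18ff3157d5b800d7d8f3d2ca77a131f228a7e37c64632977073efa9d279.exe"

# (writer pid, writer image, target pid, target image, number of writes), in report order
REPORT_WRITES = [
    (2268, SAMPLE, 3012, "0.exe", 3),
    (3012, "0.exe", 3992, "cmd.exe", 2),
    (3992, "cmd.exe", 2912, "UPC.sfx.exe", 3),
    (2912, "UPC.sfx.exe", 936, "UPC.exe", 3),
    (936, "UPC.exe", 3496, "cmd.exe", 3),
    (3496, "cmd.exe", 1572, "attrib.exe", 3),
    (936, "UPC.exe", 2128, "svchost.exe", 3),
    (2128, "svchost.exe", 4000, "notepad.exe", 22),
]

# Constructed input: the report's one-line-per-write form, e.g.
# "PID 2268 wrote to memory of 3012 2268 <writer image> <target image>"
SAMPLE_LINES = [
    f"PID {src} wrote to memory of {dst} {src} {sname} {dname}"
    for src, sname, dst, dname, n in REPORT_WRITES
    for _ in range(n)
]

LINE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)$")


def parse_write(line):
    """Return (writer pid, writer image, target pid, target image) or None for a non-matching line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst, sname, dname = m.groups()
    return int(src), sname, int(dst), dname


def aggregate(lines):
    """Count writes per (writer pid, writer image, target pid, target image); first-seen order is kept."""
    counts = Counter()
    for line in lines:
        rec = parse_write(line)
        if rec is not None:
            counts[rec] += 1
    return counts


def process_tree(counts):
    """Infer parent->children from who first wrote into each pid (a creator's start-up writes)."""
    children, parent_of, names = {}, {}, {}
    for src, sname, dst, dname in counts:
        names[src], names[dst] = sname, dname
        parent_of.setdefault(dst, src)
        children.setdefault(src, [])
        if dst not in children[src]:
            children[src].append(dst)
    roots = [pid for pid in children if pid not in parent_of]
    return roots, children, names


def flag_injection(counts, threshold=5):
    """Writer/target pairs with more writes than process creation needs (2-3 here) are injection candidates."""
    return [(key, n) for key, n in counts.items() if n >= threshold]


def render_tree(roots, children, names):
    """Indented text tree, one process per line, in first-seen order."""
    out = []

    def walk(pid, depth):
        out.append(f"{'  ' * depth}{names[pid]} (pid {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


if __name__ == "__main__":
    counts = aggregate(SAMPLE_LINES)
    roots, children, names = process_tree(counts)
    print("\n".join(render_tree(roots, children, names)))
    for (src, sname, dst, dname), n in flag_injection(counts):
        print(f"injection candidate: {sname} ({src}) -> {dname} ({dst}): {n} writes")
```

On this report the tree comes out with nine processes under the single root pid 2268, and only the svchost.exe to notepad.exe pair crosses the threshold. Treating the first writer as the creator is a shortcut that holds here because the sandbox lists events in order; on a host the parent pid from Sysmon EventID 1 is the authoritative source, and the write counts (EventID 8/10 style telemetry) are what the threshold is applied to.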
Network
(no network indicators recorded in this extract)

MITRE ATT&CK Matrix (ATT&CK v6)
(not captured in this extract)
Downloads
Dropped files (each entry appeared twice in the report; listed once here, hashes unchanged)

C:\Users\Admin\AppData\Local\Temp\1\UPC.exe
MD5: e7f0c59ca166b1226032afcc2a595abe
SHA1: f6c1903c44c32547d980fddf2803d111916ddad2
SHA256: f234484af5c2e9160c57a25423af367d8704f80bc991f5f0d3471f9deb74c140
SHA512: 6b016c8ec618908b6f140d7456daaf1728c62c1621b4dfc583247522d4cd4bfa39d653868237db7e250276f87951108be712e03da98d40e88571ca2c69fd1489

C:\Users\Admin\AppData\Local\Temp\2\0.exe
MD5: d47cb093de7d3980b54a894310d712c6
SHA1: e68ab2b2a9b190ba73053326cb1496c76270d84b
SHA256: 51c85e3a6b80c75d0efddeb0bc7e9940d0c6753306dd6ffa5ffb5cf59d2894d4
SHA512: 58a24861a3ee7c4e28f61fffdeb9e4e503054f0b6f3ea152541340b1ac90e7fb3687c5be9dc178d383e528284b555b06fea76d35161ea7b21aa71e20f131b4b8

C:\Users\Admin\AppData\Local\Temp\2\UPC.sfx.exe
MD5: 2759b2b1bd638ab68fe28f29d6302ce2
SHA1: cc8d631e4192749f05b98ae08cb73173aeb778fd
SHA256: 459bda39e5fec6ac92933006d8e9993b7942a9445a2de4c4e2daa9ec546b07af
SHA512: cf01b2b799e03c69d5e6cd618e87454a45d66038da867dfb2063c93a657b83d58602ab695b850d1f882c2e816715574d4c307bfb58b48fd2178eb75d34b389bf

C:\Users\Admin\AppData\Local\Temp\72C4.tmp\72D5.bat
MD5: 409d7fa8239971ab6329e6d9a54b5bbf
SHA1: 22827c4d3619474aa39859644c912710e2b97eb4
SHA256: d07057af15d3b5f41895459978b87db7dcbdb27b7b11db134ab3f321fef43440
SHA512: 8f2b5a6e3ae5f1594462641146ec468c65a95bb30fb40ef76a39c4387f1f0add995719a266be38bfa5590335cc13e514a8ff9752116ff21ce85005d03104655e

C:\Users\Admin\AppData\Local\Temp\Microsoft\svchost.exe
MD5: e7f0c59ca166b1226032afcc2a595abe
SHA1: f6c1903c44c32547d980fddf2803d111916ddad2
SHA256: f234484af5c2e9160c57a25423af367d8704f80bc991f5f0d3471f9deb74c140
SHA512: 6b016c8ec618908b6f140d7456daaf1728c62c1621b4dfc583247522d4cd4bfa39d653868237db7e250276f87951108be712e03da98d40e88571ca2c69fd1489
(identical on every hash to C:\Users\Admin\AppData\Local\Temp\1\UPC.exe: the persisted svchost.exe is a byte-for-byte copy, so one hash set covers both files)

Memory dumps

memory/936-10-0x0000000000000000-mapping.dmp
memory/1572-14-0x0000000000000000-mapping.dmp
memory/2128-15-0x0000000000000000-mapping.dmp
memory/2912-7-0x0000000000000000-mapping.dmp
memory/3012-2-0x0000000000000000-mapping.dmp
memory/3496-13-0x0000000000000000-mapping.dmp
memory/3992-5-0x0000000000000000-mapping.dmp
memory/4000-18-0x0000000000000000-mapping.dmp
memory/4000-19-0x0000000002990000-0x0000000002991000-memory.dmp (filesize 4KB)
memory/4000-20-0x0000000000000000-mapping.dmp
(only one entry carries an address range and a size: the 4KB region at 0x2990000 in notepad.exe, pid 4000, the target of the 22 WriteProcessMemory calls from svchost.exe)