Overview

Task                    Platform        Score
Overview (overall)                      10
Static                                  8
44ad0656ef...d0.dll     windows7_x64    6
44ad0656ef...d0.dll     windows10_x64   6
63e28585c6...1b.exe     windows7_x64    8
63e28585c6...1b.exe     windows10_x64   8
77d426d73e...f7.exe     windows7_x64    10
77d426d73e...f7.exe     windows10_x64   10
7b79f71dab...a8.exe     windows7_x64    8
7b79f71dab...a8.exe     windows10_x64   8
95cff1b536...b3.exe     windows7_x64    10
95cff1b536...b3.exe     windows10_x64   10
c2ed23b08d...6c.exe     windows7_x64    8
c2ed23b08d...6c.exe     windows10_x64   8
d10a043f50...fd.exe     windows7_x64    10
d10a043f50...fd.exe     windows10_x64   10
e265a0c4cb...ed.exe     windows7_x64    7
e265a0c4cb...ed.exe     windows10_x64   7
Analysis

Max time kernel:   23s
Max time network:  115s
Platform:          windows10_x64
Resource:          win10v20201028
Submitted:         15-02-2021 04:40
Static task: static1

Behavioral tasks

Task          Sample                                                                  Resource
behavioral1   44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll   win7v20201028
behavioral2   44ad0656ef0e7e356ad7a37992d81bb2832fd6f7d420a9502627a77c43f8f8d0.dll   win10v20201028
behavioral3   63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe   win7v20201028
behavioral4   63e28585c6bf3c79b7f7c8c53533f3e0500ced3535ab1d6ffabb294a932c281b.exe   win10v20201028
behavioral5   77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7.exe   win7v20201028
behavioral6   77d426d73e3aeef4eb5f1ccf5e3815f52af9c4d6b86d43cc5533548a0ab764f7.exe   win10v20201028
behavioral7   7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   win7v20201028
behavioral8   7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   win10v20201028
behavioral9   95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3.exe   win7v20201028
behavioral10  95cff1b536234f6cb1b3682bf4d88a3b4583710450652a9d928f67149f1208b3.exe   win10v20201028
behavioral11  c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe   win7v20201028
behavioral12  c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe   win10v20201028
behavioral13  d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd.exe   win7v20201028
behavioral14  d10a043f50b47c93c7bdd522d777d62b6034134605449465c2cd3e66958be4fd.exe   win10v20201028
behavioral15  e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed.exe   win7v20201028
behavioral16  e265a0c4cb17501c0c96d3b9c996c27a6cb3479d20802c90ed9535d8e31075ed.exe   win10v20201028
General

Target:          7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe
Malware Config:  -
Signatures

Executes dropped EXE (1 IoCs)
  Processes:
    PID   Process
    4044  CompPkgSup.exe

  YARA matches:
    Resource                                        YARA rule
    C:\ProgramData\ComponentUpdater\CompPkgSup.exe  vmprotect
    C:\ProgramData\ComponentUpdater\CompPkgSup.exe  vmprotect

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    Description      IoC                                                                                                                                                       Process
    Key created      \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                               reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\PackagesSupport = "C:\\ProgramData\\ComponentUpdater\\CompPkgSup.exe"  reg.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Kills process with taskkill (1 IoCs)
  Processes:
    PID   Process
    3064  taskkill.exe

Modifies registry key (1 TTPs, 1 IoCs)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    Description              PID   Process
    Token: SeDebugPrivilege  3064  taskkill.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  Each write below was recorded three times (9 distinct parent/child pairs, 27 IoCs in total):
    Description                        PID   Process                                                                 Target process
    PID 3888 wrote to memory of 2536   3888  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   cmd.exe
    PID 2536 wrote to memory of 3064   2536  cmd.exe                                                                 taskkill.exe
    PID 3888 wrote to memory of 2584   3888  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   cmd.exe
    PID 3888 wrote to memory of 184    3888  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   cmd.exe
    PID 3888 wrote to memory of 740    3888  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   schtasks.exe
    PID 3888 wrote to memory of 2760   3888  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe   cmd.exe
    PID 2584 wrote to memory of 2504   2584  cmd.exe                                                                 attrib.exe
    PID 184 wrote to memory of 700     184   cmd.exe                                                                 attrib.exe
    PID 2760 wrote to memory of 4060   2760  cmd.exe                                                                 reg.exe

Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes:
    PID   Process
    2504  attrib.exe
    700   attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /F /IM CompPkgSup.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /F /IM CompPkgSup.exe
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: ATTRIB +h +s C:\ProgramData\ComponentUpdater
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\attrib.exe
            Command line: ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
            - Views/modifies file attributes

    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "PackagesSupport" /tr "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\reg.exe
            Command line: reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
            - Adds Run key to start application
            - Modifies registry key

[1] C:\ProgramData\ComponentUpdater\CompPkgSup.exe
    Command line: C:\ProgramData\ComponentUpdater\CompPkgSup.exe
    - Executes dropped EXE
Network
-

MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\ProgramData\ComponentUpdater\CompPkgSup.exe
  MD5:     f9f30b7f542749d343862f6b7b35aed7
  SHA1:    f3b220fdd7c3b9b534c88a53d9ef26b67fe6345e
  SHA256:  7b79f71dab448bf9fb7e6686894fbb342bacdfe6e058a0d0efbf3453fa366da8
  SHA512:  7edd1dda6363b375024dddf5f5d5cc214dc3602c2a72012bf851cab3979e8ae6f06cf72e58f6f8d7aac7642519ac6f6f6c162fc92cbddcc625b2776b985b6202

Memory dumps:
  memory/184-5-0x0000000000000000-mapping.dmp
  memory/700-9-0x0000000000000000-mapping.dmp
  memory/740-6-0x0000000000000000-mapping.dmp
  memory/2504-8-0x0000000000000000-mapping.dmp
  memory/2536-2-0x0000000000000000-mapping.dmp
  memory/2584-4-0x0000000000000000-mapping.dmp
  memory/2760-7-0x0000000000000000-mapping.dmp
  memory/3064-3-0x0000000000000000-mapping.dmp
  memory/4060-11-0x0000000000000000-mapping.dmp