Analysis
Max time kernel: 132s
Max time network: 141s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 04-03-2021 02:56
Static task: static1
Behavioral task: behavioral1
  Sample: AAM UpdatesHtA.bin.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: AAM UpdatesHtA.bin.exe
  Resource: win10v20201028
General
Target: AAM UpdatesHtA.bin.exe
Size: 485KB
MD5: eb941fbca579d3c0966de86b904fc298
SHA1: d2aa567fa30befa6e082376b11587aa0f3b0d5b7
SHA256: d64afd9799d8de3f39a4ce99584fa67a615a667945532cfa3f702adbe27724c4
SHA512: 168e5fbbd86950cf409ac2f50d5b0b81c295d8c291077d974d1adad11313c3a4ccb9e5d623a5769136cce3eba33b35acb4f39f6fd1c9323ea0ceb46eb85991f5
Malware Config
Extracted: plugx
- 45.251.240.55:443
- 45.251.240.55:8080
- 45.251.240.55:8000
- EDysZYTmoiuUydWatmWb
Folder: AAM UpdatesHtA
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  556   AAM Updates.exe
  1080  AAM Updates.exe
Loads dropped DLL (7 IoCs)
Processes:
  pid   process
  1908  AAM UpdatesHtA.bin.exe (4 entries)
  556   AAM Updates.exe (2 entries)
  1080  AAM Updates.exe (1 entry)
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\AAM UpdatesHtA = "\"C:\\ProgramData\\AAM UpdatesHtA\\AAM Updates.exe\" 398" | AAM Updates.exe
- Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | AAM Updates.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AAM UpdatesHtA = "\"C:\\ProgramData\\AAM UpdatesHtA\\AAM Updates.exe\" 398" | AAM Updates.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run | AAM Updates.exe
Enumerates connected drives (3 TTPs, 1 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description | ioc | process):
- File opened (read-only) | \??\D: | AAM Updates.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main | AAM UpdatesHtA.bin.exe
Modifies registry class (4 IoCs)
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | AAM Updates.exe
- Key created | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000_CLASSES\ms-pu | AAM Updates.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\ms-pu\CLSID = 42004500390046003400360037003900390046003400360030003600390046000000 | AAM Updates.exe
- Key created | \REGISTRY\MACHINE\Software\CLASSES\ms-pu | AAM Updates.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1080  AAM Updates.exe (3 entries)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 1080 | AAM Updates.exe
- Token: SeDebugPrivilege | 1080 | AAM Updates.exe
- Token: SeTcbPrivilege | 1080 | AAM Updates.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  1908  AAM UpdatesHtA.bin.exe (2 entries)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
- PID 1908 wrote to memory of 556 | 1908 | AAM UpdatesHtA.bin.exe | AAM Updates.exe (7 entries)
- PID 556 wrote to memory of 1080 | 556 | AAM Updates.exe | AAM Updates.exe (7 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\AAM UpdatesHtA.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AAM UpdatesHtA.bin.exe"
   - Loads dropped DLL
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AAM Updates.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe
         Command line: "C:\ProgramData\AAM UpdatesHtA\AAM Updates.exe" 398
         - Executes dropped EXE
         - Loads dropped DLL
         - Enumerates connected drives
         - Modifies registry class
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
AAM Updates.exe (written to C:\ProgramData\AAM UpdatesHtA\ and C:\Users\Admin\AppData\Local\Temp\)
  MD5:    c70d8dce46b4551133ecc58aed84bf0e
  SHA1:   00626346632fdfb2a1d5831793e92a3601ec4d9f
  SHA256: 0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
  SHA512: 12117c7fa9acef9a2a8d7da53a2a435dd45298bb98439025e2c4a3bb0c8096675d5541c0b2eb7246164e2a19cd879f98c0a007b0f73691d59036822be01a6f92
HEX.dll, also listed as hex.dll (written to C:\ProgramData\AAM UpdatesHtA\ and C:\Users\Admin\AppData\Local\Temp\)
  MD5:    b061d981d224454ffd8d692cf7ee92b7
  SHA1:   2c93c30207786343f3de6ca540d14fefc237a9b4
  SHA256: 14f9278f3515fae71ccb8073cfaf73bdcc00eab3888d8cee6fb43a4f51c9e699
  SHA512: ac1923f62becd49f164f9ff6782468e554a6a13b5d00cff3fb889f8198d311004ecfe9658ccad58b348e2b39d4e8c51d9623e658d64a2fdcafa82e4b86493014
adobeupdate.dat (written to C:\ProgramData\AAM UpdatesHtA\ and C:\Users\Admin\AppData\Local\Temp\)
  MD5:    317705ca7476ac9a754b80fded717f6b
  SHA1:   ed690e1eb83b4a71529e2b8e92d9699f53171250
  SHA256: abd6521990e88bd18bbcba063744efe0ccac23063bb340720cc3f610d9b1c770
  SHA512: 2d452ab0fa2f2692061b1afb43bea1ead1bc47b328a00e8508e1121446646cb6ce686bf4d9538cdaf2c176ba0ae59df701930331cc52a3d94cc1ba9d64abf167
memory/556-13-0x0000000001D90000-0x00000000059C6000-memory.dmp (Filesize: 60.2MB)
memory/556-8-0x0000000000000000-mapping.dmp
memory/1080-17-0x0000000000000000-mapping.dmp
memory/1080-22-0x0000000001FD0000-0x0000000005C06000-memory.dmp (Filesize: 60.2MB)
memory/1884-3-0x000007FEF76B0000-0x000007FEF792A000-memory.dmp (Filesize: 2.5MB)
memory/1908-2-0x0000000076271000-0x0000000076273000-memory.dmp (Filesize: 8KB)