Analysis
- Max time kernel: 35s
- Max time network: 126s
- Platform: windows10_x64
- Resource: win10v20201028
- Submitted: 05-04-2021 20:57
- Static task: static1
- Behavioral task: behavioral1 (sample: updatechannel3.exe, resource: win7v20201028)
- Behavioral task: behavioral2 (sample: updatechannel3.exe, resource: win10v20201028)
General
- Target: updatechannel3.exe
- Size: 12KB
- MD5: 4f50605a46c47d765ff37b8751760505
- SHA1: 61644ff438213b0d3bd7d439f538278f09c45ee5
- SHA256: 0ecb8ecf9516eba75d193a532fbbd5acd5d5c8794eb69c97110a911323c65584
- SHA512: 1a4c5f186213de6a48d1c4d94419efd460babb927482628578c6749cf6b8cb4e06caf854d5a8b14ee9b432585364e5051563b41d1d6810103a6a2a2fe1835e56
Malware Config
Extracted
- Family: raccoon
- 3d7990f080e9dcb56104447e3789dec4380efc8b
- url4cnc: https://telete.in/jvadikkamushkin
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    PID 2236  txNV8lUmrL5MZGY0vfhAAwyk.exe
    PID 3092  3UpGTFZVNboVxGDX2x4ob3CN.exe
- Loads dropped DLL (1 IoC)
  Processes:
    PID 3092  3UpGTFZVNboVxGDX2x4ob3CN.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes (process: action, IoC):
    updatechannel3.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\jTQWprYmh0fMVg8m7Oyv3BaaQWLYa0r6 = "C:\\Users\\Admin\\Documents\\txNV8lUmrL5MZGY0vfhAAwyk.exe"
    txNV8lUmrL5MZGY0vfhAAwyk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xgfQ2ZTYcloFyyU5uo2S0tWFQ6M2M106 = "C:\\Users\\Admin\\AppData\\Roaming\\3UpGTFZVNboVxGDX2x4ob3CN.exe"
    txNV8lUmrL5MZGY0vfhAAwyk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\xbnGjNrAeDVFpgWozdkbOXxDJZA6MbMl = "C:\\Users\\Admin\\AppData\\Roaming\\DdGamEekZycyqUmKcJYVGHpo.exe"
    txNV8lUmrL5MZGY0vfhAAwyk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\vsSWKOWg62xxXRaujhDtQYsanj6JNvxD = "C:\\Users\\Admin\\AppData\\Roaming\\kdKccOCLGrGXjVZx7Uj5J9DV.exe"
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    PID 4452  timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (PID, process: token):
    4704  updatechannel3.exe: SeDebugPrivilege
    2236  txNV8lUmrL5MZGY0vfhAAwyk.exe: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process -> target PID, target process; repeated writes counted):
    4704  updatechannel3.exe -> 2236  txNV8lUmrL5MZGY0vfhAAwyk.exe (x2)
    2236  txNV8lUmrL5MZGY0vfhAAwyk.exe -> 3092  3UpGTFZVNboVxGDX2x4ob3CN.exe (x3)
    3092  3UpGTFZVNboVxGDX2x4ob3CN.exe -> 4500  cmd.exe (x3)
    4500  cmd.exe -> 4452  timeout.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\updatechannel3.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\updatechannel3.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe (level 2)
    Command line: "C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (level 4)
        Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe (level 5)
          Command line: timeout /T 10 /NOBREAK
          - Delays execution with timeout.exe
Downloads
- C:\Users\Admin\AppData\Roaming\3UpGTFZVNboVxGDX2x4ob3CN.exe
  MD5: 28345a7bb63babaf99e760965ce493b7
  SHA1: 7e752390f6ebca4e1e8889302549be4dd0845f62
  SHA256: f9349585a2393d4378e283e73fc48d04941666ec0ccae4dd2fb68c2cad7ac9a1
  SHA512: d0692febe87dafca3db8b8934003f3b3c7d9bddd3761c60c4945878787b410b581eea042cb133dd255ab4f41e473f43571d45612eaedcc3508a49b63c4594ce5
- C:\Users\Admin\Documents\txNV8lUmrL5MZGY0vfhAAwyk.exe
  MD5: 6be41709f8bfbf06307cc56d04249801
  SHA1: 911d8ade72bef752233237351fbdb7a9f96e2cf0
  SHA256: 0099e62ea3beb0f1631eb088bd697fd829963713ef4cb0e3a0a72b8c950c2383
  SHA512: 8bc24e5f249ec4184ffba0db11dfcd7fc6bc7eae13af6ef8032abb0805f6fb61312759e7b5c46aa55a5d983e97148e3a071daec1fc38620baf4440a01c11150a
- \Users\Admin\AppData\LocalLow\sqlite3.dll
  MD5: f964811b68f9f1487c2b41e1aef576ce
  SHA1: b423959793f14b1416bc3b7051bed58a1034025f
  SHA256: 83bc57dcf282264f2b00c21ce0339eac20fcb7401f7c5472c0cd0c014844e5f7
  SHA512: 565b1a7291c6fcb63205907fcd9e72fc2e11ca945afc4468c378edba882e2f314c2ac21a7263880ff7d4b84c2a1678024c1ac9971ac1c1de2bfa4248ec0f98c4
Memory dumps (PID-index, address range, size):
- 2236-7   mapping.dmp
- 2236-10  0x00007FF8525B0000-0x00007FF852F9C000  9.9MB
- 2236-11  0x0000000000DB0000-0x0000000000DB1000  4KB
- 2236-13  0x0000000002EA0000-0x0000000002EA2000  8KB
- 3092-14  mapping.dmp
- 3092-17  0x0000000001D30000-0x0000000001D31000  4KB
- 3092-18  0x0000000001D30000-0x0000000001DC1000  580KB
- 3092-19  0x0000000000400000-0x0000000000492000  584KB
- 4452-22  mapping.dmp
- 4500-21  mapping.dmp
- 4704-2   0x0000000073CE0000-0x00000000743CE000  6.9MB
- 4704-3   0x0000000000240000-0x0000000000241000  4KB
- 4704-5   0x00000000049F0000-0x00000000049F1000  4KB
- 4704-6   0x00000000058E0000-0x00000000058E1000  4KB