Overview

overview

8

Static

static

PatchClean....0.exe

windows7_x64

8

PatchClean....0.exe

windows10_x64

8

Analysis

  • max time kernel
    135s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    16/04/2021, 03:57

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PatchCleaner_1.4.2.0.exe

  • Size

    1.3MB

  • MD5

    70d0bd7633d10c492839272c97b2544e

  • SHA1

    4da0e8c2fe1f06b13985d700fe15686a1015c3bb

  • SHA256

    6472de894c5cb6050fd80cdd893b8772aef71f8bdb5c65a0175cf7cbb90e6ec6

  • SHA512

    99d43ed2060eb6371a54f73af407fe4cc7644a93e5f856419ad0cb8769b2664139cb9097ff4be4b8dbb93f2c5da4fc90bc48eeac6fe0b3df5f8bc12428b5b5b2

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\PatchCleaner_1.4.2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\7zS1DCE.tmp\setup.exe
      .\setup.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\7zS1DCE.tmp\PatchCleaner.msi"
        3⤵
        • Blocklisted process makes network request
        • Enumerates connected drives
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2120
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E86733A00DED7A2FBB1B787F3162CE50 C
      2⤵
      • Loads dropped DLL
      PID:3660
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2036
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 89AB3CA606C61698F0B387604B0CD310
        2⤵
        • Loads dropped DLL
        PID:800
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
        PID:3948
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
        1⤵
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        PID:2692
      • C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe
        "C:\Program Files (x86)\HomeDev\PatchCleaner\PatchCleaner.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:3312
        • C:\Windows\System32\cscript.exe
          "C:\Windows\System32\cscript.exe" //B //Nologo WMIProducts.vbs
          2⤵
          • Drops file in Program Files directory
          PID:2720

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/3312-154-0x000001F2C0704000-0x000001F2C0705000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-152-0x000001F2C0700000-0x000001F2C0702000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3312-155-0x000001F2C4620000-0x000001F2C4621000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-146-0x000001F2A7CF0000-0x000001F2A7CF1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-157-0x000001F2C6320000-0x000001F2C6321000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-158-0x000001F2C62E0000-0x000001F2C62E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-159-0x000001F2C0705000-0x000001F2C0707000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3312-148-0x000001F2A66A0000-0x000001F2A66A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-143-0x000001F2A6030000-0x000001F2A6031000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-153-0x000001F2C0702000-0x000001F2C0704000-memory.dmp

              Filesize

              8KB

              Download

            • memory/3312-164-0x000001F2C6EB0000-0x000001F2C6EB1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-150-0x000001F2A7E40000-0x000001F2A7E41000-memory.dmp

              Filesize

              4KB

              Download

            • memory/3312-167-0x000001F2C45F0000-0x000001F2C45F1000-memory.dmp

              Filesize

              4KB

              Download