Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows11_x64
- resource: win11
- submitted: 21-10-2021 12:46
Tasks
- Static task static1
- Behavioral task behavioral1: Sample Software-update-patc_612604768.exe, Resource win7-ja-20211014
- Behavioral task behavioral2: Sample Software-update-patc_612604768.exe, Resource win7-en-20211014
- Behavioral task behavioral3: Sample Software-update-patc_612604768.exe, Resource win7-de-20211014
- Behavioral task behavioral4: Sample Software-update-patc_612604768.exe, Resource win11
- Behavioral task behavioral5: Sample Software-update-patc_612604768.exe, Resource win10-ja-20211014
- Behavioral task behavioral6: Sample Software-update-patc_612604768.exe, Resource win10-en-20210920
- Behavioral task behavioral7: Sample Software-update-patc_612604768.exe, Resource win10-de-20211014
General
- Target: Software-update-patc_612604768.exe
- Size: 4.7MB
- MD5: 567ab95af9696f0d0cea101efbd344f9
- SHA1: 78544ed738d9929e68b735448276c93166b61c37
- SHA256: 3bfbe7f602fdffa1b70a657767d1fa7cfe4f6111da191b94d1abe8f5d8f1ea3b
- SHA512: 36d16b04d74d41ef11b8dcef4c5e705d6660a0bb34c72abbd59fad36f37bde069b80af270dbd208b0956f1b8bd4abcb87cdb05a32265a6d4aeae2266dc7709bf
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 4492 | Software-update-patc_612604768.tmp
  - 1404 | Quibusdam.exe
- Sets service image path in registry (2 TTPs)
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  - 4492 | Software-update-patc_612604768.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (16 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Program Files (x86)\Dolore\quia\is-14RBT.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\quos\is-HJ4BO.tmp | Software-update-patc_612604768.tmp
  - File opened for modification | C:\Program Files (x86)\Dolore\unins000.dat | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\consectetur\is-OQ1RF.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\in\is-7EP6V.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\minus\is-6L40G.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\is-PUJ24.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\is-LNOS1.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\consectetur\is-HLL0Q.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\in\is-8U9VR.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\minus\is-GI0B6.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\quia\is-S2D7L.tmp | Software-update-patc_612604768.tmp
  - File opened for modification | C:\Program Files (x86)\Dolore\quia\Quibusdam.exe | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\unins000.dat | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\is-1AKHS.tmp | Software-update-patc_612604768.tmp
  - File created | C:\Program Files (x86)\Dolore\in\is-OQHOD.tmp | Software-update-patc_612604768.tmp
- Drops file in Windows directory (6 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
  - File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
  - File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
  - File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
  - File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
  - File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
  - Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
- Modifies data under HKEY_USERS (64 IoCs)
  Processes (description | ioc | process):
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WaaSMedicAgent.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | svchost.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | svchost.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 4492 | Software-update-patc_612604768.tmp
  - 4492 | Software-update-patc_612604768.tmp
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Processes (description | pid | process):
  - Token: SeShutdownPrivilege | 2344 | svchost.exe
  - Token: SeCreatePagefilePrivilege | 2344 | svchost.exe
  - Token: SeShutdownPrivilege | 2344 | svchost.exe
  - Token: SeCreatePagefilePrivilege | 2344 | svchost.exe
  - Token: SeShutdownPrivilege | 2344 | svchost.exe
  - Token: SeCreatePagefilePrivilege | 2344 | svchost.exe
  - Token: SeShutdownPrivilege | 3960 | svchost.exe
  - Token: SeCreatePagefilePrivilege | 3960 | svchost.exe
  - Token: SeTakeOwnershipPrivilege | 1796 | WaaSMedicAgent.exe
  - Token: SeSecurityPrivilege | 1796 | WaaSMedicAgent.exe
  - Token: SeRestorePrivilege | 1796 | WaaSMedicAgent.exe
  - Token: SeBackupPrivilege | 1796 | WaaSMedicAgent.exe
  - Token: SeShutdownPrivilege | 2344 | svchost.exe
  - Token: SeCreatePagefilePrivilege | 2344 | svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid | process):
  - 4492 | Software-update-patc_612604768.tmp
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  - PID 1904 wrote to memory of 4492 | 1904 | Software-update-patc_612604768.exe | Software-update-patc_612604768.tmp
  - PID 1904 wrote to memory of 4492 | 1904 | Software-update-patc_612604768.exe | Software-update-patc_612604768.tmp
  - PID 1904 wrote to memory of 4492 | 1904 | Software-update-patc_612604768.exe | Software-update-patc_612604768.tmp
  - PID 4492 wrote to memory of 1404 | 4492 | Software-update-patc_612604768.tmp | Quibusdam.exe
  - PID 4492 wrote to memory of 1404 | 4492 | Software-update-patc_612604768.tmp | Quibusdam.exe
  - PID 4492 wrote to memory of 1404 | 4492 | Software-update-patc_612604768.tmp | Quibusdam.exe
  - PID 3960 wrote to memory of 1044 | 3960 | svchost.exe | MoUsoCoreWorker.exe
  - PID 3960 wrote to memory of 1044 | 3960 | svchost.exe | MoUsoCoreWorker.exe
Processes (process tree; depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\is-H1C33.tmp\Software-update-patc_612604768.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-H1C33.tmp\Software-update-patc_612604768.tmp" /SL5="$50024,4477466,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_612604768.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
      Command line: "C:\Program Files (x86)\Dolore/\quia\Quibusdam.exe" 2fe3d428284ff9b385bc1c941892777b
      - Executes dropped EXE
- [1] C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe c3431efed8230d19195bab30b92fd153 jYw63YZejU+wjZUG9iM1eg.0.1.0.3.0
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
    Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- [1] C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe c3431efed8230d19195bab30b92fd153 jYw63YZejU+wjZUG9iM1eg.0.1.0.3.0
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Dolore\quia\Quibusdam.exe
  MD5: 9b872933c0915fc132fe0a8246ea9298
  SHA1: 603f68a5bd95bbfe1faa9bac3760e8a2b5ea4b08
  SHA256: da035b6389687dc5389b77c75b0ed3a99ce2e6cb1a0d7a96c29380a77f84d900
  SHA512: 27db5e85d4d3ae77428a58ce83f66d6f71c4131c473c2e8243423e223b4883621709bb517af5b675255eecbcd237aafc2ce7da712f64c45d91d472767b6dcade
- C:\Users\Admin\AppData\Local\Temp\is-H1C33.tmp\Software-update-patc_612604768.tmp
  MD5: 4caf2ca22417bb2cd44c0d0daf5fdd8b
  SHA1: bdb2b86d9c033785c9b1db5618986030b2852ffd
  SHA256: a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
  SHA512: ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
- C:\Users\Admin\AppData\Local\Temp\is-OPD53.tmp\_isetup\_iscrypt.dll
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
Memory dumps
- memory/1044-162-0x0000000000000000-mapping.dmp
- memory/1404-154-0x0000000000000000-mapping.dmp
- memory/1404-156-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
- memory/1404-157-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
- memory/1404-158-0x0000000004660000-0x0000000004661000-memory.dmp (Filesize 4KB)
- memory/1904-148-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
- memory/2344-160-0x0000024591920000-0x0000024591930000-memory.dmp (Filesize 64KB)
- memory/2344-159-0x0000024591360000-0x0000024591370000-memory.dmp (Filesize 64KB)
- memory/2344-161-0x0000024593FF0000-0x0000024593FF4000-memory.dmp (Filesize 16KB)
- memory/4492-153-0x0000000002400000-0x0000000002401000-memory.dmp (Filesize 4KB)
- memory/4492-149-0x0000000000000000-mapping.dmp