Analysis
- max time kernel: 146s
- max time network: 167s
- platform: windows11_x64
- resource: win11
- submitted: 21-10-2021 12:47
Static task: static1
Behavioral tasks (task, sample, resource):
- behavioral1: Software-update-patc_579570356.exe on win7-ja-20211014
- behavioral2: Software-update-patc_579570356.exe on win7-en-20210920
- behavioral3: Software-update-patc_579570356.exe on win7-de-20210920
- behavioral4: Software-update-patc_579570356.exe on win11
- behavioral5: Software-update-patc_579570356.exe on win10-ja-20211014
- behavioral6: Software-update-patc_579570356.exe on win10-en-20211014
- behavioral7: Software-update-patc_579570356.exe on win10-de-20210920
General
- Target: Software-update-patc_579570356.exe
- Size: 4.7MB
- MD5: c027026e244f74549a49e1f98216719c
- SHA1: 9e9b4459e9225a432eef8f97b9193707dd7247b5
- SHA256: bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781
- SHA512: 68953341f9dc46daae4e738bd4418bca5edb22035958ddba46de86cf6e44c8731f49f52763f3addc6e4d5a6cfcb48ee5b1345a2727ba7983b07a9322ae2713d7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1352 Software-update-patc_579570356.tmp
    3184 Voluptatem.exe
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
    1352 Software-update-patc_579570356.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (20 IoCs)
  Processes (description, ioc, process), all by Software-update-patc_579570356.tmp:
    File created: C:\Program Files (x86)\Autem\eaque\is-ED1UF.tmp
    File created: C:\Program Files (x86)\Autem\rerum\is-VA382.tmp
    File opened for modification: C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
    File created: C:\Program Files (x86)\Autem\unins000.dat
    File created: C:\Program Files (x86)\Autem\is-MRI2U.tmp
    File created: C:\Program Files (x86)\Autem\is-F5ICT.tmp
    File created: C:\Program Files (x86)\Autem\eaque\is-0K8CG.tmp
    File created: C:\Program Files (x86)\Autem\rerum\is-9116H.tmp
    File created: C:\Program Files (x86)\Autem\is-NCVVV.tmp
    File created: C:\Program Files (x86)\Autem\is-KJ43S.tmp
    File created: C:\Program Files (x86)\Autem\is-6UN1S.tmp
    File created: C:\Program Files (x86)\Autem\rerum\is-46M9F.tmp
    File created: C:\Program Files (x86)\Autem\rerum\is-GPC2A.tmp
    File opened for modification: C:\Program Files (x86)\Autem\unins000.dat
    File created: C:\Program Files (x86)\Autem\is-B685H.tmp
    File created: C:\Program Files (x86)\Autem\is-HNE0H.tmp
    File created: C:\Program Files (x86)\Autem\eaque\is-SJJQ3.tmp
    File created: C:\Program Files (x86)\Autem\eaque\is-M0FC0.tmp
    File created: C:\Program Files (x86)\Autem\eaque\is-O7S7N.tmp
    File created: C:\Program Files (x86)\Autem\rerum\is-F2AT2.tmp
- Drops file in Windows directory (6 IoCs)
  Processes (description, ioc, process), all by svchost.exe:
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
    File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
    File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
    File opened for modification: C:\Windows\WindowsUpdate.log
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process), all by svchost.exe:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key opened: \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: svchost.exe, WaaSMedicAgent.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    1352 Software-update-patc_579570356.tmp
    1352 Software-update-patc_579570356.tmp
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes (description, pid, process):
    Token: SeShutdownPrivilege 3228 svchost.exe
    Token: SeCreatePagefilePrivilege 3228 svchost.exe
    Token: SeShutdownPrivilege 3228 svchost.exe
    Token: SeCreatePagefilePrivilege 3228 svchost.exe
    Token: SeShutdownPrivilege 3228 svchost.exe
    Token: SeCreatePagefilePrivilege 3228 svchost.exe
    Token: SeShutdownPrivilege 2424 svchost.exe
    Token: SeCreatePagefilePrivilege 2424 svchost.exe
    Token: SeShutdownPrivilege 3228 svchost.exe
    Token: SeCreatePagefilePrivilege 3228 svchost.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    1352 Software-update-patc_579570356.tmp
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 2876 wrote to memory of 1352: Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 2876 wrote to memory of 1352: Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 2876 wrote to memory of 1352: Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 2424 wrote to memory of 2896: svchost.exe -> MoUsoCoreWorker.exe
    PID 2424 wrote to memory of 2896: svchost.exe -> MoUsoCoreWorker.exe
    PID 1352 wrote to memory of 3184: Software-update-patc_579570356.tmp -> Voluptatem.exe
    PID 1352 wrote to memory of 3184: Software-update-patc_579570356.tmp -> Voluptatem.exe
    PID 1352 wrote to memory of 3184: Software-update-patc_579570356.tmp -> Voluptatem.exe
Processes (indented entries are child processes of the entry above)
- C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp" /SL5="$300DE,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
      Command line: "C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59
      Signatures: Executes dropped EXE
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  Signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  Signatures: Checks processor information in registry; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
    Command line: C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
- C:\Windows\System32\WaaSMedicAgent.exe
  Command line: C:\Windows\System32\WaaSMedicAgent.exe c774ae850a147911a5db09a6d89eda2e bsSRGFB8/Uy8c9zPqT2v2Q.0.1.0.3.0
  Signatures: Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
  MD5: 0c56ac590273d1feb7c0564c809915a5
  SHA1: 2a17747673000c17634113e634e4166152a88688
  SHA256: 850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e
  SHA512: 95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4
- C:\Users\Admin\AppData\Local\Temp\is-O0FK6.tmp\_isetup\_iscrypt.dll
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp
  MD5: 4caf2ca22417bb2cd44c0d0daf5fdd8b
  SHA1: bdb2b86d9c033785c9b1db5618986030b2852ffd
  SHA256: a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
  SHA512: ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
- memory/1352-156-0x00000000022C0000-0x00000000022C1000-memory.dmp (filesize 4KB)
- memory/1352-151-0x0000000000000000-mapping.dmp
- memory/2876-154-0x0000000000400000-0x000000000047C000-memory.dmp (filesize 496KB)
- memory/2896-157-0x0000000000000000-mapping.dmp
- memory/3184-158-0x0000000000000000-mapping.dmp
- memory/3184-160-0x0000000000400000-0x0000000001860000-memory.dmp (filesize 20.4MB)
- memory/3184-161-0x0000000000400000-0x0000000001860000-memory.dmp (filesize 20.4MB)
- memory/3184-162-0x0000000004460000-0x0000000004461000-memory.dmp (filesize 4KB)
- memory/3228-146-0x00000238EDF60000-0x00000238EDF70000-memory.dmp (filesize 64KB)
- memory/3228-148-0x00000238F0C40000-0x00000238F0C44000-memory.dmp (filesize 16KB)
- memory/3228-147-0x00000238EE520000-0x00000238EE530000-memory.dmp (filesize 64KB)