Overview

overview

10

Static

static

Software-u...56.exe

windows7_x64

8

Software-u...56.exe

windows7_x64

10

Software-u...56.exe

windows7_x64

8

Software-u...56.exe

windows11_x64

8

Software-u...56.exe

windows10_x64

10

Software-u...56.exe

windows10_x64

10

Software-u...56.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    167s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    21-10-2021 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Software-update-patc_579570356.exe

  • Size

    4.7MB

  • MD5

    c027026e244f74549a49e1f98216719c

  • SHA1

    9e9b4459e9225a432eef8f97b9193707dd7247b5

  • SHA256

    bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781

  • SHA512

    68953341f9dc46daae4e738bd4418bca5edb22035958ddba46de86cf6e44c8731f49f52763f3addc6e4d5a6cfcb48ee5b1345a2727ba7983b07a9322ae2713d7

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 20 IoCs
  • Drops file in Windows directory 6 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe
    "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp" /SL5="$300DE,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
        "C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59
        3⤵
        • Executes dropped EXE
        PID:3184
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
      PID:2744
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:3228
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
      1⤵
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        C:\Windows\uus\AMD64\MoUsoCoreWorker.exe
        2⤵
          PID:2896
      • C:\Windows\System32\WaaSMedicAgent.exe
        C:\Windows\System32\WaaSMedicAgent.exe c774ae850a147911a5db09a6d89eda2e bsSRGFB8/Uy8c9zPqT2v2Q.0.1.0.3.0
        1⤵
        • Modifies data under HKEY_USERS
        PID:3500

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
        MD5

        0c56ac590273d1feb7c0564c809915a5

        SHA1

        2a17747673000c17634113e634e4166152a88688

        SHA256

        850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e

        SHA512

        95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\is-O0FK6.tmp\_isetup\_iscrypt.dll
        MD5

        a69559718ab506675e907fe49deb71e9

        SHA1

        bc8f404ffdb1960b50c12ff9413c893b56f2e36f

        SHA256

        2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

        SHA512

        e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp
        MD5

        4caf2ca22417bb2cd44c0d0daf5fdd8b

        SHA1

        bdb2b86d9c033785c9b1db5618986030b2852ffd

        SHA256

        a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

        SHA512

        ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\is-ODM42.tmp\Software-update-patc_579570356.tmp
        MD5

        4caf2ca22417bb2cd44c0d0daf5fdd8b

        SHA1

        bdb2b86d9c033785c9b1db5618986030b2852ffd

        SHA256

        a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4

        SHA512

        ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

        Download Submit
      • memory/1352-156-0x00000000022C0000-0x00000000022C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1352-151-0x0000000000000000-mapping.dmp
        Download
      • memory/2876-154-0x0000000000400000-0x000000000047C000-memory.dmp
        Filesize

        496KB

        Download
      • memory/2896-157-0x0000000000000000-mapping.dmp
        Download
      • memory/3184-158-0x0000000000000000-mapping.dmp
        Download
      • memory/3184-160-0x0000000000400000-0x0000000001860000-memory.dmp
        Filesize

        20.4MB

        Download
      • memory/3184-161-0x0000000000400000-0x0000000001860000-memory.dmp
        Filesize

        20.4MB

        Download
      • memory/3184-162-0x0000000004460000-0x0000000004461000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3228-146-0x00000238EDF60000-0x00000238EDF70000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3228-148-0x00000238F0C40000-0x00000238F0C44000-memory.dmp
        Filesize

        16KB

        Download
      • memory/3228-147-0x00000238EE520000-0x00000238EE530000-memory.dmp
        Filesize

        64KB

        Download