Analysis
Max time kernel: 142s
Max time network: 120s
Platform: windows7_x64
Resource: win7-en-20211104
Submitted: 09-11-2021 02:28
Static task: static1
Behavioral task: behavioral1
Sample: 35ff5f54ce6916b53bddc3b3d4acb854.exe
Resource: win7-en-20211104
General
Target: 35ff5f54ce6916b53bddc3b3d4acb854.exe
Size: 3.3MB
MD5: 35ff5f54ce6916b53bddc3b3d4acb854
SHA1: f90ecfdef0c315285a43ee6f14717679916453cc
SHA256: 878ae0892199581e106ef623d98801cab28341b1b969eaeff6a3704c580dce76
SHA512: a79a316ce197ccab1f9090436195557420f833ecb2bb84e1f15ab60beb0d2bd0c3d9b013b22c38ba3f53d3c430ae0295c842c2ca288cfbda3514d0acfc24fec3
Malware Config
Signatures
-
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
-
Async RAT payload 2 IoCs
Processes:
Resource | YARA rule
behavioral1/memory/1616-93-0x0000000000AB0000-0x0000000000AD0000-memory.dmp | asyncrat
behavioral1/memory/1616-94-0x0000000000AE0000-0x0000000000AFE000-memory.dmp | asyncrat
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
PID | Process
1748 | 1.exe
940 | rtcupdater.exe
1616 | rtcupdater.exe
-
Modifies Installed Components in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 35ff5f54ce6916b53bddc3b3d4acb854.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 35ff5f54ce6916b53bddc3b3d4acb854.exe
-
Loads dropped DLL 3 IoCs
Processes:
PID | Process
1592 | 35ff5f54ce6916b53bddc3b3d4acb854.exe
1748 | 1.exe
940 | rtcupdater.exe
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
Resource | YARA rule
behavioral1/memory/1748-69-0x00000000041D0000-0x00000000041F1000-memory.dmp | agile_net
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Resource | YARA rule
behavioral1/memory/1592-59-0x0000000000F60000-0x0000000000F61000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtcupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Root\\rtcupdater.exe" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 IoCs
Processes:
Description | IoC | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 35ff5f54ce6916b53bddc3b3d4acb854.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
PID | Process
1592 | 35ff5f54ce6916b53bddc3b3d4acb854.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Description | PID | Process | Target process
PID 940 set thread context of 1616 | 940 | rtcupdater.exe | rtcupdater.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 5 IoCs
Processes:
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-103686315-404690609-2047157615-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
PID | Process | Count
1592 | 35ff5f54ce6916b53bddc3b3d4acb854.exe | 2
1748 | 1.exe | 3
940 | rtcupdater.exe | 2
1616 | rtcupdater.exe | 1
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
Processes:
Description | PID | Process | Count
Token: SeDebugPrivilege | 1592 | 35ff5f54ce6916b53bddc3b3d4acb854.exe | 1
Token: SeDebugPrivilege | 1748 | 1.exe | 1
Token: SeDebugPrivilege | 940 | rtcupdater.exe | 1
Token: SeDebugPrivilege | 1616 | rtcupdater.exe | 1
Token: SeShutdownPrivilege | 1012 | explorer.exe | 10
Token: 33 | 856 | AUDIODG.EXE | 2
Token: SeIncBasePriorityPrivilege | 856 | AUDIODG.EXE | 2
-
Suspicious use of FindShellTrayWindow 24 IoCs
Processes:
PID | Process | Count
1012 | explorer.exe | 24 (identical entries collapsed)
-
Suspicious use of SendNotifyMessage 25 IoCs
Processes:
PID | Process | Count
1012 | explorer.exe | 25 (identical entries collapsed)
-
Suspicious use of WriteProcessMemory 39 IoCs
Processes:
Description | PID | Process | Target process | Count
PID 1592 wrote to memory of 1748 | 1592 | 35ff5f54ce6916b53bddc3b3d4acb854.exe | 1.exe | 4
PID 1748 wrote to memory of 1772 | 1748 | 1.exe | cmd.exe | 4
PID 1772 wrote to memory of 328 | 1772 | cmd.exe | reg.exe | 4
PID 1748 wrote to memory of 940 | 1748 | 1.exe | rtcupdater.exe | 7
PID 940 wrote to memory of 1616 | 940 | rtcupdater.exe | rtcupdater.exe | 13
PID 1616 wrote to memory of 1012 | 1616 | rtcupdater.exe | explorer.exe | 4
PID 1012 wrote to memory of 2024 | 1012 | explorer.exe | ctfmon.exe | 3
Processes (number in brackets is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\35ff5f54ce6916b53bddc3b3d4acb854.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\35ff5f54ce6916b53bddc3b3d4acb854.exe"
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "rtcupdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\reg.exe
                Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "rtcupdater" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
                - Adds Run key to start application
        [3] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
                Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe"
                - Executes dropped EXE
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\explorer.exe
                    Command line: "C:\Windows\explorer.exe"
                    - Modifies registry class
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
                    - Suspicious use of WriteProcessMemory
                    [6] C:\Windows\system32\ctfmon.exe
                        Command line: ctfmon.exe
[1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x510
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files (the report lists the following paths; all four carry the same hashes, so the repeated hash entries are collapsed below):
- C:\Users\Admin\AppData\Local\Temp\1.exe
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
- \Users\Admin\AppData\Local\Temp\1.exe
- \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Root\rtcupdater.exe
MD5: 93f2ef7ece667948d903fd81a9c93dae
SHA1: 33a83a4a6d582c20c44719df67815455ec4f789c
SHA256: 78b4ba3aaf358440be7212cb23b8ca6c3f4fef477436b52c483185d4b90a8dda
SHA512: 793a9521600f50d127556ab7c46929faddc74e23cdbee49ec914a1502f346d7a3513036ee8d9c8d8c31112325217951b5e60df07093e5b6f3d0d3fc7148d2a4a
Memory dumps (file size where the report gives one):
memory/328-71-0x0000000000000000-mapping.dmp
memory/940-82-0x0000000001040000-0x000000000104B000-memory.dmp (44KB)
memory/940-83-0x0000000001090000-0x0000000001091000-memory.dmp (4KB)
memory/940-74-0x0000000000000000-mapping.dmp
memory/940-77-0x0000000001140000-0x0000000001141000-memory.dmp (4KB)
memory/940-79-0x00000000048B0000-0x00000000048B1000-memory.dmp (4KB)
memory/940-81-0x00000000048B1000-0x00000000048B2000-memory.dmp (4KB)
memory/1012-102-0x0000000003D10000-0x0000000003D11000-memory.dmp (4KB)
memory/1012-100-0x000007FEFB761000-0x000007FEFB763000-memory.dmp (8KB)
memory/1012-99-0x0000000000000000-mapping.dmp
memory/1592-59-0x0000000000F60000-0x0000000000F61000-memory.dmp (4KB)
memory/1592-61-0x0000000004EC0000-0x0000000004EC1000-memory.dmp (4KB)
memory/1592-55-0x0000000074F01000-0x0000000074F03000-memory.dmp (8KB)
memory/1616-87-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-96-0x00000000010E1000-0x00000000010E2000-memory.dmp (4KB)
memory/1616-86-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-98-0x00000000010E3000-0x00000000010E4000-memory.dmp (4KB)
memory/1616-85-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-88-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-89-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-90-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-91-0x000000000040CD2F-mapping.dmp
memory/1616-95-0x0000000000400000-0x0000000000437000-memory.dmp (220KB)
memory/1616-93-0x0000000000AB0000-0x0000000000AD0000-memory.dmp (128KB)
memory/1616-94-0x0000000000AE0000-0x0000000000AFE000-memory.dmp (120KB)
memory/1616-97-0x00000000010E2000-0x00000000010E3000-memory.dmp (4KB)
memory/1748-63-0x0000000000000000-mapping.dmp
memory/1748-66-0x00000000001D0000-0x00000000001D1000-memory.dmp (4KB)
memory/1748-68-0x00000000048C0000-0x00000000048C1000-memory.dmp (4KB)
memory/1748-72-0x00000000048C1000-0x00000000048C2000-memory.dmp (4KB)
memory/1748-69-0x00000000041D0000-0x00000000041F1000-memory.dmp (132KB)
memory/1772-70-0x0000000000000000-mapping.dmp
memory/2024-101-0x0000000000000000-mapping.dmp