Overview

overview

10

Static

static

8a1b2f098d...1f.exe

windows7_x64

10

8a1b2f098d...1f.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    160s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    03-02-2022 15:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe

  • Size

    332KB

  • MD5

    349d353065a260a6cb340666ae9d5f06

  • SHA1

    049c76e212e1e7368c368eb1b47bf18df84f2d61

  • SHA256

    8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f

  • SHA512

    ecd932d518ef32d2c6c25927c9f0298ab380651078df8b3c837ad7027875574b9bb2764f9ac22bc30d65f816313dbf77554b688bcbaec5a1519c0fa6f1fe5293

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe
    "C:\Users\Admin\AppData\Local\Temp\8a1b2f098dcf0dd3740ab243f02f83fd8b3129f3b88aa986d10ec4eeb183e01f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Program Files (x86)\udat\Crack.exe
      "C:\Program Files (x86)\udat\Crack.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:704
    • C:\Program Files (x86)\udat\super.exe
      "C:\Program Files (x86)\udat\super.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Users\Admin\AppData\Roaming\winlogon.exe
        "C:\Users\Admin\AppData\Roaming\winlogon.exe"
        3⤵
        • Executes dropped EXE
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1472
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\winlogon.exe" "winlogon.exe" ENABLE
          4⤵
            PID:4092
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:2096
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 2a275bebdb39eee968a8386397ce248f imhAM3Uzrk6gc/oKzN3D/Q.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1052
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:2176

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Modify Existing Service

    1
    T1031

    Registry Run Keys / Startup Folder

    2
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\udat\Crack.exe
      MD5

      1c626edcdad864d70de9befdf08bf9c1

      SHA1

      cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

      SHA256

      e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

      SHA512

      b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

      Download Submit
    • C:\Program Files (x86)\udat\Crack.exe
      MD5

      1c626edcdad864d70de9befdf08bf9c1

      SHA1

      cb934d5bfeb4ace53c76b5c3e3f20b3d2266ee6e

      SHA256

      e567c91c039b624b4a4d0adceb6879edd9ab834ff6048484ac1c7db4d6cbdf4a

      SHA512

      b02e1c9d5d043f1393b3e1e1b431e87a8713618abd2cc9f8264132acc6c1f619f11cb40823aa3bc306073132d5b4b3141b6f21f418ea4bbd31bbd825c6305ab9

      Download Submit
    • C:\Program Files (x86)\udat\super.exe
      MD5

      a82bd9f52870c56eaf1c5b671675fde3

      SHA1

      497194d1414df0581ea12da2f38c3da71ef81b70

      SHA256

      99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

      SHA512

      eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

      Download Submit
    • C:\Program Files (x86)\udat\super.exe
      MD5

      a82bd9f52870c56eaf1c5b671675fde3

      SHA1

      497194d1414df0581ea12da2f38c3da71ef81b70

      SHA256

      99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

      SHA512

      eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\winlogon.exe
      MD5

      a82bd9f52870c56eaf1c5b671675fde3

      SHA1

      497194d1414df0581ea12da2f38c3da71ef81b70

      SHA256

      99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

      SHA512

      eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

      Download Submit
    • C:\Users\Admin\AppData\Roaming\winlogon.exe
      MD5

      a82bd9f52870c56eaf1c5b671675fde3

      SHA1

      497194d1414df0581ea12da2f38c3da71ef81b70

      SHA256

      99a7428f70a6f74c5711f052932f92fc0cc6b89f9d9d010df46b65bfef154df0

      SHA512

      eeae72ad2cf725a82f8fc5384de4e65e4175ff18069e07017ede5b615499cef4a7b123ff00e43b21c7c2860a92a36fe358d80965c37ada51cba0ace8ffe937c7

      Download Submit
    • memory/1472-263-0x00000000052A0000-0x00000000052A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1472-264-0x0000000005390000-0x0000000005422000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1472-265-0x0000000005310000-0x000000000531A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3296-259-0x0000000004AC0000-0x0000000004AC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3296-260-0x0000000005320000-0x00000000058C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3296-202-0x0000000004AD0000-0x0000000004B6C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3296-134-0x00000000000A0000-0x00000000000DE000-memory.dmp
      Filesize

      248KB

      Download