Analysis
Max time kernel: 75s
Max time network: 154s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 15-04-2022 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
  Resource: win10v2004-20220414-en
General
Target: 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
Size: 1.1MB
MD5: 78daff0be38c4b6167fc039095fbfe2f
SHA1: 8a01f87a55b6d6aeb891f28d55e4c51873e58f73
SHA256: 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb
SHA512: 2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    PID 2028  WindowsUpdate.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    Key value queried  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  by 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe"  by 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"  by 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"  by WindowsUpdate.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
  Processes:
    PID 828   332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe  (6 events)
    PID 2028  WindowsUpdate.exe  (4 events)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (42 IoCs)
  Processes:
    PID 828   332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe  (20 events)
    PID 2028  WindowsUpdate.exe  (22 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege  PID 828   332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
    Token: SeDebugPrivilege  PID 2028  WindowsUpdate.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    PID 828   332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe  (3 events)
    PID 2028  WindowsUpdate.exe  (3 events)

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    PID 828 (332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe) wrote to memory of PID 2028, procid_target 78  (3 events)
Processes

C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb.exe"
  PID: 828
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child process:
  C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    PID: 2028
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.1MB
MD5: 78daff0be38c4b6167fc039095fbfe2f
SHA1: 8a01f87a55b6d6aeb891f28d55e4c51873e58f73
SHA256: 332264c28d80cd77013a04230ee1a669ab146d7958d02c894d3381012a0ea2cb
SHA512: 2206ce045a59d6758bac3a441b8d3f67a3516f2d7dcd81c6670734b5553a03467f019907f09fe6137697e797d60639cea434dd7842eb7c73fafe0e95e353a020

Filesize: 17KB
MD5: 89dd6e72358a669b7d6e2348307a7af7
SHA1: 0db348f3c6114a45d71f4d218e0e088b71c7bb0a
SHA256: ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
SHA512: 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b