Analysis
- max time kernel: 49s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-04-2022 02:08

Static task: static1
Behavioral task: behavioral1
- Sample: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
- Resource: win10v2004-20220414-en
General
- Target: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
- Size: 1.1MB
- MD5: a85d38af1a94e238abddb11e66d6f673
- SHA1: 36c3966ca74f3c4a4f3988717fb701570c70486f
- SHA256: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd
- SHA512: 6856f1827210ce9ecdb4dd2c503ed5a9cf0774e69a93826fa0e5c0f774186d83161dbe25bbf93397f8fdaf4af0f1699daeaf857cd2c28e717858e0e518ce5092
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3036 | WindowsUpdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe, WindowsUpdate.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe" | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" | WindowsUpdate.exe
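The Run-key writes above are the part of this sample's behaviour that host telemetry catches most reliably: Sysmon Event ID 13 (RegistryEvent, Value Set) records the writing process (Image), the key and value name (TargetObject) and the data written (Details). The Geo\Nation lookup, by contrast, is a registry read, which Sysmon does not log. The detector below is an added example, not part of the sandbox report or its tooling; its event records are constructed from the IoCs above rather than taken from real telemetry, and the list of borrowed Windows component names and the two-reason alert threshold are assumptions chosen for illustration.

```python
"""Score Sysmon Event ID 13 records for HKCU Run-key persistence like the sample above."""
import re

SID = "S-1-5-21-1809750270-3141839489-3074374771-1000"
RUN_KEY = "HKU\\" + SID + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe")
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
VALUE_NAME = "530aa54a7f8da22dfa9151c567c09315"

# Constructed events (not real telemetry): the three Run-key writes from the report,
# one benign installer autorun for comparison, and one unrelated value write.
EVENTS = [
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY + "\\" + VALUE_NAME, "Details": SAMPLE},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": RUN_KEY + "\\" + VALUE_NAME, "Details": DROPPED},
    {"EventID": 13, "Image": DROPPED, "TargetObject": RUN_KEY + "\\" + VALUE_NAME, "Details": DROPPED},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": RUN_KEY + r"\VendorTray", "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": "HKU\\" + SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData\\(Local|Roaming)|Users\\Public|ProgramData)\\", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.I)
# Assumption: a short illustrative list of Windows component names malware likes to borrow.
LOOKALIKE_NAMES = {"windowsupdate.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


def autorun_target(details):
    """Return the executable path named in Run-key value data, or None if there is none."""
    m = EXE_RE.search(details)
    return m.group(1) if m else None


def assess(event):
    """Score one Sysmon Event ID 13 record; None when it is not a Run/RunOnce write."""
    if event.get("EventID") != 13:
        return None
    key = RUN_KEY_RE.search(event["TargetObject"])
    if not key:
        return None
    value_name = key.group(2)
    exe = autorun_target(event["Details"])
    reasons = []
    if exe and USER_WRITABLE_RE.search(exe):
        reasons.append("autorun target lives in a user-writable directory")
    if HEX32_RE.match(value_name):
        reasons.append("value name is an opaque 32-hex-character token")
    if exe:
        basename = exe.rsplit("\\", 1)[-1].lower()
        if basename in LOOKALIKE_NAMES and not exe.lower().startswith("c:\\windows\\"):
            reasons.append("Windows-component filename outside C:\\Windows")
        if exe.lower() != event["Image"].lower():
            reasons.append("writer registers a binary other than itself")
    return {"image": event["Image"], "value_name": value_name, "target": exe,
            "reasons": reasons, "score": len(reasons)}


def hunt(events, threshold=2):
    """Return findings whose score reaches the threshold, in event order."""
    findings = []
    for ev in events:
        f = assess(ev)
        if f and f["score"] >= threshold:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f["score"], f["value_name"], f["target"], "; ".join(f["reasons"]))
```

Run as-is, the three writes from the report score 2, 4 and 3 (the write that registers the dropped WindowsUpdate.exe from the original sample trips every reason), while the installer example scores 1 for registering a binary other than itself and stays below the threshold. The opaque hex value name is the cheapest pivot for a wider hunt, since it is stable across the three writes and both processes.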
- Suspicious use of NtSetInformationThreadHideFromDebugger (7 IoCs)
  Processes:
  pid | process | IoCs
  1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 3
  3036 | WindowsUpdate.exe | 4
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Flagged by the sandbox as likely ransomware behaviour; this is a generic heuristic, and no other signature in this report supports a ransomware classification.
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes:
  pid | process | IoCs
  1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 20
  3036 | WindowsUpdate.exe | 20
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
  Token: SeDebugPrivilege | 3036 | WindowsUpdate.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  pid | process | IoCs
  1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 3
  3036 | WindowsUpdate.exe | 3
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | procid_target
  PID 1620 wrote to memory of 3036 | 1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 80
  PID 1620 wrote to memory of 3036 | 1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 80
  PID 1620 wrote to memory of 3036 | 1620 | b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe | 80
Processes
- C:\Users\Admin\AppData\Local\Temp\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd.exe"
  PID: 1620
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (child of PID 1620)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    PID: 3036
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.1MB
  MD5: a85d38af1a94e238abddb11e66d6f673
  SHA1: 36c3966ca74f3c4a4f3988717fb701570c70486f
  SHA256: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd
  SHA512: 6856f1827210ce9ecdb4dd2c503ed5a9cf0774e69a93826fa0e5c0f774186d83161dbe25bbf93397f8fdaf4af0f1699daeaf857cd2c28e717858e0e518ce5092
- Filesize: 1.1MB (hashes identical to the submitted sample and to the entry above)
  MD5: a85d38af1a94e238abddb11e66d6f673
  SHA1: 36c3966ca74f3c4a4f3988717fb701570c70486f
  SHA256: b666453202660a3a6d28743b422d66ad1f3c02f0eae99c4d9e899ca3eade70fd
  SHA512: 6856f1827210ce9ecdb4dd2c503ed5a9cf0774e69a93826fa0e5c0f774186d83161dbe25bbf93397f8fdaf4af0f1699daeaf857cd2c28e717858e0e518ce5092
- Filesize: 17KB
  MD5: 89dd6e72358a669b7d6e2348307a7af7
  SHA1: 0db348f3c6114a45d71f4d218e0e088b71c7bb0a
  SHA256: ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
  SHA512: 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b