Analysis
max time kernel: 78s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 15-04-2022 02:08

Static task: static1
Behavioral task: behavioral1
  Sample: a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
  Resource: win10v2004-20220414-en
General
Target: a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
Size: 1.1MB
MD5: 9fd83afa4f050599f081eaa6b36b380c
SHA1: f062d2cbeaf4395d2335665ad57477c4949b3260
SHA256: a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e
SHA512: 62a3f682fcf14eee14537552977f5906f50dd3e29598feaf8c90b285abc7484e432a843e5cf5621d72322e7de35a812b2421e50de2ff1f93dbb66a3daa0b7420
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
  PID 1124  WindowsUpdate.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
    by a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe"
    by a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
    by a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"
    by WindowsUpdate.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (10 IoCs)
Processes:
  PID 4968  a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe  (3 events)
  PID 1124  WindowsUpdate.exe  (7 events)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (40 IoCs)
Processes:
  PID 4968  a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe  (20 events)
  PID 1124  WindowsUpdate.exe  (20 events)
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 4968  a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe
  Token: SeDebugPrivilege  PID 1124  WindowsUpdate.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes:
  PID 4968  a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe  (3 events)
  PID 1124  WindowsUpdate.exe  (3 events)
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  PID 4968 wrote to memory of 1124  (source PID 4968, a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe, procid_target 79)  (3 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe  (PID 4968)
   Command line: "C:\Users\Admin\AppData\Local\Temp\a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e.exe"
   - Checks computer location settings
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe  (PID 1124, child of PID 4968)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 1.1MB
MD5: 9fd83afa4f050599f081eaa6b36b380c
SHA1: f062d2cbeaf4395d2335665ad57477c4949b3260
SHA256: a6fdf220e34bf901c136a5528548f28da6c71f2cf62e97a07a9ccf8408a06f8e
SHA512: 62a3f682fcf14eee14537552977f5906f50dd3e29598feaf8c90b285abc7484e432a843e5cf5621d72322e7de35a812b2421e50de2ff1f93dbb66a3daa0b7420

Filesize: 17KB
MD5: 89dd6e72358a669b7d6e2348307a7af7
SHA1: 0db348f3c6114a45d71f4d218e0e088b71c7bb0a
SHA256: ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
SHA512: 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b