Analysis
- max time kernel: 60s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 15-04-2022 02:08
Static task: static1
Behavioral task: behavioral1
  Sample: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
  Resource: win10v2004-20220414-en
General
- Target: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
- Size: 325KB
- MD5: 08359645bddd0dfb58c44cd2e04031a3
- SHA1: 3ce31c0da59dd222facd81e2bb3d251165430154
- SHA256: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
- SHA512: 8321166bc96199634da034ef79e8f51a3e0dd007bb7dc8cdafb45fba75a9e6713c85ee6d14182d7fc49b9df722eb6bb0a3ae249864defa268716c6d8e85a0400
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: WindowsUpdate.exe
  PID 1664: WindowsUpdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation (by ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe)
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe, WindowsUpdate.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" (by ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" (by WindowsUpdate.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe" (by ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (40 IoCs)
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe, WindowsUpdate.exe
  PID 400: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe (20 events)
  PID 1664: WindowsUpdate.exe (20 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe, WindowsUpdate.exe
  Token: SeDebugPrivilege, PID 400: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
  Token: SeDebugPrivilege, PID 1664: WindowsUpdate.exe
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe, WindowsUpdate.exe
  PID 400: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe (2 events)
  PID 1664: WindowsUpdate.exe (2 events)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe
  PID 400 wrote to memory of 1664 (ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe, procid_target 77), 3 events
Processes
- C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe (PID 400)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe (PID 1664)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 325KB
  MD5: 08359645bddd0dfb58c44cd2e04031a3
  SHA1: 3ce31c0da59dd222facd81e2bb3d251165430154
  SHA256: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
  SHA512: 8321166bc96199634da034ef79e8f51a3e0dd007bb7dc8cdafb45fba75a9e6713c85ee6d14182d7fc49b9df722eb6bb0a3ae249864defa268716c6d8e85a0400
- Filesize: 325KB
  MD5: 08359645bddd0dfb58c44cd2e04031a3
  SHA1: 3ce31c0da59dd222facd81e2bb3d251165430154
  SHA256: ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
  SHA512: 8321166bc96199634da034ef79e8f51a3e0dd007bb7dc8cdafb45fba75a9e6713c85ee6d14182d7fc49b9df722eb6bb0a3ae249864defa268716c6d8e85a0400
- Filesize: 17KB
  MD5: 89dd6e72358a669b7d6e2348307a7af7
  SHA1: 0db348f3c6114a45d71f4d218e0e088b71c7bb0a
  SHA256: ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
  SHA512: 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b