Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 19:16
Behavioral task: behavioral1
- Sample: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe
- Resource: win7-20220414-en
General
- Target: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe
- Size: 254KB
- MD5: 175f2d9aebc4ac568a483a86af5e2188
- SHA1: 1883c73576b01e32c59643f00730906058795175
- SHA256: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3
- SHA512: c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\app\\update.exe"
Note: the Windows default for UserInit is the single entry "C:\Windows\system32\userinit.exe," (trailing comma included). Winlogon launches every comma-separated entry at logon, so the appended path starts the dropped copy for any user who logs on to the machine, independently of the per-user Run key, and it keeps working after the original sample in %TEMP% is deleted. When triaging a host, compare the value against the default rather than grepping for update.exe.
-
Modifies security service (2 TTPs, 1 IoC)
Process: update.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Note: Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will not start on the next boot. Changing the start type does not by itself stop an instance that is already running; the report shows no service-control call doing that.
-
Disables RegEdit via registry modification
No IoC lines are attached to this signature in the report; the only policy value actually written in the trace is NoControlPanel (see "System policy modification" below), so treat this heading as unconfirmed.
-
Executes dropped EXE (1 IoC)
Process: update.exe (PID 4172)
-
Dropped file matches YARA rule upx (2 IoCs)
Resource: C:\Users\Admin\AppData\Roaming\app\update.exe, rule upx (listed twice). The report's heading for this signature did not survive extraction; the rule name is what the page shows. Because update.exe carries the same hashes as the submitted sample (see Downloads), the original sample is UPX-packed as well, so static strings and imports should be taken from an unpacked copy.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe
- Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Windows security modification (2 IoCs)
Process: update.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Note: this signature's heading is taken from the process tree below, where it is listed against update.exe. The WOW6432Node component shows that a 32-bit process wrote these values and that WOW64 registry redirection placed them in the 32-bit view of HKLM\SOFTWARE; the 64-bit Security Center service reads the native view, so on this x64 host the notification suppression is unlikely to have any effect. Both paths are still good host indicators.
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe, update.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\app\\update.exe" (written by 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe)
- The same value is written again by update.exe, so the dropped copy re-establishes the Run entry on every start.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report's generic description calls this "likely ransomware behaviour"; nothing else in this trace (no file encryption, renaming, shadow-copy deletion or note drop) supports that reading, so weight this signature accordingly.
-
Modifies registry class (1 IoC)
Process: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe (PID 1228), update.exe (PID 4172)
Each of the two processes adjusts the same 24 privileges on its token, in the same order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the four the sandbox reports only by LUID: 33 (SeIncreaseWorkingSetPrivilege), 34 (SeTimeZonePrivilege), 35 (SeCreateSymbolicLinkPrivilege) and 36 (SeDelegateSessionUserImpersonatePrivilege). 2 processes x 24 privileges = 48 IoCs.
Note: this list is exactly the privilege set of an elevated administrator token, so the sample ran with admin rights in the sandbox and simply enabled everything the token already held. AdjustTokenPrivileges cannot add privileges a token lacks, so the sweep is a noisy tell rather than an elevation; the privilege that matters for what follows is SeDebugPrivilege, which the WriteProcessMemory activity below draws on.
-
Suspicious use of SetWindowsHookEx (1 IoC)
Process: update.exe (PID 4172)
-
Suspicious use of WriteProcessMemory (54 IoCs)
Processes: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe, cmd.exe, cmd.exe, update.exe
The 54 entries collapse to seven parent/target pairs (source PID and image, target PID and image, number of writes):
- 1228 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe -> 3164 cmd.exe: 3
- 1228 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe -> 3244 cmd.exe: 3
- 1228 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe -> 2516 notepad.exe: 17
- 3164 cmd.exe -> 3232 attrib.exe: 3
- 3244 cmd.exe -> 2664 attrib.exe: 3
- 1228 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe -> 4172 update.exe: 3
- 4172 update.exe -> 2624 notepad.exe: 22
Note: every child that was merely started (cmd.exe, attrib.exe, update.exe) shows exactly three writes, the amount process creation itself accounts for in this trace. The two notepad.exe children, each launched with the bare command line "notepad" and carrying no signatures of their own, receive 17 and 22 writes from their parent. That pattern is consistent with the parent creating notepad.exe as a host and writing a payload into it rather than using it as an editor; the dumps memory/2516-132-0x0000000000000000-mapping.dmp and memory/2624-138-0x0000000000000000-mapping.dmp listed at the end of the report are the artifacts to examine for that payload.
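The aggregation above can be automated. The following is an added example, not part of the sandbox's tooling or the sample: it reads lines in the report's "PID A wrote to memory of B A image_A image_B" shape, counts writes per parent/target pair, and flags pairs that exceed the number of writes plain process creation produced in this trace. The input is constructed to reproduce this report's 54 entries, with the sample's SHA256 file name shortened to sample.exe; the creation baseline of three is an assumption measured from this one report, not a Windows constant.

```python
"""Summarize sandbox WriteProcessMemory entries per parent/target pair and flag
targets written to more often than process creation alone explains."""
import re
from collections import Counter
from typing import Dict, List, Tuple

_LINE = re.compile(r'^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$')

# (source pid, source image, target pid, target image, entries) as tallied
# from this report's WriteProcessMemory section; sample.exe stands in for the
# sample's SHA256 file name.
_PAIRS = [
    ('1228', 'sample.exe', '3164', 'cmd.exe', 3),
    ('1228', 'sample.exe', '3244', 'cmd.exe', 3),
    ('1228', 'sample.exe', '2516', 'notepad.exe', 17),
    ('3164', 'cmd.exe', '3232', 'attrib.exe', 3),
    ('3244', 'cmd.exe', '2664', 'attrib.exe', 3),
    ('1228', 'sample.exe', '4172', 'update.exe', 3),
    ('4172', 'update.exe', '2624', 'notepad.exe', 22),
]
# Constructed input: one report-style line per recorded write.
SAMPLE_LINES = [f'PID {s} wrote to memory of {t} {s} {si} {ti}'
                for s, si, t, ti, n in _PAIRS for _ in range(n)]

# Every merely-created child in this trace (cmd.exe, attrib.exe, update.exe)
# shows exactly three writes, so three is taken as the creation baseline.
# Assumption from this one report: re-measure it against a known-benign
# process start in the same sandbox/OS build before relying on it.
CREATE_BASELINE = 3

Pair = Tuple[str, str, str, str]  # source pid, source image, target pid, target image


def aggregate(lines) -> Dict[Pair, int]:
    """Count writes per (source, target) pair; non-matching lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # headers, wrapped fragments, separators
        src, tgt, src_img, tgt_img = m.groups()
        counts[(src, src_img, tgt, tgt_img)] += 1
    return dict(counts)


def injection_candidates(lines, baseline: int = CREATE_BASELINE) -> List[Tuple[Pair, int]]:
    """Pairs whose write count exceeds the creation baseline, busiest first."""
    ranked = sorted(aggregate(lines).items(), key=lambda kv: kv[1], reverse=True)
    return [(pair, n) for pair, n in ranked if n > baseline]


def dumps_for(pid: str, dump_names) -> List[str]:
    """Dump files whose leading number is the given PID, following the
    memory/<pid>-<n>-<base>-mapping.dmp names this report uses."""
    return [d for d in dump_names if re.match(rf'memory/{pid}-', d)]


if __name__ == '__main__':
    dumps = ['memory/2516-132-0x0000000000000000-mapping.dmp',
             'memory/2624-138-0x0000000000000000-mapping.dmp']
    for (src, si, tgt, ti), n in injection_candidates(SAMPLE_LINES):
        print(f'{si} ({src}) -> {ti} ({tgt}): {n} writes; dumps: {dumps_for(tgt, dumps)}')
```

Run against the constructed lines it reports only the two notepad.exe targets, each paired with the dump the sandbox took of it; the cmd.exe, attrib.exe and update.exe children stay at the baseline and are not listed.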
-
System policy modification (1 TTP, 3 IoCs)
Process: update.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
Note: the path is wrong for the policy it imitates. Windows reads NoControlPanel from HKLM (or HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer as a DWORD; the extra CurrentVersion component, the misspelt Explorern subkey and the string type mean this value is never consulted, so the Control Panel is not actually blocked. The signature fires on the value name, not on effect. The bogus key is nonetheless a precise host indicator, and the absence of WOW6432Node here is expected: the Policies key is one WOW64 shares between the 32- and 64-bit views.
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 3232), attrib.exe (PID 2664)
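The persistence and defense-evasion signatures above (Winlogon UserInit, the Run key, the wscsvc start type, the Security Center notify flags and the policy value) share one shape: a registry write whose key, value name and data together identify the technique. The following is an added example, not the sandbox's code or the sample's: a small classifier that parses registry-write lines in the form this report prints them, normalises the kernel paths (\REGISTRY\MACHINE to HKLM, \REGISTRY\USER to HKU, WOW6432Node folded away so one rule covers 32- and 64-bit writers) and tags each write. The sample lines are constructed from this report's IoCs plus one benign control line; the extra service names beyond wscsvc and the Run-path heuristic are the example's own generalisation, and the policy rule records whether the key written is one Windows actually reads.

```python
"""Tag sandbox-reported registry writes with the persistence and
defense-evasion technique they implement."""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE_EXE = '92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe'

# Constructed from this report's IoC lines (the doubled backslashes inside the
# quoted data are the report's own escaping). The last line is a benign
# control: UserInit left at its Windows default, which must not fire.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit'
    r' = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\app\\update.exe" ' + SAMPLE_EXE,
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" update.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" update.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate'
    r' = "C:\\Users\\Admin\\AppData\\Roaming\\app\\update.exe" update.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" update.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," setup.exe',
]


@dataclass(frozen=True)
class RegWrite:
    process: str
    key: str    # hive-prefixed key path with WOW6432Node folded away
    name: str
    data: str


def normalize_key(key: str) -> str:
    """Kernel object path -> hive prefix; fold the 32-bit WOW6432Node view."""
    for native, hive in (('\\REGISTRY\\MACHINE\\', 'HKLM\\'), ('\\REGISTRY\\USER\\', 'HKU\\')):
        if key.upper().startswith(native):
            key = hive + key[len(native):]
            break
    return re.sub(r'\\WOW6432Node(?=\\)', '', key, flags=re.IGNORECASE)


def parse_event(line: str) -> RegWrite:
    head, rest = line.split(' = "', 1)        # head: 'Set value (type) <key>\<name>'
    data, process = rest.rsplit('" ', 1)      # data keeps the report's "\\" escaping
    path = head.split(') ', 1)[1]
    key, name = path.rsplit('\\', 1)
    return RegWrite(process, normalize_key(key), name, data.replace('\\\\', '\\'))


# wscsvc is the service in this report; the others are the obvious siblings
# (Defender, firewall, Windows Update) and are the example's extension.
SECURITY_SERVICES = {'wscsvc', 'windefend', 'mpssvc', 'wuauserv'}
SERVICE_DISABLED = '4'
# Restriction value -> the key suffix Windows actually reads it from.
POLICY_HOME = {
    'nocontrolpanel': '\\policies\\explorer',
    'disableregistrytools': '\\policies\\system',
    'disabletaskmgr': '\\policies\\system',
}
USER_WRITABLE = re.compile(r'\\appdata\\|\\temp\\|\\programdata\\', re.IGNORECASE)


def classify(ev: RegWrite) -> List[Tuple[str, str]]:
    key, name = ev.key.lower(), ev.name.lower()
    hits: List[Tuple[str, str]] = []
    if key.endswith('\\microsoft\\windows nt\\currentversion\\winlogon') and name == 'userinit':
        # Winlogon runs every comma-separated entry; only userinit.exe belongs there.
        entries = [e.strip() for e in ev.data.split(',') if e.strip()]
        extra = [e for e in entries if not e.lower().endswith('\\system32\\userinit.exe')]
        if extra:
            hits.append(('persistence.winlogon_userinit', ';'.join(extra)))
    elif re.search(r'\\currentversion\\run(once)?$', key):
        hits.append(('persistence.run_key', f'{ev.name} -> {ev.data}'))
        if USER_WRITABLE.search(ev.data):
            hits.append(('persistence.run_key_user_writable_path', ev.data))
    elif '\\services\\' in key and name == 'start' and ev.data == SERVICE_DISABLED:
        svc = key.rsplit('\\', 1)[1]
        if svc in SECURITY_SERVICES:
            hits.append(('defense_evasion.security_service_disabled', svc))
    elif key.endswith('\\microsoft\\security center') and name.endswith('disablenotify') and ev.data == '1':
        hits.append(('defense_evasion.security_center_notify_suppressed', ev.name))
    elif '\\policies\\' in key and name in POLICY_HOME and ev.data == '1':
        # honored=False means Windows never reads this key (this report's
        # ...\Policies\CurrentVersion\Explorern path is such a case).
        honored = key.endswith(POLICY_HOME[name])
        hits.append(('defense_evasion.system_policy_restriction', f'{ev.name} at {ev.key} honored={honored}'))
    return hits


def scan(lines) -> List[Tuple[str, str, str]]:
    """(category, writing process, detail) for every flagged write."""
    return [(cat, ev.process, detail)
            for ev in map(parse_event, lines) for cat, detail in classify(ev)]


if __name__ == '__main__':
    for cat, proc, detail in scan(SAMPLE_EVENTS):
        print(f'{cat:48} {proc}  {detail}')
```

On this report's lines the scan yields six findings, two of them for the single Run-key write (the key itself and the fact that it points into AppData), and nothing for the control line. The UserInit rule compares against the default rather than looking for a known file name, which is what catches a fresh variant that drops under a different path.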
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe (PID 1228)
   command line: "C:\Users\Admin\AppData\Local\Temp\92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2⤵ C:\Windows\SysWOW64\cmd.exe (PID 3164)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe" +s +h
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\attrib.exe (PID 3232)
         command line: attrib "C:\Users\Admin\AppData\Local\Temp\92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3.exe" +s +h
         - Views/modifies file attributes
   2⤵ C:\Windows\SysWOW64\cmd.exe (PID 3244)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory
      3⤵ C:\Windows\SysWOW64\attrib.exe (PID 2664)
         command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
         - Views/modifies file attributes
   2⤵ C:\Windows\SysWOW64\notepad.exe (PID 2516)
      command line: notepad
   2⤵ C:\Users\Admin\AppData\Roaming\app\update.exe (PID 4172)
      command line: "C:\Users\Admin\AppData\Roaming\app\update.exe"
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      3⤵ C:\Windows\SysWOW64\notepad.exe (PID 2624)
         command line: notepad
Notes: PIDs come from the WriteProcessMemory section; the two cmd.exe/attrib.exe chains are matched to PIDs by listing order (3164/3232 first, 3244/2664 second), which the report does not state explicitly. The command lines name C:\Windows\System32\cmd.exe while the images loaded live under C:\Windows\SysWOW64: the sample is a 32-bit executable and WOW64 file-system redirection resolved the path, which is also why its HKLM\SOFTWARE writes appear under WOW6432Node. The two attrib +s +h commands mark the original sample and the whole C:\Users\Admin\AppData\Local\Temp directory as system and hidden, so neither shows in Explorer or a plain dir with default settings; use dir /a or attrib when looking for them. cmd.exe /k keeps each shell alive after attrib returns.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\app\update.exe (listed twice in the report)
- Filesize: 254KB
- MD5: 175f2d9aebc4ac568a483a86af5e2188
- SHA1: 1883c73576b01e32c59643f00730906058795175
- SHA256: 92760963e6eb5e27406510ce615900b7dd6d2ff618cd88f799bf0cb9ac387bb3
- SHA512: c1801bccb90550511c23524f01278232bed5e03a6e65b01c5d90d683830083d155a035efe1e5c6b64268f594d64b0d0a064a4eb2e5ec1b0fa9f53f517395ee15
Note: size and all four hashes are identical to the submitted sample, so update.exe is a byte-for-byte copy of the original executable rather than a decrypted second stage. A hash or YARA match for the sample therefore also covers the persisted copy in %APPDATA%\app.
memory/2516-132-0x0000000000000000-mapping.dmp
-
memory/2624-138-0x0000000000000000-mapping.dmp
-
memory/2664-134-0x0000000000000000-mapping.dmp
-
memory/3164-130-0x0000000000000000-mapping.dmp
-
memory/3232-133-0x0000000000000000-mapping.dmp
-
memory/3244-131-0x0000000000000000-mapping.dmp
-
memory/4172-135-0x0000000000000000-mapping.dmp