82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

General

Target

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Size

371KB
MD5

8da70b07970cfa92d731183c78734056
SHA1

596f5da72da49e8ba0803153d440ce2290384b9e
SHA256

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee
SHA512

9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

CompPkgSup.exeCompPkgSup.exeCompPkgSup.exeCompPkgSup.exe

pid process

2980 CompPkgSup.exe
1708 CompPkgSup.exe
1472 CompPkgSup.exe
1776 CompPkgSup.exe

pid	process
2980	CompPkgSup.exe
1708	CompPkgSup.exe
1472	CompPkgSup.exe
1776	CompPkgSup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMI Update Service = "C:\\ProgramData\\Component Package Support\\CompPkgSup.exe"	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exe

description	pid	process	target process
PID 1080 set thread context of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 2980 set thread context of 1776	2980	CompPkgSup.exe	CompPkgSup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4540 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

CompPkgSup.exe

pid process

1776 CompPkgSup.exe

pid	process
4540	schtasks.exe

pid	process
1776	CompPkgSup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exeCompPkgSup.exe

pid	process
1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
2980	CompPkgSup.exe
2980	CompPkgSup.exe
2980	CompPkgSup.exe
2980	CompPkgSup.exe
2980	CompPkgSup.exe
1708	CompPkgSup.exe
1708	CompPkgSup.exe
1708	CompPkgSup.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exeCompPkgSup.exeCompPkgSup.exe

description	pid	process
Token: SeDebugPrivilege	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Token: SeDebugPrivilege	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
Token: SeDebugPrivilege	2980	CompPkgSup.exe
Token: SeDebugPrivilege	1708	CompPkgSup.exe
Token: SeDebugPrivilege	1776	CompPkgSup.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exeCompPkgSup.exe

description	pid	process	target process
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 1080 wrote to memory of 4420	1080	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
PID 4420 wrote to memory of 2980	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 4420 wrote to memory of 2980	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 4420 wrote to memory of 2980	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	CompPkgSup.exe
PID 4420 wrote to memory of 4540	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 4420 wrote to memory of 4540	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 4420 wrote to memory of 4540	4420	82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe	schtasks.exe
PID 2980 wrote to memory of 1472	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1472	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1472	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe
PID 2980 wrote to memory of 1776	2980	CompPkgSup.exe	CompPkgSup.exe

C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
"C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe
"{path}"
2⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4420

C:\ProgramData\Component Package Support\CompPkgSup.exe
"C:\ProgramData\Component Package Support\CompPkgSup.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\ProgramData\Component Package Support\CompPkgSup.exe
"{path}"
4⤵
- Executes dropped EXE
PID:1472

C:\ProgramData\Component Package Support\CompPkgSup.exe
"{path}"
4⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "WMI Services" /tr "C:\ProgramData\Component Package Support\CompPkgSup.exe" /f
3⤵
- Creates scheduled task(s)
PID:4540

C:\ProgramData\Component Package Support\CompPkgSup.exe
"C:\ProgramData\Component Package Support\CompPkgSup.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1708

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
371KB

MD5
8da70b07970cfa92d731183c78734056

SHA1
596f5da72da49e8ba0803153d440ce2290384b9e

SHA256
82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

SHA512
9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
371KB

MD5
8da70b07970cfa92d731183c78734056

SHA1
596f5da72da49e8ba0803153d440ce2290384b9e

SHA256
82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

SHA512
9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
371KB

MD5
8da70b07970cfa92d731183c78734056

SHA1
596f5da72da49e8ba0803153d440ce2290384b9e

SHA256
82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee

SHA512
9dff1a721f4709f6a8d9fd409a894f0c851bdd363eba1750f48b45b0d297ba5675ef9092730d2204984a1b6608d5836c359d81a3c515509a52a936aaae7a37cc

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
92KB

MD5
81f33d8ed0e4d381fb668de53f4f2b57

SHA1
eadd3c6b663d5a0ef2f50e1762ac16c5b3634f01

SHA256
fb52420a18a4557da25e8f339327470b6c3a177944e6873c5a3e0f79763151ee

SHA512
5d645f27182316fdbd7a5f9c7cd6fecd9793652b1b83973b41493de27e4ebb9a93c589b3fde93783cbfe1439afd1cf3533fc89e7cc8197aee5db992222e2407d

Download Submit
C:\ProgramData\Component Package Support\CompPkgSup.exe
Filesize
92KB

MD5
81f33d8ed0e4d381fb668de53f4f2b57

SHA1
eadd3c6b663d5a0ef2f50e1762ac16c5b3634f01

SHA256
fb52420a18a4557da25e8f339327470b6c3a177944e6873c5a3e0f79763151ee

SHA512
5d645f27182316fdbd7a5f9c7cd6fecd9793652b1b83973b41493de27e4ebb9a93c589b3fde93783cbfe1439afd1cf3533fc89e7cc8197aee5db992222e2407d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\82d9ab0e273c313abb19ba3e24902ca8b23e7ab89adfed197dadbec0e69f8bee.exe.log
Filesize
507B

MD5
9e402db53616b577d6b2ac678cf77274

SHA1
6664f7907c9b7fbb467ec3985f29aa52145f8125

SHA256
7cfe335d33a5b6eebba6bcabd2542f0edcdfed7575fafae135e34b5e1fba5a99

SHA512
f7c9b91c8ddbc3b5b610c99a3f5b17641c4dd8f9bf59cd4b77ee024a40ad0b63096f15d9a91b740baa2cd00539e3b7c024ff3e1038d237a0e4ac1b5de07dbc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CompPkgSup.exe.log
Filesize
507B

MD5
9e402db53616b577d6b2ac678cf77274

SHA1
6664f7907c9b7fbb467ec3985f29aa52145f8125

SHA256
7cfe335d33a5b6eebba6bcabd2542f0edcdfed7575fafae135e34b5e1fba5a99

SHA512
f7c9b91c8ddbc3b5b610c99a3f5b17641c4dd8f9bf59cd4b77ee024a40ad0b63096f15d9a91b740baa2cd00539e3b7c024ff3e1038d237a0e4ac1b5de07dbc71

Download Submit
memory/1080-130-0x0000000000F50000-0x0000000000FB0000-memory.dmp

Filesize
384KB

Download
memory/1080-133-0x0000000006960000-0x0000000006F04000-memory.dmp

Filesize
5.6MB

Download
memory/1080-132-0x0000000005DD0000-0x0000000005E62000-memory.dmp

Filesize
584KB

Download
memory/1080-131-0x0000000005C90000-0x0000000005D2C000-memory.dmp

Filesize
624KB

Download
memory/1472-166-0x0000000000000000-mapping.dmp

Download
memory/1776-168-0x0000000000000000-mapping.dmp

Download
memory/1776-196-0x0000000005FD0000-0x0000000005FDA000-memory.dmp

Filesize
40KB

Download
memory/2980-161-0x0000000000000000-mapping.dmp

Download
memory/4420-152-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-149-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-144-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-142-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-141-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-147-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-151-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-155-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-157-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-158-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-160-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-139-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4420-134-0x0000000000000000-mapping.dmp

Download
memory/4540-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads