f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1

General

Target

f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
Size

96KB
MD5

160acdb0d86f849f9f47342ef3fe5f95
SHA1

c50c1e22b815ef0ba28b63fe70bfa06bd85c3e93
SHA256

f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1
SHA512

8fa729cf7f945d678e41b90928a294a2ec64b896039da6c2ebc232abcd28178c06dd9d4debe3deac9303ae5c85a0b067cc5679f7a6b2dcb9ca00d135b09a56a5
SSDEEP

1536:vTkzigHR3ShXPeT/YatdfI2lNYeT6JXOzVK9PAPGvP9Fk/a5NRdMe:A3YX0/XNjlNTT6dOGHP9Fk/avr1

Score

8^/10

vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	update.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4040-132-0x0000000000400000-0x0000000002E31000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\Comres.dll	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
File created	C:\windows\update.exe	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	2740	WerFault.exe	83

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\68A12DE4422589E97E1C6396FE17B5024FE0547A\Blob = 03000000010000001400000068a12de4422589e97e1c6396fe17b5024fe0547a2000000001000000600200003082025c308201c5a0030201020210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405003036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d204732301e170d3131303531393134333632345a170d3339313233313233353935395a3036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d20473230819f300d06092a864886f70d010101050003818d0030818902818100ae2150b067d03ac307c1d6cfb294b8e57d1ec3335542584552a96b7926d1b95483aa79a52165c6c18b4aa502ca2f736d2ea84a299def604899f8a50b9932200c00a32c187fdfed2fb767783c1d6c27e55fee9aeb5d7b1085cb8fcc151bdebcdbecc5748cbb451b20f5ecd9e197c154e477d9d5d6a0cf8e9dabaf4e07fbf5f79f0203010001a36b306930670603551d010460305e80102128591d26a9fe32d38e84450f52f750a1383036313430320603550403132b566572695369676e2054696d65205374616d70696e67205365727669636573205369676e6572202d2047328210a675093732e9e788423ec7ea62044de5300d06092a864886f70d01010405000381810069c4dcd3b8649bd6c952a0251d6a645c98c3d94ba7a9945992ee06fdbc1d36c53f9e4c77f25f77b6ad4df7599089a7d68cf89221fc49fda540341c833f692ee6cdd740da4b599e9a902c325b2de32d3657d8cf1206883b2e8296ab9c1d4ef406603a138ce17b8ee0740c990c99774f63fe8f8d5bd35d35591d2a3d6675b49967	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
Token: SeRestorePrivilege	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 2740	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	83
PID 4040 wrote to memory of 2740	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	83
PID 4040 wrote to memory of 2740	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	83
PID 4040 wrote to memory of 4912	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	86
PID 4040 wrote to memory of 4912	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	86
PID 4040 wrote to memory of 4912	4040	f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe	86

C:\Users\Admin\AppData\Local\Temp\f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe
"C:\Users\Admin\AppData\Local\Temp\f3195afb7dbb0b90dad896528070992736461fb400273c57bed1498896512cb1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\windows\update.exe
  "C:\windows\update.exe"
  2⤵
  - Executes dropped EXE
  PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 368
    3⤵
    - Program crash
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat
  2⤵
  PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2740 -ip 2740
1⤵
PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\afc9fe2f418b00a0.bat

Filesize
2KB

MD5
94b36f268cd343094fc1729b621cdb49

SHA1
1a88e26c6a07899b8c505ec70ebb0b6be02c4235

SHA256
536ae83d24100b1818307de4759d9bb4b776b6f9ff976914b2be966579d7a5e8

SHA512
9c0be04db3c4bc392a1a8ba05ebef883fd558da369ff1b90353c438bf2d29d088dc2915b6004f3cad149b7c1236330c190fccfc694245a336ffb02038d40eba7

Download Submit
C:\Windows\update.exe

Filesize
21.0MB

MD5
6b4ac8638169ce5a27885f1d65adf20f

SHA1
b662efbdff8557f1ea2c86c8c4a04e66cc9cb666

SHA256
8263ee0148924218221b6d20b30693aa40f48ecb9a9f8b06e8f8d26068191be4

SHA512
555213076ddd9bad3915a2a048025e57a55c4165a2cc69d51b3720bb71256f40e140851b3e8d353c8fd4bf074beb3c4d62690217d56fbd71834521812945122e

Download Submit
C:\windows\update.exe

Filesize
21.0MB

MD5
6b4ac8638169ce5a27885f1d65adf20f

SHA1
b662efbdff8557f1ea2c86c8c4a04e66cc9cb666

SHA256
8263ee0148924218221b6d20b30693aa40f48ecb9a9f8b06e8f8d26068191be4

SHA512
555213076ddd9bad3915a2a048025e57a55c4165a2cc69d51b3720bb71256f40e140851b3e8d353c8fd4bf074beb3c4d62690217d56fbd71834521812945122e

Download Submit
memory/2740-136-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4040-132-0x0000000000400000-0x0000000002E31000-memory.dmp

Filesize
42.2MB

Download

Analysis

Sharing