Analysis
max time kernel: 68s
max time network: 146s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 23-11-2022 10:46
Static task: static1
Behavioral task: behavioral1
  Sample: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
  Resource: win10v2004-20220812-en
General
Target: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
Size: 622KB
MD5: eaa69b398c4493bfe92f3db94df0801b
SHA1: 50a86dbb9fb1c8cd8b2ed11bac3e8ce48f295f4b
SHA256: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0
SHA512: c7d8035980512e2d64af48a7ae4a00d92ab7f418f7b7aa948e7e658433fcd58c2951b777252559c3ccffb9d1de91db2b261ea2f2cf924cd5b305686d3c3385ca
SSDEEP: 12288:dH4z6KQHwSjF/DNIs2JvpmhybhhEVil9KdxpwmjF/55c1tvpe:dcJYjRDzSBmOwiwNjR5mrBe
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Process: UpdaterService.exe (PID 1284)

Loads dropped DLL (10 IoCs)
  Process: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe (PID 1404), 10 DLL load events

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (10 IoCs)
  Process: 0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
  File created: C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe
  File created: C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
  File created: C:\Program Files (x86)\SoftwareUpdater\uninstall.exe
  File created: C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.config
  File created: C:\Program Files (x86)\SoftwareUpdater\KeyGen.dll
  File opened for modification: C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config
  File created: C:\Program Files (x86)\SoftwareUpdater\translations.xml
  File created: C:\Program Files (x86)\SoftwareUpdater\config.xml
  File created: C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config
  File created: C:\Program Files (x86)\SoftwareUpdater\Interop.Shell32.dll

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Kills process with taskkill (1 IoC)
  Process: taskkill.exe (PID 1716)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, process taskkill.exe (PID 1716)

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1404 (0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe) wrote to memory of PID 1716 (taskkill.exe), 4 events
Processes

C:\Users\Admin\AppData\Local\Temp\0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe (PID 1404)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\taskkill.exe (PID 1716, child of PID 1404)
      Command line: taskkill /f /im AppsUpdater.exe
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe (PID 1284)
  Command line: "C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe"
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 38KB
MD5: c4e8ae01d20299c7dbfadff02e83d0eb
SHA1: 23404dcca3c5aa4301ca4792be774d1ffbb675bd
SHA256: e068ca1471b7d8df63dff47d245e88f11006d06d48e8014c9d54247399172aac
SHA512: f37c08e940bf804cb26b877262f387a6bc424b3c502989a2348c85d63c109dc49beab2654b722275d687417f102f5aa1e9633591062ceb338fdeaa9939587ea1

Filesize: 61KB
MD5: d63975ce28f801f236c4aca5af726961
SHA1: 3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9
SHA256: e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
SHA512: 8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Filesize: 11KB
MD5: c17103ae9072a06da581dec998343fc1
SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 6KB
MD5: acc2b699edfea5bf5aae45aba3a41e96
SHA1: d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256: 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512: e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Filesize: 110KB
MD5: 6b997e803a10663fa4a2995c030ba1a9
SHA1: 3f81a5fc93601f04a4327ffd7c5a063dbf50a882
SHA256: 9f50688db497c70cc2c84558dcb71b19d076f983557f2b7de8a742fa804ba060
SHA512: 4cb8ecc7bb54c9e506e5061b452d474fd077b9f34b89384f54647dffabd77138fc4ad43e3fc14c6a65da21d72f655cf40560d53179a8317bb7b04382ff5bd776

Filesize: 222KB
MD5: ea79ad436f5e54ee5dc2aba13fe1b15a
SHA1: 66e248962bfb1f370796dac393621367638c21b1
SHA256: 0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832
SHA512: dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e