0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0

Analysis

max time kernel
177s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
Size

622KB
MD5

eaa69b398c4493bfe92f3db94df0801b
SHA1

50a86dbb9fb1c8cd8b2ed11bac3e8ce48f295f4b
SHA256

0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0
SHA512

c7d8035980512e2d64af48a7ae4a00d92ab7f418f7b7aa948e7e658433fcd58c2951b777252559c3ccffb9d1de91db2b261ea2f2cf924cd5b305686d3c3385ca
SSDEEP

12288:dH4z6KQHwSjF/DNIs2JvpmhybhhEVil9KdxpwmjF/55c1tvpe:dcJYjRDzSBmOwiwNjR5mrBe

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

UpdaterService.exe

pid process

4936 UpdaterService.exe

pid	process
4936	UpdaterService.exe

Loads dropped DLL 15 IoCs

Processes:

0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe

pid	process
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

Processes:

0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe

description	ioc	process
File created	C:\Program Files (x86)\SoftwareUpdater\translations.xml	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File opened for modification	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\config.xml	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.config	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\Interop.Shell32.dll	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\KeyGen.dll	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
File created	C:\Program Files (x86)\SoftwareUpdater\uninstall.exe	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5092 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 5092 taskkill.exe

pid	process
5092	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	5092	taskkill.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe

description	pid	process	target process
PID 2092 wrote to memory of 5092	2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe	taskkill.exe
PID 2092 wrote to memory of 5092	2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe	taskkill.exe
PID 2092 wrote to memory of 5092	2092	0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe
"C:\Users\Admin\AppData\Local\Temp\0c610d24b864c6ff7960311a0c6d2f5788ea7cab08069d0abcf900cd52b4dcb0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AppsUpdater.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5092

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
"C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe"
1⤵
- Executes dropped EXE
PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe

Filesize
38KB

MD5
c4e8ae01d20299c7dbfadff02e83d0eb

SHA1
23404dcca3c5aa4301ca4792be774d1ffbb675bd

SHA256
e068ca1471b7d8df63dff47d245e88f11006d06d48e8014c9d54247399172aac

SHA512
f37c08e940bf804cb26b877262f387a6bc424b3c502989a2348c85d63c109dc49beab2654b722275d687417f102f5aa1e9633591062ceb338fdeaa9939587ea1

Download Submit
C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe

Filesize
38KB

MD5
c4e8ae01d20299c7dbfadff02e83d0eb

SHA1
23404dcca3c5aa4301ca4792be774d1ffbb675bd

SHA256
e068ca1471b7d8df63dff47d245e88f11006d06d48e8014c9d54247399172aac

SHA512
f37c08e940bf804cb26b877262f387a6bc424b3c502989a2348c85d63c109dc49beab2654b722275d687417f102f5aa1e9633591062ceb338fdeaa9939587ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\nsURL.dll

Filesize
110KB

MD5
6b997e803a10663fa4a2995c030ba1a9

SHA1
3f81a5fc93601f04a4327ffd7c5a063dbf50a882

SHA256
9f50688db497c70cc2c84558dcb71b19d076f983557f2b7de8a742fa804ba060

SHA512
4cb8ecc7bb54c9e506e5061b452d474fd077b9f34b89384f54647dffabd77138fc4ad43e3fc14c6a65da21d72f655cf40560d53179a8317bb7b04382ff5bd776

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\nsURL.dll

Filesize
110KB

MD5
6b997e803a10663fa4a2995c030ba1a9

SHA1
3f81a5fc93601f04a4327ffd7c5a063dbf50a882

SHA256
9f50688db497c70cc2c84558dcb71b19d076f983557f2b7de8a742fa804ba060

SHA512
4cb8ecc7bb54c9e506e5061b452d474fd077b9f34b89384f54647dffabd77138fc4ad43e3fc14c6a65da21d72f655cf40560d53179a8317bb7b04382ff5bd776

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf21A2.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
memory/2092-147-0x0000000002D80000-0x0000000002D93000-memory.dmp

Filesize
76KB

Download
memory/2092-135-0x00000000023D0000-0x00000000023E3000-memory.dmp

Filesize
76KB

Download
memory/4936-153-0x00007FFE7F8A0000-0x00007FFE802D6000-memory.dmp

Filesize
10.2MB

Download
memory/5092-142-0x0000000000000000-mapping.dmp

Download