Analysis
max time kernel: 190s
max time network: 193s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 13:44
Static task: static1
Behavioral task: behavioral1
Sample: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Resource: win7-20221111-en
General
Target: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Size: 372KB
MD5: e0a53248959cc237d502045760eab3da
SHA1: f2747b669016607a3b44bb15be395b4d06afca31
SHA256: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef
SHA512: ccc48f7c9618939dbf176869bd73798e6ea967a7c12af6750d159dc89dca17714d48e59a0eb2b2bd412eea112f486acb66fea944f98c2fa87ebb9c341cd77a6c
SSDEEP: 6144:ciJB3eMyCkgJeNXXr5k5MhPHq+pzQAABAh6Sn0/8163IG3vnpvSd8tnmTx+:hnOMyCqXre5i6AA+c81X8U8tn
Malware Config
Signatures
Executes dropped EXE 2 IoCs
Processes: WUDHost.exe, Acctres.exe
pid   process
4040  WUDHost.exe
4708  Acctres.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
process: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes: WUDHost.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Boot File Servicing Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\WUDHost.exe"
process: WUDHost.exe
Checks whether UAC is enabled 1 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
description: Key value queried
ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
process: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Suspicious use of SetThreadContext 1 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
description: PID 632 set thread context of 2560
pid: 632
process: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
target process: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (PID 632), 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (PID 2560)
pid   process
632   88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
2560  88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
All 64 IoCs are repeated hits on these two PIDs.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
pid   process
2560  88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (PID 632), 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (PID 2560), WUDHost.exe, Acctres.exe
description              pid   process
Token: SeDebugPrivilege  632   88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Token: SeDebugPrivilege  2560  88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe
Token: SeDebugPrivilege  4040  WUDHost.exe
Token: SeDebugPrivilege  4708  Acctres.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe, WUDHost.exe, Acctres.exe
description                       pid   process                                                                   target process                                                            hits
PID 632 wrote to memory of 2560   632   88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe  88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe  8
PID 632 wrote to memory of 4040   632   88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe  WUDHost.exe                                                               3
PID 4040 wrote to memory of 4708  4040  WUDHost.exe                                                               Acctres.exe                                                               3
PID 4708 wrote to memory of 4356  4708  Acctres.exe                                                               dw20.exe                                                                  3
Processes
C:\Users\Admin\AppData\Local\Temp\88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef.exe"
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe (depth 3)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe (depth 4)
        command line: dw20.exe -x -s 1020
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize: 372KB
MD5: e0a53248959cc237d502045760eab3da
SHA1: f2747b669016607a3b44bb15be395b4d06afca31
SHA256: 88f91655388ba7e3f8c3ba4df516adecf49ed1462233ba84b4bf5a2361d784ef
SHA512: ccc48f7c9618939dbf176869bd73798e6ea967a7c12af6750d159dc89dca17714d48e59a0eb2b2bd412eea112f486acb66fea944f98c2fa87ebb9c341cd77a6c
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\WUDHost.exe
Filesize: 13KB
MD5: 87c7263aa4cb3444ef282661c4587035
SHA1: 5e879db395d5ec83d7477c04fbb2fa63c6b0a6d9
SHA256: e84385b30e77b96b9461e34993a399cdcefbdea475a1ef3eb974d0744a42b46c
SHA512: 1bbd4d4caad626282802e22a51211f0eb6afb08406eb8ac7868b0c06496d661c2c6ef67a506bf25f2a8296bbce82825fe00d67eda0b3caa40c9f30b4008f3426
memory/632-132-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/632-133-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/2560-135-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/2560-137-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/2560-134-0x0000000000000000-mapping.dmp
memory/2560-136-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/4040-138-0x0000000000000000-mapping.dmp
memory/4040-142-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/4040-141-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/4356-147-0x0000000000000000-mapping.dmp
memory/4708-143-0x0000000000000000-mapping.dmp
memory/4708-146-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB
memory/4708-148-0x0000000074A00000-0x0000000074FB1000-memory.dmp  Filesize: 5.7MB