Analysis
- max time kernel: 200s
- max time network: 214s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 20:13
Behavioral task
- behavioral1
  Sample: d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
  Resource: win7-20221111-en
General
- Target: d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
- Size: 54KB
- MD5: 57e34387cdcaf4921dc9b9e7f8706800
- SHA1: f229b450fc64ad1bb0360121a94b353eddd42f16
- SHA256: d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4
- SHA512: a5c4caf7ca37568cd3825657e76849001b1f9cbc32672267a30afd52550526387a439ca583c5997f1b8a46038478705301b3e8c00d30a21b953ed1ad3ed6fd54
- SSDEEP: 1536:AErdoU9DEfPF3CZBwaX35U+KOgfSuPhKUrtEYBFBtnyNc:AErnTB7Xp2fSKBxEK5a
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2236  SceUpdata.exe

- YARA rule match: upx
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/4788-132-0x0000000000400000-0x0000000000417000-memory.dmp  upx
    C:\Windows\SysWOW64\SceUpdata.exe                                             upx
    C:\Windows\SysWOW64\SceUpdata.exe                                             upx
    behavioral2/memory/4788-141-0x0000000000400000-0x0000000000417000-memory.dmp  upx

- YARA rule match: vmprotect
  Processes:
    resource                           yara_rule
    C:\Windows\SysWOW64\GoogleApp.dll  vmprotect
    C:\Windows\SysWOW64\GoogleApp.dll  vmprotect
    C:\Windows\SysWOW64\GoogleApp.dll  vmprotect
    C:\Windows\SysWOW64\GoogleApp.dll  vmprotect

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description        ioc                                                                                                 process
    Key value queried  \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

- Loads dropped DLL (3 IoCs)
  Processes:
    pid   process
    4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    2236  SceUpdata.exe
    2236  SceUpdata.exe

- Drops file in System32 directory (5 IoCs)
  Processes:
    description                   ioc                                process
    File opened for modification  C:\Windows\SysWOW64\zmdll.lst      SceUpdata.exe
    File created                  C:\Windows\SysWOW64\GoogleApp.dll  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    File opened for modification  C:\Windows\SysWOW64\zmdll.lst      d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    File created                  C:\Windows\SysWOW64\SceUpdata.exe  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    File opened for modification  C:\Windows\SysWOW64\SceUpdata.exe  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid   process
    4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  (14 identical entries)

- Suspicious behavior: LoadsDriver (6 IoCs)
  Processes:
    pid   process
    4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    660   (no process name given in the report)
    2236  SceUpdata.exe
    660   (no process name given in the report)
    2236  SceUpdata.exe
    660   (no process name given in the report)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description                   pid   process
    Token: SeLoadDriverPrivilege  4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
    Token: SeLoadDriverPrivilege  2236  SceUpdata.exe
    Token: SeLoadDriverPrivilege  2236  SceUpdata.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                                                target process
    PID 4788 wrote to memory of 2236   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  SceUpdata.exe
    PID 4788 wrote to memory of 2236   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  SceUpdata.exe
    PID 4788 wrote to memory of 2236   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  SceUpdata.exe
    PID 4788 wrote to memory of 3928   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  cmd.exe
    PID 4788 wrote to memory of 3928   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  cmd.exe
    PID 4788 wrote to memory of 3928   4788  d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe  cmd.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe"
  PID: 4788
  Signatures:
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children:
  - [depth 2] C:\Windows\SysWOW64\SceUpdata.exe
    Command line: "C:\Windows\system32\SceUpdata.exe"
    PID: 2236
    Signatures:
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c c:\test.bat
    PID: 3928
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\SysWOW64\GoogleApp.dll
  Filesize: 58KB
  MD5: d154681e1a8c7defe85355cf24462865
  SHA1: 064ccce0a08229c79e32b7c7a34afdceee9543e9
  SHA256: 0e71c8d551175a2212819b3f6b141b308d6cf997746f4af4e73b92ec63b337e3
  SHA512: 8b47439cfec2f2797d9cc1bdaa6cb5f4e4cc100a00ac6a858ba2e812a9e2455e392d022993cb2eddb0c87003f95432789248667886a7d7543795a3939e6c97dc
- C:\Windows\SysWOW64\SceUpdata.exe (same hashes as the submitted sample: the sample copies itself into SysWOW64)
  Filesize: 54KB
  MD5: 57e34387cdcaf4921dc9b9e7f8706800
  SHA1: f229b450fc64ad1bb0360121a94b353eddd42f16
  SHA256: d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4
  SHA512: a5c4caf7ca37568cd3825657e76849001b1f9cbc32672267a30afd52550526387a439ca583c5997f1b8a46038478705301b3e8c00d30a21b953ed1ad3ed6fd54
- C:\Windows\SysWOW64\zmdll.lst
  Filesize: 200B
  MD5: d796710eebbe3f0584f0099d4e7ddb65
  SHA1: 420b2032f1dddf12a12e392e2284390403e13c34
  SHA256: 658cce9eefaa457e5f60428da451cdbf8e96920c459f2a1c5586c0f70eea5d6f
  SHA512: af14c79648d9c2c098fb295e2c9d8ddcd7849f44134fa4e44fe9f59f93a31d87736250e2390e200bd959e4d187a58c41011b980ca661ab19ee9d9b1bd555c045
- \??\c:\test.bat
  Filesize: 249B
  MD5: 7dc0a405c8721cf02e6bc87e5804d812
  SHA1: 56e6cea3532d6b3afdf60713ac1aeb20750a6eaf
  SHA256: ca248b677cc89b276ba89993dba97050a232994caa981acae6507f9475c67b19
  SHA512: 5b856f8c6422c8af2c62c2c9cc0adbcdf55760371109bf07a625c3da88d3bcd395c6108263cc8bcf319e058ab5db56048d7422e1098a9f11cbfa472f33038ba3
- memory/2236-134-0x0000000000000000-mapping.dmp
- memory/3928-140-0x0000000000000000-mapping.dmp
- memory/4788-132-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB
- memory/4788-141-0x0000000000400000-0x0000000000417000-memory.dmp
  Filesize: 92KB