d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4

General

Target

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
Size

54KB
MD5

57e34387cdcaf4921dc9b9e7f8706800
SHA1

f229b450fc64ad1bb0360121a94b353eddd42f16
SHA256

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4
SHA512

a5c4caf7ca37568cd3825657e76849001b1f9cbc32672267a30afd52550526387a439ca583c5997f1b8a46038478705301b3e8c00d30a21b953ed1ad3ed6fd54
SSDEEP

1536:AErdoU9DEfPF3CZBwaX35U+KOgfSuPhKUrtEYBFBtnyNc:AErnTB7Xp2fSKBxEK5a

Score

8^/10

upx vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SceUpdata.exe

pid process

2236 SceUpdata.exe

pid	process
2236	SceUpdata.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4788-132-0x0000000000400000-0x0000000000417000-memory.dmp	upx
C:\Windows\SysWOW64\SceUpdata.exe	upx
C:\Windows\SysWOW64\SceUpdata.exe	upx
behavioral2/memory/4788-141-0x0000000000400000-0x0000000000417000-memory.dmp	upx

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\SysWOW64\GoogleApp.dll	vmprotect
C:\Windows\SysWOW64\GoogleApp.dll	vmprotect
C:\Windows\SysWOW64\GoogleApp.dll	vmprotect
C:\Windows\SysWOW64\GoogleApp.dll	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

Loads dropped DLL 3 IoCs

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exeSceUpdata.exe

pid process

4788 d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
2236 SceUpdata.exe
2236 SceUpdata.exe

Drops file in System32 directory 5 IoCs

Processes:

SceUpdata.exed62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	SceUpdata.exe
File created	C:\Windows\SysWOW64\GoogleApp.dll	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
File opened for modification	C:\Windows\SysWOW64\zmdll.lst	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
File created	C:\Windows\SysWOW64\SceUpdata.exe	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
File opened for modification	C:\Windows\SysWOW64\SceUpdata.exe	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

pid	process
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exeSceUpdata.exe

pid process

4788 d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
660
2236 SceUpdata.exe
660
2236 SceUpdata.exe
660

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exeSceUpdata.exe

description	pid	process
Token: SeLoadDriverPrivilege	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
Token: SeLoadDriverPrivilege	2236	SceUpdata.exe
Token: SeLoadDriverPrivilege	2236	SceUpdata.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe

description	pid	process	target process
PID 4788 wrote to memory of 2236	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	SceUpdata.exe
PID 4788 wrote to memory of 2236	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	SceUpdata.exe
PID 4788 wrote to memory of 2236	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	SceUpdata.exe
PID 4788 wrote to memory of 3928	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	cmd.exe
PID 4788 wrote to memory of 3928	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	cmd.exe
PID 4788 wrote to memory of 3928	4788	d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe
"C:\Users\Admin\AppData\Local\Temp\d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\SceUpdata.exe
"C:\Windows\system32\SceUpdata.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\test.bat
2⤵
PID:3928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\GoogleApp.dll
Filesize
58KB

MD5
d154681e1a8c7defe85355cf24462865

SHA1
064ccce0a08229c79e32b7c7a34afdceee9543e9

SHA256
0e71c8d551175a2212819b3f6b141b308d6cf997746f4af4e73b92ec63b337e3

SHA512
8b47439cfec2f2797d9cc1bdaa6cb5f4e4cc100a00ac6a858ba2e812a9e2455e392d022993cb2eddb0c87003f95432789248667886a7d7543795a3939e6c97dc

Download Submit
C:\Windows\SysWOW64\GoogleApp.dll
Filesize
58KB

MD5
d154681e1a8c7defe85355cf24462865

SHA1
064ccce0a08229c79e32b7c7a34afdceee9543e9

SHA256
0e71c8d551175a2212819b3f6b141b308d6cf997746f4af4e73b92ec63b337e3

SHA512
8b47439cfec2f2797d9cc1bdaa6cb5f4e4cc100a00ac6a858ba2e812a9e2455e392d022993cb2eddb0c87003f95432789248667886a7d7543795a3939e6c97dc

Download Submit
C:\Windows\SysWOW64\GoogleApp.dll
Filesize
58KB

MD5
d154681e1a8c7defe85355cf24462865

SHA1
064ccce0a08229c79e32b7c7a34afdceee9543e9

SHA256
0e71c8d551175a2212819b3f6b141b308d6cf997746f4af4e73b92ec63b337e3

SHA512
8b47439cfec2f2797d9cc1bdaa6cb5f4e4cc100a00ac6a858ba2e812a9e2455e392d022993cb2eddb0c87003f95432789248667886a7d7543795a3939e6c97dc

Download Submit
C:\Windows\SysWOW64\GoogleApp.dll
Filesize
58KB

MD5
d154681e1a8c7defe85355cf24462865

SHA1
064ccce0a08229c79e32b7c7a34afdceee9543e9

SHA256
0e71c8d551175a2212819b3f6b141b308d6cf997746f4af4e73b92ec63b337e3

SHA512
8b47439cfec2f2797d9cc1bdaa6cb5f4e4cc100a00ac6a858ba2e812a9e2455e392d022993cb2eddb0c87003f95432789248667886a7d7543795a3939e6c97dc

Download Submit
C:\Windows\SysWOW64\SceUpdata.exe
Filesize
54KB

MD5
57e34387cdcaf4921dc9b9e7f8706800

SHA1
f229b450fc64ad1bb0360121a94b353eddd42f16

SHA256
d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4

SHA512
a5c4caf7ca37568cd3825657e76849001b1f9cbc32672267a30afd52550526387a439ca583c5997f1b8a46038478705301b3e8c00d30a21b953ed1ad3ed6fd54

Download Submit
C:\Windows\SysWOW64\SceUpdata.exe
Filesize
54KB

MD5
57e34387cdcaf4921dc9b9e7f8706800

SHA1
f229b450fc64ad1bb0360121a94b353eddd42f16

SHA256
d62e3c24de3e6fb4bc2d033be03a52bb4c69ee5141f046defa0003c4afac7cd4

SHA512
a5c4caf7ca37568cd3825657e76849001b1f9cbc32672267a30afd52550526387a439ca583c5997f1b8a46038478705301b3e8c00d30a21b953ed1ad3ed6fd54

Download Submit
C:\Windows\SysWOW64\zmdll.lst
Filesize
200B

MD5
d796710eebbe3f0584f0099d4e7ddb65

SHA1
420b2032f1dddf12a12e392e2284390403e13c34

SHA256
658cce9eefaa457e5f60428da451cdbf8e96920c459f2a1c5586c0f70eea5d6f

SHA512
af14c79648d9c2c098fb295e2c9d8ddcd7849f44134fa4e44fe9f59f93a31d87736250e2390e200bd959e4d187a58c41011b980ca661ab19ee9d9b1bd555c045

Download Submit
\??\c:\test.bat
Filesize
249B

MD5
7dc0a405c8721cf02e6bc87e5804d812

SHA1
56e6cea3532d6b3afdf60713ac1aeb20750a6eaf

SHA256
ca248b677cc89b276ba89993dba97050a232994caa981acae6507f9475c67b19

SHA512
5b856f8c6422c8af2c62c2c9cc0adbcdf55760371109bf07a625c3da88d3bcd395c6108263cc8bcf319e058ab5db56048d7422e1098a9f11cbfa472f33038ba3

Download Submit
memory/2236-134-0x0000000000000000-mapping.dmp

Download
memory/3928-140-0x0000000000000000-mapping.dmp

Download
memory/4788-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4788-141-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads