09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b

General

Target

09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe
Size

6.0MB
MD5

548583e54077fec31049220709e7f4b9
SHA1

4d0822015fbcdb4dbd1dc8f57a116fd91fb35fd3
SHA256

09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b
SHA512

9f8f32cc42d79c3473493d3b0f2839a95ca1df509733f7dc47e4ee8b35caf29d16e2e9361a2adabe6d3104de9e35f4e3dbba047b87d92d98f524d1826673aef6
SSDEEP

98304:a6p+CgTmGHqC3v/fq6Q3vxTSsTyVlP4AvZ8X16DhKWAZvhUdmWLOPvKlu0CbxaC2:x+JT8G/y6QMsTyVlPGMDhGUd7aylu0Cy

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
940	MicrosoftNetUpdate.exe
908	MicrosoftNetUpdate.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e4b-133.dat	upx
behavioral2/files/0x0007000000022e4b-134.dat	upx
behavioral2/memory/940-135-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx
behavioral2/memory/940-136-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx
behavioral2/files/0x0007000000022e4b-139.dat	upx
behavioral2/memory/940-143-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 908	940	MicrosoftNetUpdate.exe	81

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
908	MicrosoftNetUpdate.exe
908	MicrosoftNetUpdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
908	MicrosoftNetUpdate.exe
908	MicrosoftNetUpdate.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 940	1476	09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe	79
PID 1476 wrote to memory of 940	1476	09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe	79
PID 1476 wrote to memory of 940	1476	09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe	79
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81
PID 940 wrote to memory of 908	940	MicrosoftNetUpdate.exe	81

C:\Users\Admin\AppData\Local\Temp\09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe
"C:\Users\Admin\AppData\Local\Temp\09594dcf9515998adfa96906c066bd6edd9ea455c0ebadacdbd54c84472d382b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
memory/908-142-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/908-138-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/908-140-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/908-144-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/908-145-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/908-146-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/940-136-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download
memory/940-135-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download
memory/940-143-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download

Analysis

Sharing