Analysis
max time kernel: 151s
max time network: 173s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 21:51
Static task: static1
Behavioral task: behavioral1
  Sample: 57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe
  Resource: win10v2004-20220812-en
General
Target: 57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe
Size: 376KB
MD5: b9d14ea30ffa2930ba00e3123edb1b2f
SHA1: 9d922046f22c796186bd55b2e78c297a08b60a75
SHA256: 57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8
SHA512: 81f2b456e06b5e8b1dceb72a4d9f0571f2c7d8a1eb916b739d993c9c6d16b64711dfcd40ccbe58733aa7faf15d164d1a0ffbe5d5065df999da6645a67a4b5267
SSDEEP: 6144:A9ufYgqOwOQCPTbksaYhBaBt9pqT2pKsEQN89xUNdD9nFSpXbe9zum7lflnIcLRH:qgXPHVh0Bt9oSPqUNdDHOy9JflxRPco
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid 3728  MUpdate.exe
Loads dropped DLL 1 IoCs
Processes:
MUpdate.exepid process 3728 MUpdate.exe -
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.
Adds Run key to start application (2 TTPs, 1 IoC)
  MUpdate.exe  Set value (str)
    \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTFM0N = "c:\\J240584625carp240584625\\MUpdate.exe c:\\J24058~1\\Qjkot.dll,ALSTS_ExecuteAction"
  Note: the value name CTFM0N (digit zero, not the letter O) mimics ctfmon, the name of the legitimate Windows text-services process. The value data has the same shape as a rundll32 invocation (DLL path, comma, export name), with the dropped MUpdate.exe acting as the loader, and gives the DLL path in 8.3 short-name form (J24058~1), so hunts that match on the long path alone will miss it.
Enumerates connected drives (3 TTPs, 2 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  MUpdate.exe  File opened (read-only)  \??\a:
  MUpdate.exe  File opened (read-only)  \??\b:
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  MUpdate.exe  File opened for modification  \??\PHYSICALDRIVE0
  Note: this IoC records a write-capable handle to the raw disk, not the bytes written. Confirm an actual MBR change by comparing sector 0 (boot code, disk signature and partition table) against a known-good copy before treating the host as bootkit-infected.
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  MUpdate.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  MUpdate.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Runs ping.exe (1 TTP, 1 IoC)
  See the cmd.exe / PING.EXE branch of the process tree below.
Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid 3728  MUpdate.exe  (12 events)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 1380  57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  source pid  source process                                                             target pid  target process  events
  1380        57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe   3728        MUpdate.exe     3
  1380        57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe   4672        cmd.exe         3
  4672        cmd.exe                                                                    4300        PING.EXE        3
  Note: every write here targets a child the source had just created. A few WriteProcessMemory calls into a freshly created child are what process creation itself produces and are not, on their own, evidence of injection; the signature is informational unless writes into an unrelated process appear.
Processes
1  C:\Users\Admin\AppData\Local\Temp\57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe
   cmdline: "C:\Users\Admin\AppData\Local\Temp\57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2  \??\c:\J240584625carp240584625\MUpdate.exe
      cmdline: c:\J240584625carp240584625\MUpdate.exe "c:\J240584625carp240584625\Qjkot.dll",ALSTS_ExecuteAction
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
   2  C:\Windows\SysWOW64\cmd.exe
      cmdline: cmd /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe"
      - Suspicious use of WriteProcessMemory
      3  C:\Windows\SysWOW64\PING.EXE
         cmdline: ping 127.0.0.1 -n 3
         - Runs ping.exe
Notes on the tree: the cmd.exe branch is the common self-deletion idiom, where ping to 127.0.0.1 serves as a roughly two-second sleep so the original executable has exited before del removes it from Temp. The SysWOW64 paths show the sample runs as a 32-bit process under WOW64 on this x64 image, consistent with the arch:x86 resource tag. MUpdate.exe is started with the dropped DLL and an export name, rundll32-style, so the behaviour attributed to pid 3728 (MBR write, drive enumeration, persistence) most likely lives in Qjkot.dll, which MUpdate.exe loads (see Loads dropped DLL).
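The three command lines and the Run-key value above carry the facts an analyst turns into detection logic: the ping-then-del self-deletion, the rundll32-style DLL,export argument, and the look-alike value name. The following is an added example, not code from the report or the sample; the inputs are copied from this page, the parsing functions are ours, and the list of digit-for-letter swaps in _HOMOGLYPHS is an assumption chosen to cover CTFM0N and similar names.

```python
"""Triage helpers for the command lines and Run key recorded in this report.

Added example. CMDLINES and RUN_KEY_* are copied from the report (constructed
test input); the detection logic is not part of the sandbox or the sample.
"""
import re

# Copied from the process tree.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe"',
    r'c:\J240584625carp240584625\MUpdate.exe "c:\J240584625carp240584625\Qjkot.dll",ALSTS_ExecuteAction',
    r'cmd /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\57d0fa9b3e5a00b72597ab1464bd2d296135e61c71b3a4a6e5bc662e0ae835f8.exe"',
]
# Copied from the "Adds Run key" signature.
RUN_KEY_NAME = "CTFM0N"
RUN_KEY_DATA = r"c:\J240584625carp240584625\MUpdate.exe c:\J24058~1\Qjkot.dll,ALSTS_ExecuteAction"

# "ping [-n N] <loopback> [-n N] ... & del [/flags] <path>": ping is a sleep so the
# parent has exited before its own file is unlinked. Both -n positions are accepted.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)(?:\s+-n\s+(\d+))?"
    r"[^&]*&+\s*del\s+(?:/[a-z]\s+)*\"?([^\"&]+?)\"?\s*(?:&|$)",
    re.IGNORECASE,
)
# rundll32-style "<dll>,<export>" argument, with or without quotes around the DLL path.
DLL_EXPORT_RE = re.compile(r'"?([^"\s,]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# Assumed digit-for-letter substitutions used in look-alike names.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})


def detect_self_delete(cmdline: str):
    """Return (ping_count, deleted_path) for the ping-then-del idiom, else None.

    ping -n N to loopback takes roughly N-1 seconds (one echo per second).
    """
    m = SELF_DELETE_RE.search(cmdline)
    if not m:
        return None
    count = int(m.group(1) or m.group(2) or 4)  # ping's default is 4 echoes
    return count, m.group(3)


def parse_dll_export(cmdline: str):
    """Return (dll_path, export_name) from a rundll32-style argument, else None."""
    m = DLL_EXPORT_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def is_lookalike(name: str, legitimate: str) -> bool:
    """True if `name` differs from `legitimate` only by digit-for-letter swaps."""
    if name.lower() == legitimate.lower():
        return False
    return name.lower().translate(_HOMOGLYPHS) == legitimate.lower()


def triage(cmdlines, run_key_name, run_key_data) -> dict:
    """Collect the findings from a process tree plus one Run-key value."""
    findings = {}
    for c in cmdlines:
        sd = detect_self_delete(c)
        if sd:
            findings["self_delete"] = {"ping_count": sd[0], "path": sd[1]}
        de = parse_dll_export(c)
        if de:
            findings.setdefault("dll_exports", []).append({"dll": de[0], "export": de[1]})
    de = parse_dll_export(run_key_data)
    findings["run_key"] = {
        "name": run_key_name,
        "mimics_ctfmon": is_lookalike(run_key_name, "ctfmon"),
        "dll": de[0] if de else None,
        "export": de[1] if de else None,
        # 8.3 short names (NAME~1) in persistence data need normalising before hunting.
        "uses_short_name": "~" in run_key_data,
    }
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage(CMDLINES, RUN_KEY_NAME, RUN_KEY_DATA), indent=2))
```

Feed real process-creation events (Sysmon event 1, EDR telemetry) through detect_self_delete and parse_dll_export in place of CMDLINES; the functions only look at the command line, so they work on any source that records it.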
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\J240584625carp240584625\MUpdate.exe (also recorded under the NT path \??\c:\J240584625carp240584625\MUpdate.exe)
  Filesize: 60KB
  MD5: 889b99c52a60dd49227c5e485a016679
  SHA1: 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
  SHA256: 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
  SHA512: 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641
C:\J240584625carp240584625\Qjkot.dll (also recorded under the NT path \??\c:\J240584625carp240584625\Qjkot.dll)
  Filesize: 86.3MB
  MD5: 173c49cbd5618bc7d46214b105c9de39
  SHA1: f14666689fd46b17fe12a8c4d1ac0cf95b913302
  SHA256: f3a2e144b957ebddd414b63b7cdfdc05e561ac6d3ed29a57eb5e498ad5c4648e
  SHA512: ce900c68d8d21cf3e3380f99a5a8a8d07fdeb514555130080ca3bfb39a00480707f0229616ee8cb0981d26a2a351a68e98a707d85afa22677e927e05dfa2ea41
  Note: at 86.3MB the DLL is far larger than the 60KB loader that invokes it and the 376KB sample that dropped both. Inflating a payload to tens of megabytes is a common way to exceed the file-size limits of scanners and sandbox uploads, so check how much of the file is real code (section sizes, overlay, entropy) before treating the size as benign.
Memory dumps
  memory/3728-132-0x0000000000000000-mapping.dmp
  memory/4300-138-0x0000000000000000-mapping.dmp
  memory/4672-135-0x0000000000000000-mapping.dmp