8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99

General

Target

8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe
Size

3.4MB
MD5

e854d8ea7fa2e3609eb837d7be2224b3
SHA1

dedcd5578202b9955f3b9f55ffa5652372832b39
SHA256

8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99
SHA512

487377a3a839c803809e9d6716a42592a9110642a27814fad5b371c84e1ca2a176b96dd6fe056ff981e01a0e7e7532e61a3f7663b53f0a3a236f74655429e520
SSDEEP

49152:3fvAp68fIudhTdQR1yocZ4Clrx3PXrtRwW/okzrztg0F8vKD:3qDb3ZDdlP4WQgyQ

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

CompPkgSup.exe

pid process

668 CompPkgSup.exe

pid	process
668	CompPkgSup.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/656-55-0x0000000000A90000-0x0000000000F7A000-memory.dmp	vmprotect
C:\ProgramData\ComponentUpdater\CompPkgSup.exe	vmprotect
C:\ProgramData\ComponentUpdater\CompPkgSup.exe	vmprotect
behavioral1/memory/668-69-0x00000000000A0000-0x000000000058A000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\PackagesSupport = "C:\\ProgramData\\ComponentUpdater\\CompPkgSup.exe"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

584 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1948 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1956 reg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1948 taskkill.exe

pid	process
584	schtasks.exe

pid	process
1948	taskkill.exe

pid	process
1956	reg.exe

description	pid	process
Token: SeDebugPrivilege	1948	taskkill.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.execmd.execmd.execmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 656 wrote to memory of 2036	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 2036	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 2036	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 2036	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 2036 wrote to memory of 1948	2036	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 1948	2036	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 1948	2036	cmd.exe	taskkill.exe
PID 2036 wrote to memory of 1948	2036	cmd.exe	taskkill.exe
PID 656 wrote to memory of 1976	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1976	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1976	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1976	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1004	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1004	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1004	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 1004	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 1976 wrote to memory of 1776	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1776	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1776	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1776	1976	cmd.exe	attrib.exe
PID 656 wrote to memory of 584	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	schtasks.exe
PID 656 wrote to memory of 584	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	schtasks.exe
PID 656 wrote to memory of 584	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	schtasks.exe
PID 656 wrote to memory of 584	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	schtasks.exe
PID 656 wrote to memory of 340	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 340	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 340	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 656 wrote to memory of 340	656	8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe	cmd.exe
PID 1004 wrote to memory of 820	1004	cmd.exe	attrib.exe
PID 1004 wrote to memory of 820	1004	cmd.exe	attrib.exe
PID 1004 wrote to memory of 820	1004	cmd.exe	attrib.exe
PID 1004 wrote to memory of 820	1004	cmd.exe	attrib.exe
PID 340 wrote to memory of 1956	340	cmd.exe	reg.exe
PID 340 wrote to memory of 1956	340	cmd.exe	reg.exe
PID 340 wrote to memory of 1956	340	cmd.exe	reg.exe
PID 340 wrote to memory of 1956	340	cmd.exe	reg.exe
PID 324 wrote to memory of 668	324	taskeng.exe	CompPkgSup.exe
PID 324 wrote to memory of 668	324	taskeng.exe	CompPkgSup.exe
PID 324 wrote to memory of 668	324	taskeng.exe	CompPkgSup.exe
PID 324 wrote to memory of 668	324	taskeng.exe	CompPkgSup.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1776 attrib.exe
820 attrib.exe

pid	process
1776	attrib.exe
820	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe
"C:\Users\Admin\AppData\Local\Temp\8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /F /IM CompPkgSup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM CompPkgSup.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\attrib.exe
ATTRIB +h +s C:\ProgramData\ComponentUpdater
3⤵
- Views/modifies file attributes
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\attrib.exe
ATTRIB +h +s C:\ProgramData\ComponentUpdater\CompPkgSup.exe
3⤵
- Views/modifies file attributes
PID:820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "PackagesSupport" /tr "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
2⤵
- Creates scheduled task(s)
PID:584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "PackagesSupport" /d "C:\ProgramData\ComponentUpdater\CompPkgSup.exe" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1956

C:\Windows\system32\taskeng.exe
taskeng.exe {AE413937-900E-4C07-82C1-C91228B24B0C} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\ProgramData\ComponentUpdater\CompPkgSup.exe
C:\ProgramData\ComponentUpdater\CompPkgSup.exe
2⤵
- Executes dropped EXE
PID:668

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Hidden Files and Directories

1

T1158

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ComponentUpdater\CompPkgSup.exe
Filesize
3.4MB

MD5
e854d8ea7fa2e3609eb837d7be2224b3

SHA1
dedcd5578202b9955f3b9f55ffa5652372832b39

SHA256
8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99

SHA512
487377a3a839c803809e9d6716a42592a9110642a27814fad5b371c84e1ca2a176b96dd6fe056ff981e01a0e7e7532e61a3f7663b53f0a3a236f74655429e520

Download Submit
C:\ProgramData\ComponentUpdater\CompPkgSup.exe
Filesize
3.4MB

MD5
e854d8ea7fa2e3609eb837d7be2224b3

SHA1
dedcd5578202b9955f3b9f55ffa5652372832b39

SHA256
8c2dcae5ff5261b3f416d6c80dbcf7e571176310cc2104ac9f486551a2dfac99

SHA512
487377a3a839c803809e9d6716a42592a9110642a27814fad5b371c84e1ca2a176b96dd6fe056ff981e01a0e7e7532e61a3f7663b53f0a3a236f74655429e520

Download Submit
memory/340-62-0x0000000000000000-mapping.dmp

Download
memory/584-61-0x0000000000000000-mapping.dmp

Download
memory/656-55-0x0000000000A90000-0x0000000000F7A000-memory.dmp

Filesize
4.9MB

Download
memory/656-54-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/668-69-0x00000000000A0000-0x000000000058A000-memory.dmp

Filesize
4.9MB

Download
memory/668-66-0x0000000000000000-mapping.dmp

Download
memory/820-63-0x0000000000000000-mapping.dmp

Download
memory/1004-59-0x0000000000000000-mapping.dmp

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download
memory/1956-64-0x0000000000000000-mapping.dmp

Download
memory/1976-58-0x0000000000000000-mapping.dmp

Download
memory/2036-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads