33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4

Analysis

max time kernel
190s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe
Size

2.2MB
MD5

04cf9237aa8eddd8737e9dbb401caa92
SHA1

de08a0a729e1eeaa9d8bbfa0e270e3cbe8d5991a
SHA256

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4
SHA512

3a5018aa81adf9116b67cbcb14d1977636a77a8dddcd5bc79addcaa451150873b05adf6732d4f42b33969b1e2fd5dcfb09a87937ed183d22d41b21dc6ebd18ed
SSDEEP

49152:IWEkDtfxp768xuWm02sm+N4q/Iu50+wm0cCPT0X2zzkwgDd3bqlWCxQPMDR:IWE0Z36y3NzIngCPTaPDdrMQE1

Score

8^/10

collection

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

changeq.exeliveupdate.exe

pid process

3648 changeq.exe
2456 liveupdate.exe

pid	process
3648	changeq.exe
2456	liveupdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe

Loads dropped DLL 2 IoCs

Processes:

liveupdate.exe

pid process

2456 liveupdate.exe
2456 liveupdate.exe

pid	process
2456	liveupdate.exe
2456	liveupdate.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

liveupdate.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	liveupdate.exe

Drops file in Windows directory 1 IoCs

Processes:

liveupdate.exe

description ioc process

File created C:\Windows\Tasks\WinmendUpdateTask_Admin.job liveupdate.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\WinmendUpdateTask_Admin.job	liveupdate.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

liveupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage.bak = "en-US"	liveupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US"	liveupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\International	liveupdate.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

liveupdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International	liveupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\AcceptLanguage.bak = "en-US"	liveupdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US"	liveupdate.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe

pid	process
3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe
3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

liveupdate.exe

description pid process

Token: SeSecurityPrivilege 2456 liveupdate.exe

description	pid	process
Token: SeSecurityPrivilege	2456	liveupdate.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exeliveupdate.exe

pid	process
3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe
3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe
2456	liveupdate.exe
2456	liveupdate.exe
2456	liveupdate.exe
2456	liveupdate.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exeliveupdate.execmd.execmd.exe

description	pid	process	target process
PID 3792 wrote to memory of 3648	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	changeq.exe
PID 3792 wrote to memory of 3648	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	changeq.exe
PID 3792 wrote to memory of 3648	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	changeq.exe
PID 3792 wrote to memory of 2456	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	liveupdate.exe
PID 3792 wrote to memory of 2456	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	liveupdate.exe
PID 3792 wrote to memory of 2456	3792	33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe	liveupdate.exe
PID 2456 wrote to memory of 5068	2456	liveupdate.exe	cmd.exe
PID 2456 wrote to memory of 5068	2456	liveupdate.exe	cmd.exe
PID 2456 wrote to memory of 5068	2456	liveupdate.exe	cmd.exe
PID 5068 wrote to memory of 2560	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 2560	5068	cmd.exe	chcp.com
PID 5068 wrote to memory of 2560	5068	cmd.exe	chcp.com
PID 2456 wrote to memory of 4396	2456	liveupdate.exe	cmd.exe
PID 2456 wrote to memory of 4396	2456	liveupdate.exe	cmd.exe
PID 2456 wrote to memory of 4396	2456	liveupdate.exe	cmd.exe
PID 4396 wrote to memory of 1272	4396	cmd.exe	chcp.com
PID 4396 wrote to memory of 1272	4396	cmd.exe	chcp.com
PID 4396 wrote to memory of 1272	4396	cmd.exe	chcp.com
PID 4396 wrote to memory of 4776	4396	cmd.exe	schtasks.exe
PID 4396 wrote to memory of 4776	4396	cmd.exe	schtasks.exe
PID 4396 wrote to memory of 4776	4396	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe
"C:\Users\Admin\AppData\Local\Temp\33322c2dbdf8f8010a1813a793d5421f7c78f96d011658f9ab6a97daa48386a4.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3792

C:\Users\Admin\AppData\Local\Temp\changeq.exe
"C:\Users\Admin\AppData\Local\Temp\changeq.exe" "c:\users\admin\appdata\local\temp"
2⤵
- Executes dropped EXE
PID:3648

C:\Users\Admin\AppData\Local\Temp\liveupdate.exe
"C:\Users\Admin\AppData\Local\Temp\liveupdate.exe" upgrade
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:2560

C:\Windows\SysWOW64\cmd.exe
"cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4396

C:\Windows\SysWOW64\chcp.com
chcp 437
4⤵
PID:1272

C:\Windows\SysWOW64\schtasks.exe
schtasks /query /tn WinmendUpdateTask_Admin
4⤵
PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LiveUpdate.exe

Filesize
978KB

MD5
4d95db4eeb52e50655255d19965861de

SHA1
22751a06fbdaa3f84708ec4113b23cb5bf211081

SHA256
1340d73b35b1bd5193d9b3f37537fb051569e1294daf34b538bf3051ff709ba1

SHA512
b7e0b75b101d2a25516ef270d0cf1b49e009683b1b21520b33e598c49eaf5c712ffa18c811665c199f2810a9a2302a437bdebd1ea8a11783b6a70ff208daf638

Download Submit
C:\Users\Admin\AppData\Local\Temp\LiveUpdate.exe.new

Filesize
978KB

MD5
4d95db4eeb52e50655255d19965861de

SHA1
22751a06fbdaa3f84708ec4113b23cb5bf211081

SHA256
1340d73b35b1bd5193d9b3f37537fb051569e1294daf34b538bf3051ff709ba1

SHA512
b7e0b75b101d2a25516ef270d0cf1b49e009683b1b21520b33e598c49eaf5c712ffa18c811665c199f2810a9a2302a437bdebd1ea8a11783b6a70ff208daf638

Download Submit
C:\Users\Admin\AppData\Local\Temp\basefunc.dll

Filesize
1.2MB

MD5
64e8185572a9259fa60c1d2ccf31b814

SHA1
f97d84a6a046439b068c481908441d2ec864e73f

SHA256
e83071bb25bc970e99be4897ef0229cb5d48f0b86c6c99e88de181fb0613f8ee

SHA512
9ecad0e5c537ed69888022a8c8ea6e445506401f8bc991146bb1bdbff5ae51412c7a0eb0db1ca44732e4feff121f8347546b11feeefc6c20b6e31bac45e7d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\basefunc.dll

Filesize
1.2MB

MD5
64e8185572a9259fa60c1d2ccf31b814

SHA1
f97d84a6a046439b068c481908441d2ec864e73f

SHA256
e83071bb25bc970e99be4897ef0229cb5d48f0b86c6c99e88de181fb0613f8ee

SHA512
9ecad0e5c537ed69888022a8c8ea6e445506401f8bc991146bb1bdbff5ae51412c7a0eb0db1ca44732e4feff121f8347546b11feeefc6c20b6e31bac45e7d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\basefunc.dll

Filesize
1.2MB

MD5
64e8185572a9259fa60c1d2ccf31b814

SHA1
f97d84a6a046439b068c481908441d2ec864e73f

SHA256
e83071bb25bc970e99be4897ef0229cb5d48f0b86c6c99e88de181fb0613f8ee

SHA512
9ecad0e5c537ed69888022a8c8ea6e445506401f8bc991146bb1bdbff5ae51412c7a0eb0db1ca44732e4feff121f8347546b11feeefc6c20b6e31bac45e7d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\basefunc.dll.new

Filesize
1.2MB

MD5
64e8185572a9259fa60c1d2ccf31b814

SHA1
f97d84a6a046439b068c481908441d2ec864e73f

SHA256
e83071bb25bc970e99be4897ef0229cb5d48f0b86c6c99e88de181fb0613f8ee

SHA512
9ecad0e5c537ed69888022a8c8ea6e445506401f8bc991146bb1bdbff5ae51412c7a0eb0db1ca44732e4feff121f8347546b11feeefc6c20b6e31bac45e7d27a

Download Submit
C:\Users\Admin\AppData\Local\Temp\basefunc.ini

Filesize
402B

MD5
d9e17f236bd6fab2ceee4f8e1a1bdb8d

SHA1
c2d91dbf166d5bf269fd654bfd9f567fad5c3dec

SHA256
2a9ca3eef2dcb6d29dcda663deaf06ebb7d9c25edb487d75ad022712ca1b13cf

SHA512
c29119fd57f5800f9145798861bb094ec48e456287d68bf76bf10469de4fb282cf7f7bfb676c8a429b89b3ee5d23d66423ded8f2905df89a8573f2886d8a1474

Download Submit
C:\Users\Admin\AppData\Local\Temp\changeq.exe

Filesize
69KB

MD5
815fc6c303193a2e714a8923a38c3f21

SHA1
3008111fd59a0a794644c5c5a47360541ca40ee9

SHA256
734f8208d82978bf50ff55a101bdaee88598a25bebd105c8980b4faa26134871

SHA512
4c4b6d225f1fb4b3372a6b6941fc1e0373c520cc059eb54e7ce54ddd39690ab96180ecddce1830a42b213b07eca052caf4ed05e294759acf2be1b7206e1773c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\changeq.exe

Filesize
69KB

MD5
815fc6c303193a2e714a8923a38c3f21

SHA1
3008111fd59a0a794644c5c5a47360541ca40ee9

SHA256
734f8208d82978bf50ff55a101bdaee88598a25bebd105c8980b4faa26134871

SHA512
4c4b6d225f1fb4b3372a6b6941fc1e0373c520cc059eb54e7ce54ddd39690ab96180ecddce1830a42b213b07eca052caf4ed05e294759acf2be1b7206e1773c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\checkupdate.exe.new

Filesize
805KB

MD5
e9152af169e49f451a3070cfbb091fdf

SHA1
b03a4008f9197dbea8aa3de38e0266cf2b21ec29

SHA256
026b913bb01f8909be5a223c7667acfb561418d71c5b4662d3ce091321111f7b

SHA512
82c168b471eac219f39458a35076c0c2eea969078413d72a76b91378c9657522cb86968c69a1e0b87412fae47370b38c03dbc975afee28de3a63c792aa110327

Download Submit
C:\Users\Admin\AppData\Local\Temp\commonbase.dll.new

Filesize
1.1MB

MD5
a4ad11bf501c6a17d06affe24b9d9161

SHA1
f65f3d27be96b4bf504aac0ca3c9419f492faa58

SHA256
ade0c082aacd5a746bcee9d5c8c122b62a6d3e4a7bdbad820ad0990a7056f019

SHA512
fa5143aaf71d7499e7ad5f01aa4a9a908951b8a4e7f723926d57025d4734ba55dc4ca008fc46fd397a5b5172d4f23cf54567ce8c4873fa735df889343e69f849

Download Submit
C:\Users\Admin\AppData\Local\Temp\commonwnd.dll.new

Filesize
1.2MB

MD5
984e232137a25919c3b40ba76c4ea7e5

SHA1
0d4cdd49a586166fabba58fc26523654f65acd56

SHA256
b34812d24047e0ef3287a96b08f0896ac5b7018781e1975bd38ee8d1d72bedec

SHA512
c10d39aa569b1c063e1188625e8a98a8ba6d4f2118f8af416ef54e82ad0ed3cd3850ec8d2443ecdc918f00630e410def7d94cd3ab01d5166a937d26256aba865

Download Submit
C:\Users\Admin\AppData\Local\Temp\core.dll.new

Filesize
47KB

MD5
81cf0e2caec34b246a42f18d21a05387

SHA1
cac578efd6837c89ea24d3e8debe671f6d483bc4

SHA256
d980fcbd703bcee67786b0651c132eb9131364a73f26e70fa8e2b17b69e16b01

SHA512
1d12b408a3a18296d21225c94ba7487b53f8cc340dfe3c01d27cb5518f6bff0d982633ab14dbb8ec6715672d063d3097d7840ce8c445f806fa1d56908c028396

Download Submit
C:\Users\Admin\AppData\Local\Temp\corem.dll.new

Filesize
56KB

MD5
76a84320149eab54e24220b1ce880b70

SHA1
9c543288874dbc1f2c350182f563ba944dabe812

SHA256
64f840b16044dfe7ad9b449b4840fa07367e733c82a82f4a7aa8e444bbf02949

SHA512
a51b4012273711fcce6735b0bb2c6eb25a9c424bfde03f0d627126b6d55bede60c85ea56e0ac030360d7186daa36bf3199d9da9baa852bed400a6f1668466d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\corez.dll.new

Filesize
96KB

MD5
72bb7a70c6575a0c976dd7c0be6960e5

SHA1
cb503b76ab3caf9908d6cf372116a0cb5f5b7740

SHA256
573f0df8673fd2fee04f521fbdb070dfed9420dc1245182498edb91edbbad316

SHA512
3628ac835be4f2fea9ca56b123b78c44f172b7625328f756fb40fbfad0128309f8ed92a17087000c33ebdb56f932324974ce7d0c58eb8095fb2124e18c52ca82

Download Submit
C:\Users\Admin\AppData\Local\Temp\livereplace.exe.new

Filesize
104KB

MD5
2a4c2f027073c21fdbaf5d8295efd38e

SHA1
dac474e915bc4da74886f42f0e2dab078e865374

SHA256
9c3e4a6ad1a5602416d9d99f40ea6eff8f4c48e6682365b6791b961658fd3c3d

SHA512
5cc1b6314893f50ca0707f6febd71da025fea4f7cbd4c6c81f4a385025f74451d94ea1678523259daaa0208bfe7f8c15a8da7441f8be7147326908fe5202aa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\liveupdate.exe

Filesize
978KB

MD5
4d95db4eeb52e50655255d19965861de

SHA1
22751a06fbdaa3f84708ec4113b23cb5bf211081

SHA256
1340d73b35b1bd5193d9b3f37537fb051569e1294daf34b538bf3051ff709ba1

SHA512
b7e0b75b101d2a25516ef270d0cf1b49e009683b1b21520b33e598c49eaf5c712ffa18c811665c199f2810a9a2302a437bdebd1ea8a11783b6a70ff208daf638

Download Submit
C:\Users\Admin\AppData\Local\Temp\mload.dll.new

Filesize
79KB

MD5
1f54f48b3eab9afa87e5f6b2336b8081

SHA1
213569a960da7f4ef92fdc371522709299db4024

SHA256
8867d6ee67fe807ad19abc18ff43c3908b883c9d3356a97f6fa9680fd5476101

SHA512
5fab7254aa7a1a6a594485b1fb5701c455996c3df7731566da2d3400cc051c7f3c981c2a3324105a7c7139ce28a80fe65025331f2bbb24cc7f6f95316b8ff8d1

Download Submit
memory/1272-161-0x0000000000000000-mapping.dmp

Download
memory/2456-149-0x0000000000000000-mapping.dmp

Download
memory/2456-155-0x0000000000860000-0x0000000000999000-memory.dmp

Filesize
1.2MB

Download
memory/2560-159-0x0000000000000000-mapping.dmp

Download
memory/3648-136-0x0000000000000000-mapping.dmp

Download
memory/3792-134-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3792-132-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3792-157-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3792-133-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/3792-135-0x0000000000400000-0x0000000000A5E000-memory.dmp

Filesize
6.4MB

Download
memory/4396-160-0x0000000000000000-mapping.dmp

Download
memory/4776-162-0x0000000000000000-mapping.dmp

Download
memory/5068-158-0x0000000000000000-mapping.dmp

Download