a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26

General

Target

a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe
Size

6.0MB
MD5

a08c752bce88a8fb3a3ca811f8033d9e
SHA1

e77828b97a614ad91af1dec5bd07aac3cc0a4f4a
SHA256

a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26
SHA512

07240b51b1a0812b7429ba0a9a9140a178396717aa087b230afa4c9cba054d7982c7ac12ec710d38af539d8f5ee8ddf9bfedb2d4ca85bd7b6323b2d4856d0edf
SSDEEP

98304:acp+CgTmGHqC3v/fq6Q3vxTSsTyVlP4AvZ8X16DhKWAZvhUdmWLOPvKlu0CbxaN+:X+JT8G/y6QMsTyVlPGMDhGUd7aylu0CP

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2276	MicrosoftNetUpdate.exe
4236	MicrosoftNetUpdate.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e38-133.dat	upx
behavioral2/files/0x0007000000022e38-134.dat	upx
behavioral2/memory/2276-135-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx
behavioral2/memory/2276-136-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx
behavioral2/files/0x0007000000022e38-139.dat	upx
behavioral2/memory/2276-142-0x0000000000400000-0x0000000000F0C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 4236	2276	MicrosoftNetUpdate.exe	83

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	MicrosoftNetUpdate.exe
4236	MicrosoftNetUpdate.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4236	MicrosoftNetUpdate.exe
4236	MicrosoftNetUpdate.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2276	4172	a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe	80
PID 4172 wrote to memory of 2276	4172	a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe	80
PID 4172 wrote to memory of 2276	4172	a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe	80
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83
PID 2276 wrote to memory of 4236	2276	MicrosoftNetUpdate.exe	83

C:\Users\Admin\AppData\Local\Temp\a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe
"C:\Users\Admin\AppData\Local\Temp\a61f5dce76befc938a45abcdc7ae50445eaad4d0a1a93e12b22da7530d831f26.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MicrosoftNetUpdate.exe

Filesize
4.3MB

MD5
f3ca4a31ddc6c7dbe64d9d185afff578

SHA1
4acbae5dd99db1b0c5ea1c063d6f361fb8ed8f81

SHA256
6b8df22ceee49baff3b30f68d493d545fa9ed825181c7a2c73992a987595429e

SHA512
4cdfd2e780b0acb94ed1eb5e9286b8d16745122d8a957bb4e12bf6b5daa44c1d982d5233f60894c2c3862f3b2888fb3556937c38a381b990cbba9c523376e2dc

Download Submit
memory/2276-135-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download
memory/2276-136-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download
memory/2276-142-0x0000000000400000-0x0000000000F0C000-memory.dmp

Filesize
11.0MB

Download
memory/4236-138-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/4236-140-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/4236-141-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/4236-143-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/4236-144-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download
memory/4236-145-0x0000000000400000-0x0000000000A03000-memory.dmp

Filesize
6.0MB

Download

Analysis

Sharing