a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 04:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe
Size

3.5MB
MD5

55f0d3df522944e35ac1226f39429a55
SHA1

8b6c8f80b0bffab29a0c6f0ebca29982fec2f1b7
SHA256

a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c
SHA512

ac93404723cf19c8232886debeed9cb087ada64dadfa8f494a8607f85c1381b466cbb53ba074d68d6a65e70da085bfe79ae7d10e486ebf2585eee68c873e73a7
SSDEEP

49152:Z5vleLEv0Lnt2OD9NHBu0KgoqAcpxWN5xHawdRqpJTK5Aj3We/ZSMTwwTFs:ZEo0rwOBUgoJcmNWwdRqXB3P/8fwTK

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
676	Super_Updater.exe
736	Super_Updater.tmp
5012	SUTray.exe
4896	SuperUpdater.exe
2016	SUStartScan.exe
488	SuperUpdater.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SUStartScan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	SuperUpdater.exe

Loads dropped DLL 2 IoCs

pid	Process
4896	SuperUpdater.exe
488	SuperUpdater.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Super Updater\unins000.dat	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\SUTray.exe	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-3C2VH.tmp	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\7z.dll	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\unins000.dat	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-OKUQO.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-RMKKF.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-EHLF0.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\unins000.msg	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\SuperUpdater.chm	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\SupUpdHelper.dll	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\SUStartScan.exe	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-TJKTL.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-IJ3FA.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-0BBEM.tmp	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\sqlite3.dll	Super_Updater.tmp
File opened for modification	C:\Program Files (x86)\Super Updater\SuperUpdater.exe	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-G5JVO.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-7L31K.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-ANC9I.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-2T7O9.tmp	Super_Updater.tmp
File created	C:\Program Files (x86)\Super Updater\is-S0DRL.tmp	Super_Updater.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3256	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SuperUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SuperUpdater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SuperUpdater.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
736	Super_Updater.tmp
736	Super_Updater.tmp
4896	SuperUpdater.exe
4896	SuperUpdater.exe
488	SuperUpdater.exe
488	SuperUpdater.exe
5012	SUTray.exe
5012	SUTray.exe
5012	SUTray.exe
5012	SUTray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	SuperUpdater.exe
Token: SeIncreaseQuotaPrivilege	4896	SuperUpdater.exe
Token: SeImpersonatePrivilege	4896	SuperUpdater.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
736	Super_Updater.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	SuperUpdater.exe
488	SuperUpdater.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 676	1048	a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe	81
PID 1048 wrote to memory of 676	1048	a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe	81
PID 1048 wrote to memory of 676	1048	a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe	81
PID 676 wrote to memory of 736	676	Super_Updater.exe	82
PID 676 wrote to memory of 736	676	Super_Updater.exe	82
PID 676 wrote to memory of 736	676	Super_Updater.exe	82
PID 736 wrote to memory of 5012	736	Super_Updater.tmp	84
PID 736 wrote to memory of 5012	736	Super_Updater.tmp	84
PID 736 wrote to memory of 5012	736	Super_Updater.tmp	84
PID 736 wrote to memory of 4896	736	Super_Updater.tmp	85
PID 736 wrote to memory of 4896	736	Super_Updater.tmp	85
PID 736 wrote to memory of 4896	736	Super_Updater.tmp	85
PID 736 wrote to memory of 2016	736	Super_Updater.tmp	86
PID 736 wrote to memory of 2016	736	Super_Updater.tmp	86
PID 736 wrote to memory of 2016	736	Super_Updater.tmp	86
PID 2016 wrote to memory of 488	2016	SUStartScan.exe	88
PID 2016 wrote to memory of 488	2016	SUStartScan.exe	88
PID 2016 wrote to memory of 488	2016	SUStartScan.exe	88
PID 488 wrote to memory of 3256	488	SuperUpdater.exe	89
PID 488 wrote to memory of 3256	488	SuperUpdater.exe	89
PID 488 wrote to memory of 3256	488	SuperUpdater.exe	89

C:\Users\Admin\AppData\Local\Temp\a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe
"C:\Users\Admin\AppData\Local\Temp\a109132c0b88c58a79fc6fcf05ec7351cea81dcd4aeae58d44d361ecada56c3c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\Super_Updater.exe
  /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:676
- - C:\Users\Admin\AppData\Local\Temp\is-6VH6L.tmp\Super_Updater.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-6VH6L.tmp\Super_Updater.tmp" /SL5="$A0046,2930093,491520,C:\Users\Admin\AppData\Local\Temp\Super_Updater.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Program Files (x86)\Super Updater\SUTray.exe
      "C:\Program Files (x86)\Super Updater\SUTray.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:5012
  - - C:\Program Files (x86)\Super Updater\SuperUpdater.exe
      "C:\Program Files (x86)\Super Updater\SuperUpdater.exe" /INSTALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4896
  - - C:\Program Files (x86)\Super Updater\SUStartScan.exe
      "C:\Program Files (x86)\Super Updater\SUStartScan.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Program Files (x86)\Super Updater\SuperUpdater.exe
        
        "C:\Program Files (x86)\Super Updater\SuperUpdater.exe" /START
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:488
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Super Updater Schedule" /TR "\"C:\Program Files (x86)\Super Updater\SUTray.exe\"" /SC ONLOGON /RL HIGHEST /F
        6⤵
        Creates scheduled task(s)
        
        PID:3256

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Super Updater\English.ini

Filesize
12KB

MD5
6b6c850523932d108113d6937d034159

SHA1
d575609103a02d3f5a4a15da1f6acda2e5b115b0

SHA256
88bc0c7ebe7ec1de4ce4bcbf7810d8c0f45e1185e792b4ea8865c0968e8bf653

SHA512
c4539658108fe14ae21a4c3c345f363bd18bfbde3b4443cb8c4df7f7a745e1512b20975cd57114e3904e0e8b1ed61c04112b01e832a3c365b402853c5577ca4c

Download Submit
C:\Program Files (x86)\Super Updater\SUStartScan.exe

Filesize
934KB

MD5
48922bd2da507e99dcbe54ac2870c3ee

SHA1
c5007e3c8d1d8ff27dd32c9c24611a0ef935711f

SHA256
ef9419ef231538e55a8dc1ed96c83638e3e70f14a96eac94228da3a8589fccd2

SHA512
7905e5e8db841d38df6e440a2ddc3518d4421f49f9a87084e4f337d7401d715a5b406ae1eea57c82d54997ce0dd06710622d01f1ce2c60849bb5a27eb7826386

Download Submit
C:\Program Files (x86)\Super Updater\SUStartScan.exe

Filesize
934KB

MD5
48922bd2da507e99dcbe54ac2870c3ee

SHA1
c5007e3c8d1d8ff27dd32c9c24611a0ef935711f

SHA256
ef9419ef231538e55a8dc1ed96c83638e3e70f14a96eac94228da3a8589fccd2

SHA512
7905e5e8db841d38df6e440a2ddc3518d4421f49f9a87084e4f337d7401d715a5b406ae1eea57c82d54997ce0dd06710622d01f1ce2c60849bb5a27eb7826386

Download Submit
C:\Program Files (x86)\Super Updater\SUTray.exe

Filesize
926KB

MD5
a82fed4858c32b82e2fd1f3e592dac5e

SHA1
f3d8ba2805b20777405df53bae008bfaabb93cbd

SHA256
e2b95ae6fd38af02d28025271e2307331e15f54e6d46c3871233b5a2f4db390d

SHA512
f2748de86a73608a158cfb771c1e7d79d107aa5b3445b92aff601c0dd3735c0123ac297cb327d904f3bee8170589abc74dda39545ca47e2431963f221465e564

Download Submit
C:\Program Files (x86)\Super Updater\SUTray.exe

Filesize
926KB

MD5
a82fed4858c32b82e2fd1f3e592dac5e

SHA1
f3d8ba2805b20777405df53bae008bfaabb93cbd

SHA256
e2b95ae6fd38af02d28025271e2307331e15f54e6d46c3871233b5a2f4db390d

SHA512
f2748de86a73608a158cfb771c1e7d79d107aa5b3445b92aff601c0dd3735c0123ac297cb327d904f3bee8170589abc74dda39545ca47e2431963f221465e564

Download Submit
C:\Program Files (x86)\Super Updater\SuperUpdater.exe

Filesize
3.5MB

MD5
5748528b3d50f53bc691e4098d65f34f

SHA1
3e04e93ed72cd553095e1b6699cbf99f690c0928

SHA256
ff40d3c4a3f8e0fba82fda32fd52499c7973156f1f53a4431cae73205dd7d40f

SHA512
c5870828e390a38b2524643cf80f9e7d2b5f44d75139d42e7e05d620326f58c79e9b59f3c3663ab962f3bf9b0f86d19c74ac1b17acecf4473fda27f8b9f65028

Download Submit
C:\Program Files (x86)\Super Updater\SuperUpdater.exe

Filesize
3.5MB

MD5
5748528b3d50f53bc691e4098d65f34f

SHA1
3e04e93ed72cd553095e1b6699cbf99f690c0928

SHA256
ff40d3c4a3f8e0fba82fda32fd52499c7973156f1f53a4431cae73205dd7d40f

SHA512
c5870828e390a38b2524643cf80f9e7d2b5f44d75139d42e7e05d620326f58c79e9b59f3c3663ab962f3bf9b0f86d19c74ac1b17acecf4473fda27f8b9f65028

Download Submit
C:\Program Files (x86)\Super Updater\SuperUpdater.exe

Filesize
3.5MB

MD5
5748528b3d50f53bc691e4098d65f34f

SHA1
3e04e93ed72cd553095e1b6699cbf99f690c0928

SHA256
ff40d3c4a3f8e0fba82fda32fd52499c7973156f1f53a4431cae73205dd7d40f

SHA512
c5870828e390a38b2524643cf80f9e7d2b5f44d75139d42e7e05d620326f58c79e9b59f3c3663ab962f3bf9b0f86d19c74ac1b17acecf4473fda27f8b9f65028

Download Submit
C:\Program Files (x86)\Super Updater\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Program Files (x86)\Super Updater\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Program Files (x86)\Super Updater\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Super_Updater.exe

Filesize
3.3MB

MD5
2c2d442431a1b685b5fe5ae11d1a3cdc

SHA1
70e59130e3229e397e13fe408fb3c7a5fd520001

SHA256
20abc30501c749cc4541ed3104cd26a825a4f6e8d8a5381938caef2b0ea49b6e

SHA512
082925808f6fbeae3074f8108041c6580c2d3b1968f096f9fdcb0c2d2ca4a05802870f43b7d46f8b389cdbc05d34f89822fa985b1759aad7f71a99119f6a61e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Super_Updater.exe

Filesize
3.3MB

MD5
2c2d442431a1b685b5fe5ae11d1a3cdc

SHA1
70e59130e3229e397e13fe408fb3c7a5fd520001

SHA256
20abc30501c749cc4541ed3104cd26a825a4f6e8d8a5381938caef2b0ea49b6e

SHA512
082925808f6fbeae3074f8108041c6580c2d3b1968f096f9fdcb0c2d2ca4a05802870f43b7d46f8b389cdbc05d34f89822fa985b1759aad7f71a99119f6a61e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6VH6L.tmp\Super_Updater.tmp

Filesize
1.5MB

MD5
be27fdbe242476544b45aed4518c4a4a

SHA1
d7215e1307c2d16c2352ceab9286a23b522d5132

SHA256
366d21286f2e8f80626d5e59c5137db4ddbb880b964ddb1ddba8952a21720cb7

SHA512
6594ab889d32ecc86d8fb19e0bb07a13277b44a944080ea16b0e0f07577261a1da2cb7397c84fef2880c59abaa61f810b248aab779861f45271449b83aa52b14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6VH6L.tmp\Super_Updater.tmp

Filesize
1.5MB

MD5
be27fdbe242476544b45aed4518c4a4a

SHA1
d7215e1307c2d16c2352ceab9286a23b522d5132

SHA256
366d21286f2e8f80626d5e59c5137db4ddbb880b964ddb1ddba8952a21720cb7

SHA512
6594ab889d32ecc86d8fb19e0bb07a13277b44a944080ea16b0e0f07577261a1da2cb7397c84fef2880c59abaa61f810b248aab779861f45271449b83aa52b14

Download Submit
C:\Users\Admin\AppData\Roaming\Super Updater\program.log

Filesize
290B

MD5
2b46cee363bb570e6ffd21d5fd9fbf96

SHA1
62d75bfe85a9286f7b1543d1d66723e6d2cccaf4

SHA256
2c1afae391d1f5764f35388382176a3dfe08f17c43fa34a670e6b6998f789e73

SHA512
00a6b5316464dad809931baa1975ae7d9e545802d7e31bfd0a4b6c50f61bacf499185bb1655460d6a947ca785b6a0f964a17f0f553ce04035b25b9a4c4d0d443

Download Submit
memory/676-135-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/676-153-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/676-137-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download