8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

Analysis

max time kernel
189s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 05:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
Size

356KB
MD5

4858fb78c4c4129c8f90d5db7d212ae4
SHA1

682d27589ebadc5cea5bb9a5a22b9bc70323fca7
SHA256

8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0
SHA512

130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4
SSDEEP

3072:GUANCc//////YXTJNDNV3AqS3rm+D7KNB34y2ppFjFS3:zc//////yTJnV3ABr376j2ppFRY

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4916	wuauclt.exe
552	wuauclt.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	wuauclt.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\wuauclt.exe"	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\wuauclt.exe"	wuauclt.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 4916 set thread context of 552	4916	wuauclt.exe	85

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\noruns.reg	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
File opened for modification	C:\Windows\noruns.reg	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
File opened for modification	C:\Windows\wuauclt.exe	wuauclt.exe
File created	C:\Windows\wuauclt.exe	wuauclt.exe
File opened for modification	C:\Windows\noruns.reg	wuauclt.exe
File opened for modification	C:\Windows\wuauclt.exe	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
File created	C:\Windows\wuauclt.exe	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3244	sc.exe
5084	sc.exe
864	sc.exe
2304	sc.exe
1868	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
4468	regedit.exe
216	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe
552	wuauclt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 3488 wrote to memory of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 3488 wrote to memory of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 3488 wrote to memory of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 3488 wrote to memory of 1672	3488	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	82
PID 1672 wrote to memory of 4468	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	84
PID 1672 wrote to memory of 4468	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	84
PID 1672 wrote to memory of 4468	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	84
PID 1672 wrote to memory of 4916	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	83
PID 1672 wrote to memory of 4916	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	83
PID 1672 wrote to memory of 4916	1672	8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe	83
PID 4916 wrote to memory of 552	4916	wuauclt.exe	85
PID 4916 wrote to memory of 552	4916	wuauclt.exe	85
PID 4916 wrote to memory of 552	4916	wuauclt.exe	85
PID 4916 wrote to memory of 552	4916	wuauclt.exe	85
PID 4916 wrote to memory of 552	4916	wuauclt.exe	85
PID 552 wrote to memory of 216	552	wuauclt.exe	86
PID 552 wrote to memory of 216	552	wuauclt.exe	86
PID 552 wrote to memory of 216	552	wuauclt.exe	86
PID 552 wrote to memory of 2992	552	wuauclt.exe	87
PID 552 wrote to memory of 2992	552	wuauclt.exe	87
PID 552 wrote to memory of 2992	552	wuauclt.exe	87
PID 552 wrote to memory of 2736	552	wuauclt.exe	89
PID 552 wrote to memory of 2736	552	wuauclt.exe	89
PID 552 wrote to memory of 2736	552	wuauclt.exe	89
PID 552 wrote to memory of 5084	552	wuauclt.exe	91
PID 552 wrote to memory of 5084	552	wuauclt.exe	91
PID 552 wrote to memory of 5084	552	wuauclt.exe	91
PID 2992 wrote to memory of 2516	2992	net.exe	92
PID 2992 wrote to memory of 2516	2992	net.exe	92
PID 2992 wrote to memory of 2516	2992	net.exe	92
PID 552 wrote to memory of 2816	552	wuauclt.exe	94
PID 552 wrote to memory of 2816	552	wuauclt.exe	94
PID 552 wrote to memory of 2816	552	wuauclt.exe	94
PID 552 wrote to memory of 864	552	wuauclt.exe	95
PID 552 wrote to memory of 864	552	wuauclt.exe	95
PID 552 wrote to memory of 864	552	wuauclt.exe	95
PID 2736 wrote to memory of 772	2736	net.exe	98
PID 2736 wrote to memory of 772	2736	net.exe	98
PID 2736 wrote to memory of 772	2736	net.exe	98
PID 552 wrote to memory of 3092	552	wuauclt.exe	99
PID 552 wrote to memory of 3092	552	wuauclt.exe	99
PID 552 wrote to memory of 3092	552	wuauclt.exe	99
PID 552 wrote to memory of 2304	552	wuauclt.exe	101
PID 552 wrote to memory of 2304	552	wuauclt.exe	101
PID 552 wrote to memory of 2304	552	wuauclt.exe	101
PID 552 wrote to memory of 1868	552	wuauclt.exe	102
PID 552 wrote to memory of 1868	552	wuauclt.exe	102
PID 552 wrote to memory of 1868	552	wuauclt.exe	102
PID 2816 wrote to memory of 424	2816	net.exe	103
PID 2816 wrote to memory of 424	2816	net.exe	103
PID 2816 wrote to memory of 424	2816	net.exe	103
PID 552 wrote to memory of 2164	552	wuauclt.exe	104
PID 552 wrote to memory of 2164	552	wuauclt.exe	104
PID 552 wrote to memory of 2164	552	wuauclt.exe	104
PID 552 wrote to memory of 3244	552	wuauclt.exe	106
PID 552 wrote to memory of 3244	552	wuauclt.exe	106
PID 552 wrote to memory of 3244	552	wuauclt.exe	106
PID 552 wrote to memory of 1688	552	wuauclt.exe	110
PID 552 wrote to memory of 1688	552	wuauclt.exe	110
PID 552 wrote to memory of 1688	552	wuauclt.exe	110
PID 3092 wrote to memory of 4120	3092	net.exe	108
PID 3092 wrote to memory of 4120	3092	net.exe	108
PID 3092 wrote to memory of 4120	3092	net.exe	108

C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
"C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
  C:\Users\Admin\AppData\Local\Temp\8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\wuauclt.exe
    "C:\Windows\wuauclt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\wuauclt.exe
      C:\Windows\wuauclt.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:552
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
        5⤵
        Runs .reg file with regedit
        
        PID:216
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVWSC
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVWSC
        6⤵
        
        PID:772
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVWSC start= disabled
        5⤵
        Launches sc.exe
        
        PID:5084
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVSrvXP
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVSrvXP
        6⤵
        
        PID:424
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
        5⤵
        Launches sc.exe
        
        PID:864
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop kavsvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3092
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavsvc
        6⤵
        
        PID:4120
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config kavsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:2304
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
        5⤵
        Launches sc.exe
        
        PID:1868
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsCCenter
        5⤵
        
        PID:2164
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsCCenter
        6⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
        5⤵
        Launches sc.exe
        
        PID:3244
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsRavMon
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsRavMon
        6⤵
        
        PID:1628
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
    3⤵
    - Runs .reg file with regedit
    PID:4468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\noruns.reg

Filesize
122B

MD5
704f9f14e6c5b902de15f37bbb234bbc

SHA1
4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

SHA256
69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

SHA512
02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

Download Submit
C:\Windows\noruns.reg

Filesize
122B

MD5
704f9f14e6c5b902de15f37bbb234bbc

SHA1
4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

SHA256
69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

SHA512
02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

Download Submit
C:\Windows\wuauclt.exe

Filesize
356KB

MD5
4858fb78c4c4129c8f90d5db7d212ae4

SHA1
682d27589ebadc5cea5bb9a5a22b9bc70323fca7

SHA256
8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

SHA512
130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

Download Submit
C:\Windows\wuauclt.exe

Filesize
356KB

MD5
4858fb78c4c4129c8f90d5db7d212ae4

SHA1
682d27589ebadc5cea5bb9a5a22b9bc70323fca7

SHA256
8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

SHA512
130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

Download Submit
C:\Windows\wuauclt.exe

Filesize
356KB

MD5
4858fb78c4c4129c8f90d5db7d212ae4

SHA1
682d27589ebadc5cea5bb9a5a22b9bc70323fca7

SHA256
8ac61b93f7e385b42311b0fab71e21c88451defab6a9035dc3ae587e34ec7dc0

SHA512
130d5287ed44df8a1f6aac80c3eb4a905a55c55a3c63f547ac4f5810955824f0f8f2b3ef0ae1ca3bdc876c9064843281f688db3ad3b0853b899b0b84cbef63f4

Download Submit
memory/552-154-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/552-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-134-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-137-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1672-139-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/1672-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-132-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/3488-136-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download
memory/4916-150-0x0000000010000000-0x0000000010059000-memory.dmp

Filesize
356KB

Download