Analysis
max time kernel: 151s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-11-2022 17:54
Behavioral task behavioral1
  Sample: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
  Resource: win7-20220812-en
Behavioral task behavioral2
  Sample: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
  Resource: win10v2004-20220901-en
General
Target: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
Size: 305KB
MD5: 1a1733bae2a5c22dc130d2f0f82302ef
SHA1: 5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
SHA256: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
SHA512: 0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30
SSDEEP: 6144:XNFawti8qjlBtYCcYWctAnvLxSRO3NO4n06qAOssKfpYT:doQiDpBuCcB9WO3U40hAOssMps
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 4 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | WindowsUpdatechecker.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | WindowsUpdatechecker.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | csrss.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdatechecker.exe" | csrss.exe
Executes dropped EXE 1 IoCs
Processes (pid | process):
- 2300 | csrss.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | WindowsUpdatechecker.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Roaming\csrss.exe | agile_net
- C:\Users\Admin\AppData\Roaming\csrss.exe | agile_net
Checks for any installed AV software in registry 1 TTPs 2 IoCs
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avira | svchost.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus | svchost.exe
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
- PID 4712 set thread context of 452 | 4712 | WindowsUpdatechecker.exe | svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 1 IoCs
Processes (pid | pid_target | process | target process):
- 4888 | 2620 | WerFault.exe | svchost.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | svchost.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Suspicious behavior: MapViewOfSection 2 IoCs
Processes (pid | process):
- 452 | svchost.exe
- 452 | svchost.exe
Suspicious behavior: RenamesItself 1 IoCs
Processes (pid | process):
- 1368 | 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description | pid | process):
- Token: SeRestorePrivilege | 452 | svchost.exe
- Token: SeBackupPrivilege | 452 | svchost.exe
- Token: SeDebugPrivilege | 2300 | csrss.exe
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description | pid | process | target process; identical rows collapsed with a repeat count):
- PID 1368 wrote to memory of 4712 | 1368 | 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe | WindowsUpdatechecker.exe (x3)
- PID 4712 wrote to memory of 452 | 4712 | WindowsUpdatechecker.exe | svchost.exe (x9)
- PID 4712 wrote to memory of 2300 | 4712 | WindowsUpdatechecker.exe | csrss.exe (x3)
- PID 452 wrote to memory of 2620 | 452 | svchost.exe | svchost.exe (x3)
Processes (indented by parent/child depth)

C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987.exe"
  - Checks computer location settings
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Windows\System32\svchost.exe"
      - Checks for any installed AV software in registry
      - Checks processor information in registry
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe
        Command line: -k NetworkService
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 88
          - Program crash
    C:\Users\Admin\AppData\Roaming\csrss.exe
      Command line: "C:\Users\Admin\AppData\Roaming\csrss.exe" -reg "explorer.exe, C:\Users\Admin\AppData\Roaming\WindowsUpdatechecker.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2620 -ip 2620
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\csrss.exe
  Filesize: 305KB
  MD5: 1a1733bae2a5c22dc130d2f0f82302ef
  SHA1: 5334d5f2c4d14c214ce4e86fe3f5098b7f38d008
  SHA256: 43957594ef8ae331dad685cf5fdfdb1fcdfe4b040ddf776cd2bf53ce8df11987
  SHA512: 0b9b54cc679e2c89cb296e598695df66367281793899002751ca40e56c12cdced91f10d031e8051bb70f91b4449a65d1dfd21b7884e1cfb57e1fe31092eb2e30