Analysis
- max time kernel: 207s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 18:19
Behavioral task: behavioral1
- Sample: 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
- Resource: win10v2004-20220812-en
General
- Target: 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
- Size: 325KB
- MD5: 8bbb3b4c01554e0ff1a618554c067dc3
- SHA1: 294d26f917ed996c1f8aae3a57f723666cc49843
- SHA256: 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b
- SHA512: 5454ae34b4bd6dfbe896a91a7d41197dcad048ed4b2aa8286dad5f2ed70fd41e5799815175aba059c4ca96997dd0e11ed30a48adb0f0486d7e656a560dab428c
- SSDEEP: 6144:XuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLcnSR51yB3l1G:e6Wq4aaE6KwyF5L0Y2D1PqLt5sBvG
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  3196  WinUpdat.exe
  2136  svchost.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)

  resource                                                                        yara_rule
  behavioral2/memory/2608-132-0x0000000000400000-0x00000000004BA000-memory.dmp    upx
  behavioral2/memory/2608-138-0x0000000000400000-0x00000000004BA000-memory.dmp    upx
  behavioral2/memory/2608-141-0x0000000000400000-0x00000000004BA000-memory.dmp    upx
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        | ioc                                                                                                   | process
  Key value queried  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  | WinUpdat.exe
Drops startup file (4 IoCs)
Processes:
  description                   | ioc                                                                                                                  | process
  File created                  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs                            | WScript.exe
  File opened for modification  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs                            | WScript.exe
  File created                  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe    | svchost.exe
  File opened for modification  | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe    | svchost.exe
Adds Run key to start application (2 TTPs, 8 IoCs)
Processes:
  description      | ioc | process
  Set value (str)  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Local\\10.exe" | svchost.exe
  Key created      | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\software\microsoft\windows\currentversion\run | WScript.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdat = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdat.vbs\"" | WScript.exe
  Key created      | \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\run | WScript.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinUpdat = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinUpdat.vbs\"" | WScript.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
  Set value (str)  | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .." | svchost.exe
  Set value (str)  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Users\\Admin\\AppData\\Local\\10.exe" | WinUpdat.exe
AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                        yara_rule
  behavioral2/memory/2608-138-0x0000000000400000-0x00000000004BA000-memory.dmp    autoit_exe
  behavioral2/memory/2608-141-0x0000000000400000-0x00000000004BA000-memory.dmp    autoit_exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (1 IoCs)
Processes:
  description  | ioc                                                                                 | process
  Key created  | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
Suspicious use of AdjustPrivilegeToken (31 IoCs)
Processes:
  description                        | pid   | process
  Token: SeDebugPrivilege            | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
  Token: 33                          | 2136  | svchost.exe
  Token: SeIncBasePriorityPrivilege  | 2136  | svchost.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                      | pid   | process                                                               | target process
  PID 2608 wrote to memory of 3196 | 2608  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe  | WinUpdat.exe
  PID 2608 wrote to memory of 3196 | 2608  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe  | WinUpdat.exe
  PID 2608 wrote to memory of 3812 | 2608  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe  | WScript.exe
  PID 2608 wrote to memory of 3812 | 2608  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe  | WScript.exe
  PID 2608 wrote to memory of 3812 | 2608  | 4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe  | WScript.exe
  PID 3196 wrote to memory of 2136 | 3196  | WinUpdat.exe                                                          | svchost.exe
  PID 3196 wrote to memory of 2136 | 3196  | WinUpdat.exe                                                          | svchost.exe
  PID 2136 wrote to memory of 332  | 2136  | svchost.exe                                                           | netsh.exe
  PID 2136 wrote to memory of 332  | 2136  | svchost.exe                                                           | netsh.exe
Processes (process tree; the number is the depth of the process in the tree)

1. C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe"
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      - Executes dropped EXE
      - Checks computer location settings
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\svchost.exe
         Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
         - Executes dropped EXE
         - Drops startup file
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SYSTEM32\netsh.exe
            Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
            - Modifies Windows Firewall

   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
      - Drops startup file
      - Adds Run key to start application
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
  Filesize: 34KB
  MD5: 1a6459624ba5b71bcf976bf8373c21ea
  SHA1: fdc3cfdefae69381f9593bbe0a80f06081ee8562
  SHA256: 65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da
  SHA512: b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda
- C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs
  Filesize: 41KB
  MD5: 42d2072ef26e5e85b3eefd7913797d17
  SHA1: 3d9440e20655e9afb8bcbce247f239f52f615392
  SHA256: f7b68b8fa35ee0b28b40f2a207a276a3d0e7307e9ac74109fc7979585f3e33ca
  SHA512: 73e2c5715c7106f298bfd6d4fb875c04a5d97e92c765daaa5cbf61a15a447496c4b6e1113e0860a4b07fea1cc687f9e55c698990d23bf4ace2814e96a6328210
- C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 34KB
  MD5: 1a6459624ba5b71bcf976bf8373c21ea
  SHA1: fdc3cfdefae69381f9593bbe0a80f06081ee8562
  SHA256: 65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da
  SHA512: b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda
- memory/332-148-0x0000000000000000-mapping.dmp
- memory/2136-149-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp (Filesize: 10.8MB)
- memory/2136-147-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp (Filesize: 10.8MB)
- memory/2136-143-0x0000000000000000-mapping.dmp
- memory/2608-132-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/2608-138-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/2608-141-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize: 744KB)
- memory/3196-136-0x0000000000F90000-0x0000000000F9E000-memory.dmp (Filesize: 56KB)
- memory/3196-146-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp (Filesize: 10.8MB)
- memory/3196-139-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp (Filesize: 10.8MB)
- memory/3196-137-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp (Filesize: 10.8MB)
- memory/3196-133-0x0000000000000000-mapping.dmp
- memory/3812-140-0x0000000000000000-mapping.dmp