ec22fe1001066151dcaba55d013dd5a69886ec09d947118a9682f4a673890512

Analysis

max time kernel
137s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stripped.exe
Size

239KB
MD5

4efaf3c856cbc3a0a9078e8105c4c2a1
SHA1

5258925002bbc57405578a59375dff67edfdfb6f
SHA256

ec22fe1001066151dcaba55d013dd5a69886ec09d947118a9682f4a673890512
SHA512

4949819f589a6042604879aae0424c9d172cf6e18b1e6ca01a53de6d136249a59fa3fe77e3cac56942499d7c319b7156b83db5c31711d36a58a219808e3a3f2f
SSDEEP

3072:HAcREh6pPlF7LCh8dM7QlBP5o3x8YcwIFU9OImpVYe3d3ROR:PKMpPlfy70zBYcwIe9DkL3pRO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3784	svcupdater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	stripped.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3356	schtasks.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3356	4892	stripped.exe	87
PID 4892 wrote to memory of 3356	4892	stripped.exe	87
PID 4892 wrote to memory of 3356	4892	stripped.exe	87

C:\Users\Admin\AppData\Local\Temp\stripped.exe
"C:\Users\Admin\AppData\Local\Temp\stripped.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:3356

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
PID:3784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
661.1MB

MD5
2399d7a9c7e8dae43abfe0c6f60f80a0

SHA1
7733f024f9032b2518fdf4f0f3ae6866bd0ace06

SHA256
e03c1cccb4ab19467a03a024a19ee3c58617a4e9d2c072341cd8949b85a2f9a1

SHA512
ceab6ea18ff76e2fa36fc8fa545b7850c75e8d8dc6c1ddd720ecc5209d258aee7ad1d481455a881e39d415bc1f3f7bd1e3cdf8b911a6476e9807aa9841763afd

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
660.7MB

MD5
bdff60def68c4b0e7bf0bceb6caa1bdd

SHA1
1ef257a3dd23d0412b8a8a6e917bc93e44eaf6d6

SHA256
a6e20a003b6a80e959993a77eec027ee1914f940d1997fc6c0fae2d2f6b668a4

SHA512
2cf7ec2dd6617ac507a2323d7155e97190b594bfb849746bf749f88c02d5e01369bdced05f6112861c924aa8143e2c7afa977c02700670ba9f90690613c74918

Download Submit
memory/3784-139-0x0000000000FF0000-0x0000000001009000-memory.dmp

Filesize
100KB

Download
memory/4892-132-0x0000000001230000-0x0000000001249000-memory.dmp

Filesize
100KB

Download
memory/4892-133-0x0000000001230000-0x0000000001249000-memory.dmp

Filesize
100KB

Download
memory/4892-135-0x0000000001230000-0x0000000001249000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads