fa7edd0d0c5a367b18e127813ddcb0b73848408613b672117962f75e99fc2842

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Ftp Update.exe
Size

26KB
MD5

c73c55d7295479819ed072a0ad44e450
SHA1

c0657f9ee90c57416a1ef44d9d55e80bc961d3ed
SHA256

fa7edd0d0c5a367b18e127813ddcb0b73848408613b672117962f75e99fc2842
SHA512

1bc51989f1eedaf4bd6341f39302d99c6bfad8ea86069dba46704254a1ffdd8e7b065345a76ce500f0a496e0b8adb1cdca8e5f45ead697d816cf0106e5f48ea8
SSDEEP

768:llhJRlhe5+P4SkYybFOnN0Xu5otYcF6/Vc6K:ldhe4zkJbFONpE2Vcl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Windows Ftp Update.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat	Windows Ftp Update.exe
File created	C:\Windows\system32\Windows Host Service\Windows Host Serviceinstall.bat	Windows Ftp Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 10 IoCs

evasion

pid	Process
3900	taskkill.exe
2268	taskkill.exe
1568	taskkill.exe
2200	taskkill.exe
1828	taskkill.exe
2000	taskkill.exe
212	taskkill.exe
1280	taskkill.exe
1516	taskkill.exe
4152	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	Windows Ftp Update.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4220	Windows Ftp Update.exe
4220	Windows Ftp Update.exe
4220	Windows Ftp Update.exe
4220	Windows Ftp Update.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4220	Windows Ftp Update.exe
Token: SeDebugPrivilege	1280	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	2000	taskkill.exe
Token: SeDebugPrivilege	212	taskkill.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 1280	4220	Windows Ftp Update.exe	84
PID 4220 wrote to memory of 1280	4220	Windows Ftp Update.exe	84
PID 4220 wrote to memory of 2268	4220	Windows Ftp Update.exe	85
PID 4220 wrote to memory of 2268	4220	Windows Ftp Update.exe	85
PID 4220 wrote to memory of 1568	4220	Windows Ftp Update.exe	86
PID 4220 wrote to memory of 1568	4220	Windows Ftp Update.exe	86
PID 4220 wrote to memory of 1516	4220	Windows Ftp Update.exe	87
PID 4220 wrote to memory of 1516	4220	Windows Ftp Update.exe	87
PID 4220 wrote to memory of 2200	4220	Windows Ftp Update.exe	88
PID 4220 wrote to memory of 2200	4220	Windows Ftp Update.exe	88
PID 4220 wrote to memory of 4152	4220	Windows Ftp Update.exe	89
PID 4220 wrote to memory of 4152	4220	Windows Ftp Update.exe	89
PID 4220 wrote to memory of 3900	4220	Windows Ftp Update.exe	90
PID 4220 wrote to memory of 3900	4220	Windows Ftp Update.exe	90
PID 4220 wrote to memory of 1828	4220	Windows Ftp Update.exe	91
PID 4220 wrote to memory of 1828	4220	Windows Ftp Update.exe	91
PID 4220 wrote to memory of 2000	4220	Windows Ftp Update.exe	92
PID 4220 wrote to memory of 2000	4220	Windows Ftp Update.exe	92
PID 4220 wrote to memory of 212	4220	Windows Ftp Update.exe	93
PID 4220 wrote to memory of 212	4220	Windows Ftp Update.exe	93
PID 4220 wrote to memory of 1732	4220	Windows Ftp Update.exe	94
PID 4220 wrote to memory of 3152	4220	Windows Ftp Update.exe	95
PID 4220 wrote to memory of 3152	4220	Windows Ftp Update.exe	95
PID 4220 wrote to memory of 1732	4220	Windows Ftp Update.exe	94
PID 3152 wrote to memory of 2764	3152	cmd.exe	98
PID 3152 wrote to memory of 2764	3152	cmd.exe	98
PID 1732 wrote to memory of 2972	1732	cmd.exe	99
PID 1732 wrote to memory of 2972	1732	cmd.exe	99
PID 4220 wrote to memory of 5036	4220	Windows Ftp Update.exe	101
PID 4220 wrote to memory of 5036	4220	Windows Ftp Update.exe	101
PID 4220 wrote to memory of 3348	4220	Windows Ftp Update.exe	100
PID 4220 wrote to memory of 3348	4220	Windows Ftp Update.exe	100
PID 5036 wrote to memory of 2148	5036	cmd.exe	105
PID 5036 wrote to memory of 2148	5036	cmd.exe	105
PID 3348 wrote to memory of 1048	3348	cmd.exe	104
PID 3348 wrote to memory of 1048	3348	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\Windows Ftp Update.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Ftp Update.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1280
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2268
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Windows Host Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /im "Microsoft Agent Service.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Microsoft Agent Serviceuninstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /u "C:\Windows\system32\Microsoft Agent Service\MicrosoftAgentService.exe"
    3⤵
    PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Windows Host Serviceuninstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /u "C:\Windows\system32\Windows Host Service\WindowsHostService.exe"
    3⤵
    PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3348
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /i "C:\Windows\system32\Microsoft Agent Service\MicrosoftAgentService.exe"
    3⤵
    PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Windows\system32\Windows Host Service\Windows Host Serviceinstall.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    installutil.exe /i "C:\Windows\system32\Windows Host Service\WindowsHostService.exe"
    3⤵
    PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\InstallUtil.exe.log

Filesize
468B

MD5
97af1bbb1ddc9d3aa9757362b485dd9e

SHA1
baeeee0b8b3cd9b570ff56737a290d323190f160

SHA256
912bff844acecaa1ba949ffb9c4e9e591f83c51cc57dbe1f45d50377058f5903

SHA512
c5955d64062e0c485ee4cabdcae2299625e9afb4fa1be1f3ae13aa1c62c428a4de1d64a300ea5b827c23d88630c57e2cc78b6e0665d3643851b65bfe549450d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Agent Serviceuninstall.bat

Filesize
247B

MD5
7adeea8f336ff24324748404ef8e4e1c

SHA1
aa31ac4be772880fc46ca76a0c1c6bc2bca17762

SHA256
b0404ea6e09a988c14c350008da2de7e3bbcf3a53df3fd79892a9a1a0c7f66f0

SHA512
6971e1fc80c56bf8543f7cce4b078674fa911959d5c9555ee44e584ed0b8592abada00f2ab01bb3703b7f37e0e9005aab7ebda8d1209571192f1496cee5be9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Host Serviceuninstall.bat

Filesize
241B

MD5
1f471c6e16e8489c969318d721a34735

SHA1
7ce958044797036e64a1d540416cb8267548d486

SHA256
13242ba76eb74e67cd2aaaa5b5ad2546780941ce70c27e6c11eb7fcb1c6c034b

SHA512
b6a084a96f82639c70a6762b8f128b61770b58ae36dc410994032e9780996f9b692d345f7841c2d85d671c95a32e38d47b9165adc72d9cb00be6c3c222be8013

Download Submit
C:\Windows\system32\Microsoft Agent Service\Microsoft Agent Serviceinstall.bat

Filesize
247B

MD5
58fd6cd4aab40914440eea1fd5a26076

SHA1
266ea46dc4982442b09f48f54c2acd08eea09b00

SHA256
b4bbd7d4821503c709198b0786e050897d7ebf0f8d295acd5c5ff3724132f822

SHA512
d6e6e738c943ec7950a40039e35420d62dba326646ee7f29a3bed379ed0774a40ad623375debba3a06b0ac55a8bb0ae8434c826de3b3fd6bce4b21457997f29d

Download Submit
C:\Windows\system32\Windows Host Service\Windows Host Serviceinstall.bat

Filesize
241B

MD5
7cf79275ee30a4befa2288e4f8905698

SHA1
86dfaac85afc06fb785af64199d54c93b45d4847

SHA256
7421cd76569d294e77e3ecf73c1382919482f0bab9add46fc016cb83928ad671

SHA512
fb8ff7f479ffae3d532abe5a001be9850fb2ebfb5cb17bb64bdbc3bd8b48871732bb883d8051a28b12cc4f936cf82bbec16eec57cff3f1bd8bd09dd80a89165d

Download Submit
memory/2972-141-0x0000026A3C860000-0x0000026A3C86A000-memory.dmp

Filesize
40KB

Download
memory/4220-133-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/4220-134-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download
memory/4220-143-0x000000001B650000-0x000000001B660000-memory.dmp

Filesize
64KB

Download