84151bf5826e3300a67914ca85ff63424a775876b7372da82110d48c216610e6

Analysis

max time kernel
598s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2023, 02:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

update_manager.exe
Size

100KB
MD5

df5cbc617d2472681ca28261574023c7
SHA1

f0f7d08b755eca7da6d0e534f8db9351b4a36f55
SHA256

84151bf5826e3300a67914ca85ff63424a775876b7372da82110d48c216610e6
SHA512

0b8316ead733bd2fd5368dc0372cddbf2e4aed7d96c83a581e09899e265316d947b9f1aa489001ddab7770d8b53371fe64cb0db055f731df69a89d06c7200e56
SSDEEP

3072:9ThRuiU7PEEukPe+RDlb9fAicrkcRRn1221K8nsi2S:9T5Uz5PekDlJfOk81D1znsq

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
51	4212	wscript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	update_manager.exe

Loads dropped DLL 6 IoCs

pid	Process
4760	update_manager.exe
4760	update_manager.exe
4760	update_manager.exe
4760	update_manager.exe
4760	update_manager.exe
4760	update_manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4212	wscript.exe
4212	wscript.exe
4212	wscript.exe
4212	wscript.exe
4212	wscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4212	wscript.exe
Token: SeDebugPrivilege	4212	wscript.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4212	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 1800	4760	update_manager.exe	95
PID 4760 wrote to memory of 1800	4760	update_manager.exe	95
PID 4760 wrote to memory of 1800	4760	update_manager.exe	95
PID 4760 wrote to memory of 4032	4760	update_manager.exe	97
PID 4760 wrote to memory of 4032	4760	update_manager.exe	97
PID 4760 wrote to memory of 4032	4760	update_manager.exe	97

C:\Users\Admin\AppData\Local\Temp\update_manager.exe
"C:\Users\Admin\AppData\Local\Temp\update_manager.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\system32\schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\ar.xml" /tn CoreTemp /f
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\system32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\CoreTemp.vbs"
  2⤵
  PID:4032

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\CoreTemp.vbs
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CoreTemp.vbs

Filesize
981KB

MD5
aa4bc480a94d8933f5cb65a194d72617

SHA1
78011f328bd9e78075beec7cdfeadc510777a907

SHA256
23713d0465bddbf630b10f9df7ae53c9daea66a563ba73820741427aaed6b6df

SHA512
d092be12b6e3085b5d94451c8d9a38daaa9905c9016ba8008d62a97db368553c35bbb6008c3a45d28d410ece417f8b8528c3b354bbc70027925c81e2a87f298d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ar.xml

Filesize
3KB

MD5
18c96746bc45bab4766c77e10325be4b

SHA1
8a8e54f91c87893ab50a776e02a1ecd1c65230fa

SHA256
3b8c21f3ea0c51ec06aa1df69c04002b19bb575f627144bafd4ea29241b37124

SHA512
4823733526b864ca18a1911b8d7c064a2e8999a80ed9b1e4adc946366ec163c5eb0fdd0033b6445b5ee036b978a77badd6d2a938c86ce8f92b5c6c0e0b99c54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\inetc.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\inetc.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\inetc.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\inetc.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstDC87.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
17KB

MD5
c7186fa21be207f15d0364ddfc9b70fa

SHA1
8dbd959c8d5bdbb20bebc5f3b89892cc008debf1

SHA256
0b6e357cd48a00d7621b3531fbfba6bc2c91c73ca271b52c9d22b0416b01153b

SHA512
34e60d726cdd3d02cf40651080a3445060882ea0d98f11ed75c30f2a76d876d385b09927bcced363d92035d2592e7cab5058662b7e666e9d17eec2f5218e5b58

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
129B

MD5
5e9bd76f5b7ec54e7b4db7d32141ff21

SHA1
0d23295fed90faa1614fa52d1cb20a6a3cfa6bbb

SHA256
8fb48592fe18e4aa5c0dda71041e5f7461ff6d83ed4e7c2417bd31c631c09bee

SHA512
10d83111399bb6e5d2c66115ef963bae28b7efab74d9a631583030289a12512192f5bc3cb72ac2a1cf4de055b1a3eaebe87d2ddd6d9224d2857142864e4b34ca

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
129B

MD5
5e9bd76f5b7ec54e7b4db7d32141ff21

SHA1
0d23295fed90faa1614fa52d1cb20a6a3cfa6bbb

SHA256
8fb48592fe18e4aa5c0dda71041e5f7461ff6d83ed4e7c2417bd31c631c09bee

SHA512
10d83111399bb6e5d2c66115ef963bae28b7efab74d9a631583030289a12512192f5bc3cb72ac2a1cf4de055b1a3eaebe87d2ddd6d9224d2857142864e4b34ca

Download Submit
C:\Windows\Temp\text_log.dbg

Filesize
548B

MD5
0afeeb2ac698a9f873ec98c7ee87875b

SHA1
c39f96a683f38bdcc558f2361840d7f569948cf6

SHA256
dbef818285fa84321ccdc3838df2a97a2d430e4656014322d91938167e6990d0

SHA512
05b6db1b174dc437a6231fff58c67635742b6497a157a5609fe0927f61d27ca422dfbbf86fb07528ea2339bea7feb36845a7f298e774440a00d889abb7970f81

Download Submit
memory/4032-48-0x0000000006600000-0x000000000677E000-memory.dmp

Filesize
1.5MB

Download
memory/4032-46-0x00000000064A0000-0x00000000065F4000-memory.dmp

Filesize
1.3MB

Download
memory/4032-51-0x0000000007BB0000-0x00000000080DC000-memory.dmp

Filesize
5.2MB

Download
memory/4032-52-0x0000000006B30000-0x0000000006B7C000-memory.dmp

Filesize
304KB

Download
memory/4032-49-0x00000000070D0000-0x0000000007674000-memory.dmp

Filesize
5.6MB

Download
memory/4032-47-0x0000000006490000-0x00000000064A0000-memory.dmp

Filesize
64KB

Download
memory/4032-69-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4032-50-0x0000000006BC0000-0x0000000006C52000-memory.dmp

Filesize
584KB

Download
memory/4032-45-0x0000000074230000-0x00000000749E0000-memory.dmp

Filesize
7.7MB

Download
memory/4212-1877-0x0000024DF6E10000-0x0000024DF6E31000-memory.dmp

Filesize
132KB

Download
memory/4212-1882-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-72-0x0000024DF9680000-0x0000024DF97FE000-memory.dmp

Filesize
1.5MB

Download
memory/4212-71-0x0000024DF6D80000-0x0000024DF6D90000-memory.dmp

Filesize
64KB

Download
memory/4212-1866-0x0000024DF6E10000-0x0000024DF6E31000-memory.dmp

Filesize
132KB

Download
memory/4212-1873-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1874-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1875-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-70-0x00007FFFAA760000-0x00007FFFAB221000-memory.dmp

Filesize
10.8MB

Download
memory/4212-1878-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1881-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1880-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1879-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-73-0x0000024DFAB30000-0x0000024DFB058000-memory.dmp

Filesize
5.2MB

Download
memory/4212-1887-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1888-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1891-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1892-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1905-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1906-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1907-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1910-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1913-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1915-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download
memory/4212-1917-0x00007FFFAA760000-0x00007FFFAB221000-memory.dmp

Filesize
10.8MB

Download
memory/4212-1918-0x0000024DF9550000-0x0000024DF95A1000-memory.dmp

Filesize
324KB

Download