Overview

overview

8

Static

static

5

Patch.exe

windows7-x64

7

Patch.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    79s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/02/2024, 22:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Patch.exe

  • Size

    1.2MB

  • MD5

    bf5604a2957baa158daddaea930fb027

  • SHA1

    b03cefe194e509bc15e63ae853ff2b1d5f2c6a52

  • SHA256

    64f1ea7bf1b94f612d72ab74b36c11108b4b798adba3f2db79f4d5923e6d580a

  • SHA512

    c634b4bbe7442ce5ab13e303f582ad4bacdc008e19a067f5a69e0add0c298bf33b1810251a8300ae1b0c0c8da18b1533aacbcdcecd32954e6cf67ab3fe7f2bc8

  • SSDEEP

    24576:VrORE29TTVx8aBRd1h1orq+GWE0Jc5bDTj1Vyv9TvazHeqtGfUYh:V2EYTb8atv1orq+pEiSDTj1VyvBazHe/

Score
8/10
evasion

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Unexpected DNS network traffic destination 16 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 21 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Patch.exe
    "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:4136
    • C:\Windows\Temp\RunAsTI.exe
      C:\Windows\Temp\RunAsTI.exe "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
      • C:\Windows\Temp\RunAsTI.exe
        /t /t C:\Users\Admin\AppData\Local\Temp\Patch.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
        • C:\Users\Admin\AppData\Local\Temp\Patch.exe
          "C:\Users\Admin\AppData\Local\Temp\Patch.exe"
          4⤵
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:5116
          • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
            PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;(Get-NetRoute | Where-Object DestinationPrefix -eq '0.0.0.0/0' | Get-NetIPInterface | Where-Object ConnectionState -eq 'Connected') -ne $null
            5⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3624
          • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
            PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;$ips=@();$soa=(Resolve-DnsName -Name adobe.io -Type SOA).PrimaryServer;Do{$ip=(Resolve-DnsName -Name adobe.io -Server $soa).IPAddress;$ips+=$ip;$ips=$ips|Select -Unique|Sort-Object}While($ips.Count -lt 8);$list=$ips -join ',';$list
            5⤵
            • Blocklisted process makes network request
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2128
          • C:\Windows\SYSTEM32\netsh.exe
            netsh advfirewall firewall delete rule name="Adobe Unlicensed Pop-up"
            5⤵
            • Modifies Windows Firewall
            PID:764
          • C:\Windows\SYSTEM32\netsh.exe
            netsh advfirewall firewall add rule name="Adobe Unlicensed Pop-up" dir=out action=block remoteip="107.22.247.231,18.207.85.246,23.22.254.206,34.193.227.236,52.202.204.11,52.5.13.197,54.144.73.197,54.227.187.23"
            5⤵
            • Modifies Windows Firewall
            PID:3548
          • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
            PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;(Get-NetRoute | Where-Object DestinationPrefix -eq '0.0.0.0/0' | Get-NetIPInterface | Where-Object ConnectionState -eq 'Connected') -ne $null
            5⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:640
          • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
            PowerShell Set-ExecutionPolicy Bypass -scope Process -Force;$ips=@();$soa=(Resolve-DnsName -Name adobe.io -Type SOA).PrimaryServer;Do{$ip=(Resolve-DnsName -Name adobe.io -Server $soa).IPAddress;$ips+=$ip;$ips=$ips|Select -Unique|Sort-Object}While($ips.Count -lt 8);$list=$ips -join ',';$list
            5⤵
              PID:4136

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\config.ini
            Filesize

            4KB

            MD5

            d6d17e00792f0b8a921a90da98368f2c

            SHA1

            98742206a597a6d1ebddff01e078c90148fcfe31

            SHA256

            fee63317eb729b3037ab4f18d4cc57d2ad39413585a8d48c9da922e4f2db1ab2

            SHA512

            db9ec02502590b7ab46b2eba16593e328c587d2300098356e65ef721483c415971e6bfc9f143c009a881790556923652892b185d4fcf242e4ae84c9e23a7d3dc

            Download Submit

          • C:\Users\Default\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            b8103610082fe82a9ed52aad96797352

            SHA1

            22b036145f7d1604a5645eb9dc5d9cf796fc1c4f

            SHA256

            31c9133b94257a5be0e886f4ded6b5432415af3ca1fd01580015c3d6630f96b3

            SHA512

            fcf35a15c38dc61f55e3864d7a7bff62211a4992a6e8fa922d646a46f5c43ee693098efe76ae789209c68dd4747c20c211c8a7c16d23f4563fedfb7e927583a5

            Download Submit

          • C:\Users\Default\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            d31f41c0b780aa9574968f1a7a9dd6dc

            SHA1

            ed8788e11edd29e1ee547d37865cf453c0eb9d3b

            SHA256

            832c68a191b3224d27f4ab368fc62f3e97c52446b560abd641774a31f0788dfb

            SHA512

            5bdcef73ba6a5697362d715082edccff9f4017811adf04e20c078f2843c2ebfe9b4974065a14208078119b6f679ac1c810e3d649703106b28d320aeac469b9ba

            Download Submit

          • C:\Users\Default\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            a5380f82dd29b7bd4ffbf9a5d6c6a710

            SHA1

            414a234baa9490ad34480d777a826880763366b2

            SHA256

            05493445f44db360c87d7b9be5f8535e6e61b68843524a63d42cecd72265d1e6

            SHA512

            3d7e6a084186e72994d7ea81b3e6b33bd29066d9aa392db2bfe40176a174777af9f2cd37e904b2131200c9515233bfdd0424bbea2fe05ed8f0ae247004f2a746

            Download Submit

          • C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
            Filesize

            5KB

            MD5

            33c8d3e3fbe5bb8c78c99b02d7329672

            SHA1

            ce3b9a79792b05c78a703c5bd53988ea800b0836

            SHA256

            ad00598abd97db3f2865642d040f968ca462f03f24039a3b591b1fec6457d177

            SHA512

            09460b48d11fac808c6e504a5e7f88713fbd23a7e3f53ce9fa5e8fd04274697832cbb82c49acf8f8e949217c552170dadb5bb6ad6a0ab6539278efcafdc9006e

            Download Submit

          • C:\Windows\Temp\RunAsTI.exe
            Filesize

            26KB

            MD5

            80454e70784f1ddb0c91d41469e2498d

            SHA1

            2f3f04ef670895de12cdfbae17c9d427e7caa97a

            SHA256

            a3e0ba70ba908de8a75825c3a1ff36147e02c686280993c2caa8a9a6968764b0

            SHA512

            709ed0fc9e2520a5beb57379e90be12cac680060b4c72ff50e9d9897f3a4d7a57f84b9be04b78974e6f6b73cda7202bfc617835cee3011eed7f0ee6f5e82edf7

            Download Submit

          • C:\Windows\Temp\__PSScriptPolicyTest_ehmr2qqs.kz4.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/640-125-0x00007FF4AD000000-0x00007FF4AD010000-memory.dmp

            Filesize

            64KB

            Download

          • memory/640-124-0x000001359ADC0000-0x000001359AE75000-memory.dmp

            Filesize

            724KB

            Download

          • memory/640-104-0x000001359A030000-0x000001359A040000-memory.dmp

            Filesize

            64KB

            Download

          • memory/640-103-0x00007FFDF6910000-0x00007FFDF73D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/640-126-0x000001359A030000-0x000001359A040000-memory.dmp

            Filesize

            64KB

            Download

          • memory/640-128-0x00007FFDF6910000-0x00007FFDF73D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2128-71-0x0000015950240000-0x0000015950250000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2128-72-0x0000015950490000-0x00000159504AA000-memory.dmp

            Filesize

            104KB

            Download

          • memory/2128-50-0x000001594F520000-0x000001594F530000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2128-49-0x00007FFDF7250000-0x00007FFDF7D11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/2128-70-0x000001594F520000-0x000001594F530000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2128-74-0x00007FFDF7250000-0x00007FFDF7D11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3624-42-0x00007FF4486A0000-0x00007FF4486B0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3624-29-0x00000262D6EA0000-0x00000262D6EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3624-45-0x00000262D6E70000-0x00000262D6E7A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3624-43-0x00000262D6EA0000-0x00000262D6EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3624-44-0x00000262EFDD0000-0x00000262EFE85000-memory.dmp

            Filesize

            724KB

            Download

          • memory/3624-48-0x00007FFDF7250000-0x00007FFDF7D11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3624-41-0x00000262D6E80000-0x00000262D6E9C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3624-31-0x00000262D6D50000-0x00000262D6D72000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3624-30-0x00000262D6EA0000-0x00000262D6EB0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3624-46-0x00000262D6ED0000-0x00000262D6EEC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/3624-28-0x00007FFDF7250000-0x00007FFDF7D11000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4136-130-0x000001F8D3D60000-0x000001F8D3D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4136-129-0x00007FFDF6910000-0x00007FFDF73D1000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4136-152-0x000001F8D3D60000-0x000001F8D3D70000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4136-151-0x000001F8ED0A0000-0x000001F8ED155000-memory.dmp

            Filesize

            724KB

            Download

          • memory/4136-150-0x00007FF4ABBD0000-0x00007FF4ABBE0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4136-154-0x00007FFDF6910000-0x00007FFDF73D1000-memory.dmp

            Filesize

            10.8MB

            Download