57c0b576e421237eb9964bda5a2b33592d410f58163f4dfbf4e86ced20361759

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 08:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a167c6f4c18acef13e1923c2cb7947d7.exe
Size

60KB
MD5

a167c6f4c18acef13e1923c2cb7947d7
SHA1

81a6f0d86e9a6979b6870b6bad894a118f70adb4
SHA256

57c0b576e421237eb9964bda5a2b33592d410f58163f4dfbf4e86ced20361759
SHA512

6ee740414bc8724af2f63d8a935efbea89f62e22fcf68be208ee0fa0275b264de73833553e45ef9df57eb3285acfc51680a8b8dc15ccf381ef8cea99d11fa380
SSDEEP

1536:XmscLfmnpbaycIxO7PDIv63BCZuPaOWjcloFsK:2inMyh63BCkPaOWyAsK

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation	wuauclt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation	a167c6f4c18acef13e1923c2cb7947d7.exe

Executes dropped EXE 2 IoCs

pid	Process
1344	wuauclt.exe
1528	wuauclt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\wuauclt.exe"	a167c6f4c18acef13e1923c2cb7947d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\wuauclt.exe"	wuauclt.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	wuauclt.exe
File opened (read-only)	\??\J:	wuauclt.exe
File opened (read-only)	\??\L:	wuauclt.exe
File opened (read-only)	\??\O:	wuauclt.exe
File opened (read-only)	\??\S:	wuauclt.exe
File opened (read-only)	\??\V:	wuauclt.exe
File opened (read-only)	\??\E:	wuauclt.exe
File opened (read-only)	\??\G:	wuauclt.exe
File opened (read-only)	\??\H:	wuauclt.exe
File opened (read-only)	\??\M:	wuauclt.exe
File opened (read-only)	\??\N:	wuauclt.exe
File opened (read-only)	\??\P:	wuauclt.exe
File opened (read-only)	\??\U:	wuauclt.exe
File opened (read-only)	\??\Y:	wuauclt.exe
File opened (read-only)	\??\Q:	wuauclt.exe
File opened (read-only)	\??\R:	wuauclt.exe
File opened (read-only)	\??\T:	wuauclt.exe
File opened (read-only)	\??\X:	wuauclt.exe
File opened (read-only)	\??\Z:	wuauclt.exe
File opened (read-only)	\??\K:	wuauclt.exe
File opened (read-only)	\??\W:	wuauclt.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	F:\autorun.inf	wuauclt.exe
File created	F:\autorun.inf	wuauclt.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 1344 set thread context of 1528	1344	wuauclt.exe	91

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\wuauclt.exe	wuauclt.exe
File created	C:\Windows\wuauclt.exe	wuauclt.exe
File created	C:\Windows\noruns.reg	a167c6f4c18acef13e1923c2cb7947d7.exe
File opened for modification	C:\Windows\noruns.reg	a167c6f4c18acef13e1923c2cb7947d7.exe
File opened for modification	C:\Windows\wuauclt.exe	a167c6f4c18acef13e1923c2cb7947d7.exe
File created	C:\Windows\wuauclt.exe	a167c6f4c18acef13e1923c2cb7947d7.exe
File opened for modification	C:\Windows\noruns.reg	wuauclt.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2588	sc.exe
4500	sc.exe
3120	sc.exe
3176	sc.exe
4716	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs .reg file with regedit 2 IoCs

pid	Process
1548	regedit.exe
2164	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1004	a167c6f4c18acef13e1923c2cb7947d7.exe
1004	a167c6f4c18acef13e1923c2cb7947d7.exe
1004	a167c6f4c18acef13e1923c2cb7947d7.exe
1004	a167c6f4c18acef13e1923c2cb7947d7.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe
1528	wuauclt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 2196 wrote to memory of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 2196 wrote to memory of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 2196 wrote to memory of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 2196 wrote to memory of 1004	2196	a167c6f4c18acef13e1923c2cb7947d7.exe	87
PID 1004 wrote to memory of 1344	1004	a167c6f4c18acef13e1923c2cb7947d7.exe	90
PID 1004 wrote to memory of 1344	1004	a167c6f4c18acef13e1923c2cb7947d7.exe	90
PID 1004 wrote to memory of 1344	1004	a167c6f4c18acef13e1923c2cb7947d7.exe	90
PID 1344 wrote to memory of 1528	1344	wuauclt.exe	91
PID 1344 wrote to memory of 1528	1344	wuauclt.exe	91
PID 1344 wrote to memory of 1528	1344	wuauclt.exe	91
PID 1344 wrote to memory of 1528	1344	wuauclt.exe	91
PID 1344 wrote to memory of 1528	1344	wuauclt.exe	91
PID 1528 wrote to memory of 2164	1528	wuauclt.exe	93
PID 1528 wrote to memory of 2164	1528	wuauclt.exe	93
PID 1528 wrote to memory of 2164	1528	wuauclt.exe	93
PID 1528 wrote to memory of 720	1528	wuauclt.exe	94
PID 1528 wrote to memory of 720	1528	wuauclt.exe	94
PID 1528 wrote to memory of 720	1528	wuauclt.exe	94
PID 1528 wrote to memory of 2948	1528	wuauclt.exe	96
PID 1528 wrote to memory of 2948	1528	wuauclt.exe	96
PID 1528 wrote to memory of 2948	1528	wuauclt.exe	96
PID 1528 wrote to memory of 2588	1528	wuauclt.exe	98
PID 1528 wrote to memory of 2588	1528	wuauclt.exe	98
PID 1528 wrote to memory of 2588	1528	wuauclt.exe	98
PID 1528 wrote to memory of 4124	1528	wuauclt.exe	100
PID 1528 wrote to memory of 4124	1528	wuauclt.exe	100
PID 1528 wrote to memory of 4124	1528	wuauclt.exe	100
PID 1528 wrote to memory of 4500	1528	wuauclt.exe	101
PID 1528 wrote to memory of 4500	1528	wuauclt.exe	101
PID 1528 wrote to memory of 4500	1528	wuauclt.exe	101
PID 1528 wrote to memory of 520	1528	wuauclt.exe	103
PID 1528 wrote to memory of 520	1528	wuauclt.exe	103
PID 1528 wrote to memory of 520	1528	wuauclt.exe	103
PID 2948 wrote to memory of 1040	2948	net.exe	106
PID 2948 wrote to memory of 1040	2948	net.exe	106
PID 2948 wrote to memory of 1040	2948	net.exe	106
PID 1528 wrote to memory of 3120	1528	wuauclt.exe	107
PID 1528 wrote to memory of 3120	1528	wuauclt.exe	107
PID 1528 wrote to memory of 3120	1528	wuauclt.exe	107
PID 1528 wrote to memory of 3176	1528	wuauclt.exe	108
PID 1528 wrote to memory of 3176	1528	wuauclt.exe	108
PID 1528 wrote to memory of 3176	1528	wuauclt.exe	108
PID 720 wrote to memory of 2636	720	net.exe	109
PID 720 wrote to memory of 2636	720	net.exe	109
PID 720 wrote to memory of 2636	720	net.exe	109
PID 1528 wrote to memory of 1676	1528	wuauclt.exe	111
PID 1528 wrote to memory of 1676	1528	wuauclt.exe	111
PID 1528 wrote to memory of 1676	1528	wuauclt.exe	111
PID 1528 wrote to memory of 4716	1528	wuauclt.exe	119
PID 1528 wrote to memory of 4716	1528	wuauclt.exe	119
PID 1528 wrote to memory of 4716	1528	wuauclt.exe	119
PID 1528 wrote to memory of 3316	1528	wuauclt.exe	114
PID 1528 wrote to memory of 3316	1528	wuauclt.exe	114
PID 1528 wrote to memory of 3316	1528	wuauclt.exe	114
PID 4124 wrote to memory of 2804	4124	net.exe	117
PID 4124 wrote to memory of 2804	4124	net.exe	117
PID 4124 wrote to memory of 2804	4124	net.exe	117
PID 520 wrote to memory of 2332	520	net.exe	116
PID 520 wrote to memory of 2332	520	net.exe	116
PID 520 wrote to memory of 2332	520	net.exe	116
PID 1676 wrote to memory of 3636	1676	net.exe	120
PID 1676 wrote to memory of 3636	1676	net.exe	120
PID 1676 wrote to memory of 3636	1676	net.exe	120

C:\Users\Admin\AppData\Local\Temp\a167c6f4c18acef13e1923c2cb7947d7.exe
"C:\Users\Admin\AppData\Local\Temp\a167c6f4c18acef13e1923c2cb7947d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\a167c6f4c18acef13e1923c2cb7947d7.exe
  C:\Users\Admin\AppData\Local\Temp\a167c6f4c18acef13e1923c2cb7947d7.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SysWOW64\regedit.exe
    "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
    3⤵
    - Runs .reg file with regedit
    PID:1548
- - C:\Windows\wuauclt.exe
    "C:\Windows\wuauclt.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\wuauclt.exe
      C:\Windows\wuauclt.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Enumerates connected drives
      Drops autorun.inf file
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe" /s C:\Windows\noruns.reg
        5⤵
        Runs .reg file with regedit
        
        PID:2164
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:720
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:2636
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVWSC
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVWSC
        6⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVWSC start= disabled
        5⤵
        Launches sc.exe
        
        PID:2588
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop KVSrvXP
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop KVSrvXP
        6⤵
        
        PID:2804
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config KVSrvXP start= disabled
        5⤵
        Launches sc.exe
        
        PID:4500
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop kavsvc
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:520
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop kavsvc
        6⤵
        
        PID:2332
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config kavsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:3120
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsRavMon start= disabled
        5⤵
        Launches sc.exe
        
        PID:3176
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsCCenter
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsCCenter
        6⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop RsRavMon
        5⤵
        
        PID:3316
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop RsRavMon
        6⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\sc.exe
        
        "C:\Windows\System32\sc.exe" config RsCCenter start= disabled
        5⤵
        Launches sc.exe
        
        PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\noruns.reg

Filesize
122B

MD5
704f9f14e6c5b902de15f37bbb234bbc

SHA1
4e7bd14012b5fe1b07b9ed99a00565ed1d86348b

SHA256
69c8425b75d3be48f68c1abf33bb9d30688bbd9d28809d92f9dc537393a3d3b4

SHA512
02376153d198f415f53aabc67272c6042ee4f2c1048b3c5025200d8946f433669cd48295e1bfcd33d1fc8c24f4e1ff0dfb78e36926ad91a334e02718afa93042

Download Submit
C:\Windows\wuauclt.exe

Filesize
60KB

MD5
a167c6f4c18acef13e1923c2cb7947d7

SHA1
81a6f0d86e9a6979b6870b6bad894a118f70adb4

SHA256
57c0b576e421237eb9964bda5a2b33592d410f58163f4dfbf4e86ced20361759

SHA512
6ee740414bc8724af2f63d8a935efbea89f62e22fcf68be208ee0fa0275b264de73833553e45ef9df57eb3285acfc51680a8b8dc15ccf381ef8cea99d11fa380

Download Submit
F:\autorun.inf

Filesize
75B

MD5
9639ccf1d10474093ed03703b1717166

SHA1
0532f958feed3cd421118b18e28af5f0ecfaf593

SHA256
4fefe933180f06671bf129990f3c0d06890e77db7dda71d501fd906cb47811d3

SHA512
4cec93ff963a799eefbc1af28eebacdf200666cc2f736aafd5febb78955f8775f00a7ebe4b4f502a015f4b2d91283b4d88bcf911034eba7b46aae418fdeafd88

Download Submit
memory/1004-20-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-7-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-9-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-13-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1004-2-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1344-30-0x0000000001EC0000-0x0000000001F40000-memory.dmp

Filesize
512KB

Download
memory/1344-32-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1344-27-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/1528-38-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-41-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-42-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-44-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-50-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1528-79-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2196-0-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2196-4-0x0000000010000000-0x000000001005A000-memory.dmp

Filesize
360KB

Download
memory/2196-1-0x0000000002000000-0x0000000002080000-memory.dmp

Filesize
512KB

Download