25ace20639977320f2e7432af2532d0607e29087d4496ef1bda97ca8d165cb3f

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 16:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QuickUpgrade.exe
Size

473KB
MD5

729e8143ca0dabda69f5d043c52c5eb3
SHA1

40ac606cdfaa0925f913e188804606eb7f217cc7
SHA256

ca42142193983be4ea809ce82af10f8a2794fe955b9425d4063e2d6f21a1e17d
SHA512

3b81d5e884bebeaadc0e7081c99a8bd11a9f715ac568164dfd267c37504dac54763f9f5a3068949f424e59408c06c7bd4501b6fcd614c1bdc889b748c2a5d84c
SSDEEP

6144:LvDoEduafjNzm6uhfY38ZcWX7A9G4Gena7WG4/:4bafjNzm6uSQTh4LaKG4/

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	QuickUpgrade.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	pl4sfx.exe

Executes dropped EXE 4 IoCs

pid	Process
2848	pl4sfx.exe
412	PostUpdate.exe
4288	bitsumsessionagent.exe
3896	processlasso.exe

Loads dropped DLL 6 IoCs

pid	Process
4576	QuickUpgrade.exe
4576	QuickUpgrade.exe
412	PostUpdate.exe
412	PostUpdate.exe
3896	processlasso.exe
3896	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QuickUpgrade.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	QuickUpgrade.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	QuickUpgrade.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4288	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	3896	processlasso.exe
Token: SeDebugPrivilege	3896	processlasso.exe
Token: SeChangeNotifyPrivilege	3896	processlasso.exe
Token: SeIncBasePriorityPrivilege	3896	processlasso.exe
Token: SeIncreaseQuotaPrivilege	3896	processlasso.exe
Token: SeCreateGlobalPrivilege	3896	processlasso.exe
Token: SeProfSingleProcessPrivilege	3896	processlasso.exe
Token: SeBackupPrivilege	3896	processlasso.exe
Token: SeRestorePrivilege	3896	processlasso.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 2848	4576	QuickUpgrade.exe	84
PID 4576 wrote to memory of 2848	4576	QuickUpgrade.exe	84
PID 4576 wrote to memory of 2848	4576	QuickUpgrade.exe	84
PID 2848 wrote to memory of 412	2848	pl4sfx.exe	90
PID 2848 wrote to memory of 412	2848	pl4sfx.exe	90
PID 412 wrote to memory of 3896	412	PostUpdate.exe	93
PID 412 wrote to memory of 3896	412	PostUpdate.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe
"C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      /postupdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:3896

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:4288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
667KB

MD5
73b4252305d8e60aff518e24570d7f7f

SHA1
6d4f3f9d41b666a230ff8610b0fbf14f621e8cf0

SHA256
d7df98151c2fd9c2fdd366b0bd933d6d07f4afb68761f4d3ce50440c0d0541ec

SHA512
78aefebb05958c140eade0046751852b1c68c8883c054d3fc57f182b3271030d6a82b142399ce61998145b52f55b342cf39ea93b499e2ea2a30e0ffceb4ab234

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.8MB

MD5
9661fb6149241173ea6809e1b605d683

SHA1
b7817f9ed0eed9b8da02d9d14673e134422b1d92

SHA256
774557893da35092845440cb9a79f9f2a813913a6d8353fd03c215d5f0de5a88

SHA512
47700890db3f3b8ff172fbb99b11b82499f6cf2656b99dc7c63b828aab913669f59331518863a487b52a076e65a98b98475091c7efcf1eba3f99fe6b35b99cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
473KB

MD5
729e8143ca0dabda69f5d043c52c5eb3

SHA1
40ac606cdfaa0925f913e188804606eb7f217cc7

SHA256
ca42142193983be4ea809ce82af10f8a2794fe955b9425d4063e2d6f21a1e17d

SHA512
3b81d5e884bebeaadc0e7081c99a8bd11a9f715ac568164dfd267c37504dac54763f9f5a3068949f424e59408c06c7bd4501b6fcd614c1bdc889b748c2a5d84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe

Filesize
2.9MB

MD5
3003c62962a7f04ff69fee6ecd19395c

SHA1
87d4bf436f00b3254036ed6acbe85633e081b90a

SHA256
aebdadc68f467c9463362bf8eb6b165b341b0e4a08f11e81d58520ab7319ca5a

SHA512
9c68fd50131b8418a71b04e6464fd40e9047d6c1f581393f96f393925016f969f6e54f7ba9704de325d845921ea2d566ca8288a6b701ccf8cc6bd646d0def1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
181KB

MD5
6f86caae0d9a5981d44bcb1cde7dadca

SHA1
b92d479b7ed042296bfebfb18f2823befeefcee3

SHA256
fe7aa00ec480f6fa1ec75aba47bbd6e1686c11382eff49dd0e12a82b4cc76496

SHA512
b89f90c4392cd3a3b85a93b6fbfd6b71b1fe7585a168d16b8a523adb1d6041a19ea2e99fb754a1123ed76940d1f1a66d91f66cd3e8d9e631467cc6286dc50d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_temp.dll

Filesize
1.9MB

MD5
1a32e7e6bf9e29fbdf6793a435c52989

SHA1
afada8149480d85e92d82b948783c30e9668fcf8

SHA256
5ce28825a3b4fe08fcc97371e3dcfa13b31fd072fcfac0b11e563b36e14f4785

SHA512
45adcaeddf2b5ffc73271e25ff112066e55656b4093cecd86316811ec22baacbfd1fc7619658f466fe2d369935148b6ca91e62f1751d20bce67e7a557b1f09cc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads