d5a2ddba0ee5c577268d69bbc129046d48f36c8306c8a57d4f6b2e2ded193202

General

Target

PatchMyPC.exe
Size

2.5MB
MD5

8a5fcb46ed7f458a508f9e7f31b2950c
SHA1

8b68711f8de7ba182427da118644b63083894fee
SHA256

d5a2ddba0ee5c577268d69bbc129046d48f36c8306c8a57d4f6b2e2ded193202
SHA512

c44e4f7b2782d36fe33ef8cbf22e0a2a3a086cde82aa4a2c8856099391ca202f7df7ee84c6f59bba24ada636964edcac1d966fb50c2cd0cad7219af4a273222f
SSDEEP

24576:DEZDSTqCIraM1VVPIpvl1SqEU/+uRuNixgxkaBRrI0kDf:DEo+DraM1VVPIpvl1SQ/+uMOg33Ibr

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	PatchMyPC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	gacutil.exe
File created	C:\Windows\assembly\GACLock.dat	gacutil.exe
File created	C:\Windows\assembly\tmp\WS8T73A1\Microsoft.Win32.TaskScheduler.dll	gacutil.exe

Executes dropped EXE 1 IoCs

pid	Process
5100	gacutil.exe

Loads dropped DLL 2 IoCs

pid	Process
5100	gacutil.exe
5100	gacutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4108	PatchMyPC.exe
4108	PatchMyPC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4108	PatchMyPC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4108	PatchMyPC.exe
4108	PatchMyPC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 5100	4108	PatchMyPC.exe	86
PID 4108 wrote to memory of 5100	4108	PatchMyPC.exe	86
PID 4108 wrote to memory of 5100	4108	PatchMyPC.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PatchMyPC.exe
"C:\Users\Admin\AppData\Local\Temp\PatchMyPC.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Roaming\PatchMyPC\gacutil.exe
  "C:\Users\Admin\AppData\Roaming\PatchMyPC\gacutil.exe" /i C:\Users\Admin\AppData\Roaming\PatchMyPC\Microsoft.Win32.TaskScheduler.dll
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\PatchMyPC\1033\gacutlrc.dll

Filesize
34KB

MD5
98724a7d91993527c8f821f0f722995d

SHA1
8a6d60541c7a6c40072fe7b4fe2cc4fec8f97628

SHA256
35b093f47a7220b789f431b866537e72bb78609fe03f45c7e12926db94c6634c

SHA512
d8bad501973d86a1800eee6ce89c9abefcdc0ccaabb693591fa167b291d3020d85a49b57daffa7658a06859c276deb63c4b959e8fff1868495bad64cd7a3b006

Download Submit
C:\Users\Admin\AppData\Roaming\PatchMyPC\Microsoft.Win32.TaskScheduler.dll

Filesize
300KB

MD5
e4a7b55e9f8c52b356e264c347035cd5

SHA1
cbba2789cd31d51bf1dd6841219799a9559d3e67

SHA256
f3c2d5a2db68b9e6ca161ac126bb8fa47b5889d5786b5ddb28f9193dd500c87d

SHA512
5c0af9046149c89235f46762954c75fce0b82834d614e313aa630ce859cd04a54f6e11321f4efa41ea817cae9439555a9923c2be5ef34c55d6786a44fe8dbbd3

Download Submit
C:\Users\Admin\AppData\Roaming\PatchMyPC\gacutil.exe

Filesize
127KB

MD5
4da261a56b625bc2f8d4ae2e59f85e2f

SHA1
567c858bbfc4ddddc92c13cf9362bbf1ec98d589

SHA256
2f53f6a2024128e750f21b98607328dac6238d675e0b44ef3d540f4e61a28ad8

SHA512
93f326399d219e2a6b5803c25853e96039d5d5044d500d2acbea4792d31ee6237a790ca05572e36725d81eb7b68a9030b3df36660a09e2e684b31409e2f92383

Download Submit
C:\Users\Admin\AppData\Roaming\PatchMyPC\gacutil.exe.config

Filesize
223B

MD5
7033a6fa2f8a457716f6d642137cc7db

SHA1
7a2cb4bbf68074357e450d6cd6fa9e4fcaf0ed2a

SHA256
d1e116f59c6cf832090da36f95725827a7f5edb3173cbce13ffedc4fb6b61d2e

SHA512
7b3f7532c57590f16bd79a37b66392aed73c1bb2ecb185273e229b32a722ca7a96051f419a42e1df1f28132190170625a09e5354a26773d2482fc749f15ca9da

Download Submit
memory/4108-5-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-3-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-6-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-7-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-8-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-36-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-4-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-0-0x00007FFB54763000-0x00007FFB54765000-memory.dmp

Filesize
8KB

Download
memory/4108-2-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-76-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-1-0x000001B5BEDE0000-0x000001B5BF05C000-memory.dmp

Filesize
2.5MB

Download
memory/4108-63-0x000001BDDDF60000-0x000001BDDDFAE000-memory.dmp

Filesize
312KB

Download
memory/4108-73-0x00007FFB54763000-0x00007FFB54765000-memory.dmp

Filesize
8KB

Download
memory/4108-74-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/4108-75-0x00007FFB54760000-0x00007FFB55221000-memory.dmp

Filesize
10.8MB

Download
memory/5100-58-0x0000000002320000-0x000000000236E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing