d01c9c808e5c30ff410020ea0cdb1e2a492d522f2977721d52d5597232743090

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 10:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

QuickUpgrade.exe
Size

421KB
MD5

8050d4606a492a8c9d9613152f9abf76
SHA1

cf26af41c84fb12310e3459dfc919e1e139d7d62
SHA256

485e6b46d8cea429a923728fd25f4f61cf3cea3f9a441afb616a4b3aa247e461
SHA512

318b52292ed83888b2d130df0376ee6bf095fa0931f7f94e8f95e4cc49af331ead8da284aa99f4bad6a9c0cdaac6e5b4fab2a89f1eb96ea577d8a19fa872efa6
SSDEEP

3072:IO/MhH3DRb2Dg3gNgdIQ3WruEEtPoAWY07Dk4VQzPLyQKlQ2k7HoZ7WK7TBaR0pr:JI39bkgwa3WSZtQAb0ntxQ27WG4RCv/

Score

6^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	QuickUpgrade.exe
Key value queried	\REGISTRY\USER\S-1-5-21-47134698-4092160662-1261813102-1000\Control Panel\International\Geo\Nation	pl4sfx.exe

Executes dropped EXE 4 IoCs

pid	Process
1880	pl4sfx.exe
4056	PostUpdate.exe
8	bitsumsessionagent.exe
4508	processlasso.exe

Loads dropped DLL 6 IoCs

pid	Process
4560	QuickUpgrade.exe
4560	QuickUpgrade.exe
4056	PostUpdate.exe
4056	PostUpdate.exe
4508	processlasso.exe
4508	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
8	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	4508	processlasso.exe
Token: SeDebugPrivilege	4508	processlasso.exe
Token: SeChangeNotifyPrivilege	4508	processlasso.exe
Token: SeIncBasePriorityPrivilege	4508	processlasso.exe
Token: SeIncreaseQuotaPrivilege	4508	processlasso.exe
Token: SeCreateGlobalPrivilege	4508	processlasso.exe
Token: SeProfSingleProcessPrivilege	4508	processlasso.exe
Token: SeBackupPrivilege	4508	processlasso.exe
Token: SeRestorePrivilege	4508	processlasso.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 1880	4560	QuickUpgrade.exe	87
PID 4560 wrote to memory of 1880	4560	QuickUpgrade.exe	87
PID 4560 wrote to memory of 1880	4560	QuickUpgrade.exe	87
PID 1880 wrote to memory of 4056	1880	pl4sfx.exe	91
PID 1880 wrote to memory of 4056	1880	pl4sfx.exe	91
PID 1880 wrote to memory of 4056	1880	pl4sfx.exe	91
PID 4056 wrote to memory of 4508	4056	PostUpdate.exe	96
PID 4056 wrote to memory of 4508	4056	PostUpdate.exe	96
PID 4056 wrote to memory of 4508	4056	PostUpdate.exe	96

C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe
"C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      /postupdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4508

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
615KB

MD5
dedc52876c60294151f79ba3ec62a1d2

SHA1
a7fe9b9e6ec8ce524d6d37ba351dd89e387961f1

SHA256
b9e375a220cfa31c35563381818adb488321ea8365940825a9d4f1ee303cb1ca

SHA512
40c897425ff794a82a81ac3c6c4de50a2eda1c9b0cfe7e8241efdc9dbee0ddcced12c8c5be03acd8862ba7ca710856b5d43feeecae69c0e3fbd39db1fbf5c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.6MB

MD5
c37112a7b09342e0b7c60d07ca0080b8

SHA1
ef0b0acd2ddf00da9fe1dd075210b761c3bdadb5

SHA256
f3a6b930505d4f2bceab83305958263ed24916c625f37d58958f9f37f78d948b

SHA512
8932e9e2232600a09f160323f7eb857633f674fcfc783648b9726a78e355ad77e68d7572a344c2ccc9ede844a1161234370ea6fa2a67ab911247c934ef947819

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
422KB

MD5
fa64f6ca0506e75ff04d1041cf57e540

SHA1
1b1a1f28db59a49b913e70fdf7c2f4a1f765ea69

SHA256
4b8c496606f49767a0e368acb95fb7eee92f423227b99e826b0b9997fa00217b

SHA512
37484b840ec1c4e67000a5354045adc52b0a9a439a360979be9cd07f9e398f4037da656bd1016f5787b915e0548da12b27c0d93afd16473d2b4b8e1e1b21362d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsum\processlasso\pl4sfx.exe

Filesize
2.6MB

MD5
f3ec871cf4deedd0df35b19a88a5ba99

SHA1
a117915167299a6a61ff13a07302c18e1ffbcc06

SHA256
944f32418d26ae9f4b955422410c924940fb597f0feac8dba7663c270fcf9462

SHA512
4815c6e33781b32296f3874d032362719ebff1c83c5d9452dec2ae24b155093633ab9005061e42a0aa9baa8dbcff1fd6a0f1e06152035285d60b1c046c6a6db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
141KB

MD5
94a60f039968f05035b5d6a28c81bbd8

SHA1
f815496d02429d586b72955b2b64532fcf524e50

SHA256
a32dab9b1fb3da1ca56a1fca2262de12eb61e53ecb134a3c4d3549f7ce154808

SHA512
86c1d90c4e550d51e58ec6cf971865961db88eac26edcc566f5b29cd350d67db1d6cf21a5f8852aa6c85383b7c350f8259eacad48e5dc90caf6159b851fe7a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
870e780dbc822d555fb32c9a29829aff

SHA1
f067406bdc3185a9b04f66002c21d881ecb5ba61

SHA256
5d38250c54b31c8861932dc29c926265ca450514865d6a96336d94b9e3fd41c3

SHA512
a1849cf29c60d9127e649e1b9df7cba972ed0adb6583d7d68e446918e1e94d8703d0def534ea1c8699cd3727338ff528601a05e616e1283168758e0fde79d7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_temp.dll

Filesize
1.9MB

MD5
6624738e851815fe0e04e375ee221d9f

SHA1
01f37c1b6f63cc1812794ea0541be77a739a6bf8

SHA256
d9a1bdae9b17d9f1385b07c8fb196c66ba5c6046f00f86651dd457ebcc1201c6

SHA512
2c4e176ae541317aeb411f4c084a510e22963854d1615532a9193c03329f93a3d04d474aa6050facd1c51e84a6fdcb581fc305bd2f5c9ddc58066170e1294a4f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads