297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe
Size

2.6MB
MD5

aea12bdd5027ff4d84e6c0790fb9f86a
SHA1

d68e26bf803ce55eb3446dbffdb2b7c22b49f1e9
SHA256

297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd
SHA512

e68c6012dfb30a2d159b5b089bf4d9b8f409cb8928686d0477284b84d5ffe6e278c912b086417ca17d8c9266f73a2d87d2055260074c223b06ddacf9c345b8a1
SSDEEP

49152:heP79xB2SqwXgOxC4AkeOVSM82k8gTQx4hRpZqmMnvbHtfWgP:up2Sq/OxeOH820TQx4hRpohn7tfWw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3204	patchupdater.exe

Loads dropped DLL 3 IoCs

pid	Process
3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe
3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe
3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	patchupdater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3204	3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe	85
PID 3008 wrote to memory of 3204	3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe	85
PID 3008 wrote to memory of 3204	3008	297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe	85

C:\Users\Admin\AppData\Local\Temp\297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe
"C:\Users\Admin\AppData\Local\Temp\297273f12014539fb8a2be3de4888d13e5688e87469fc0411fe665c0eb9c79fd.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Users\Admin\AppData\Local\Temp\nsj8FBF.tmp\patchupdater.exe
  "C:\Users\Admin\AppData\Local\Temp\nsj8FBF.tmp\patchupdater.exe" --action=install --oldhash=0c32c2ca4b34743466be4302105bfdf9 --newhash=dd139bf8c19f18e1f3931521e89fb1ad --oldv=14.8.0.9906 --newv=14.8.0.9942 --extra=""
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj8FBF.tmp\System.dll

Filesize
11KB

MD5
c51fc979c1c3e17bece7bd194aeb6ea2

SHA1
9a5d000d6393f2980062b4cc6e8f543493b1be8f

SHA256
93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61

SHA512
716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8FBF.tmp\nsExec.dll

Filesize
6KB

MD5
d7d0c9d3b5e38be79ce8765a9b492787

SHA1
27873370f5f3e88365612e0606247173a43eae60

SHA256
74e2c4b7905e3daa30a6d10d9e4de6b56316b965b4be068c4ed9017febd4613b

SHA512
ed10326f8cf747b173c707fa3b4d0ef6c46492bda2eb712cf32a10544de0dd35a13a8cf1948e335df08fad418545be12a2d782fea5cefae453dafd578b53d36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj8FBF.tmp\patchupdater.exe

Filesize
2.0MB

MD5
5a25a557d6a4f26c41d0161b2ed5c0b9

SHA1
4fba64b59981de723e7baedc790f4e379a2e8392

SHA256
1a02299d3f768854033429f48f2dbea8650ff3d343dfd4bb439ff52f9f6ed45c

SHA512
304ed5767520726660a5d5b37ce95382cfe4f26135720d7c5725e3fe9da55c1efa010c20e144bfb44d22fc829ca26ba36f3658fd40cafde3c55e3c1c37618c3b

Download Submit