a46de7b1eb5d6bd50182eebb1822b4535f3018136cd98af27ae6c462583a2267

Analysis

max time kernel
148s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
15-02-2021 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

StUpdate.exeStUpdate.exeStUpdate.exe

pid process

4576 StUpdate.exe
636 StUpdate.exe
1388 StUpdate.exe

pid	process
4576	StUpdate.exe
636	StUpdate.exe
1388	StUpdate.exe

Drops startup file 1 IoCs

Processes:

c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.URL	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3796 schtasks.exe

pid	process
3796	schtasks.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exeStUpdate.exeStUpdate.exeStUpdate.exe

description	pid	process
Token: SeDebugPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeDebugPrivilege	4576	StUpdate.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeDebugPrivilege	636	StUpdate.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeDebugPrivilege	1388	StUpdate.exe
Token: 33	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
Token: SeIncBasePriorityPrivilege	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe

description	pid	process	target process
PID 4768 wrote to memory of 3796	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe	schtasks.exe
PID 4768 wrote to memory of 3796	4768	c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe
"C:\Users\Admin\AppData\Local\Temp\c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c.exe"
1⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\SYSTEM32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn StUpdate /tr C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
2⤵
- Creates scheduled task(s)
PID:3796

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
C:\Users\Admin\AppData\Local\Temp/StUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StUpdate.exe.log
MD5
5acd51316c5e9c164f43b53174ef9fce

SHA1
27878274e69b69991456d321b603d20c60d9cd2e

SHA256
66f51ffd023996189643cd328a78b42ca5c6bb00281980147630db93ef5e1847

SHA512
abb671148c7013ab627dbb5d29fa296bdb8c78476032e9802853296a8aa906d18ceda8cc56a76daca1258e675e4a2d264898ea5b093049430aeed2a64e1c070c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
MD5
960191154378e1cce6b97afecb7ce257

SHA1
6ad76d2ef1d98eabe85fb51c369e7033e6846c38

SHA256
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c

SHA512
68bb33002fd109a745f965e3936ccdc11ad4220122017bba3694a3122e99e3b04c9b04dfafaa7646d14a3461f23806b30701ce5c2eda8eef7950a8e796724846

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
MD5
960191154378e1cce6b97afecb7ce257

SHA1
6ad76d2ef1d98eabe85fb51c369e7033e6846c38

SHA256
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c

SHA512
68bb33002fd109a745f965e3936ccdc11ad4220122017bba3694a3122e99e3b04c9b04dfafaa7646d14a3461f23806b30701ce5c2eda8eef7950a8e796724846

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
MD5
960191154378e1cce6b97afecb7ce257

SHA1
6ad76d2ef1d98eabe85fb51c369e7033e6846c38

SHA256
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c

SHA512
68bb33002fd109a745f965e3936ccdc11ad4220122017bba3694a3122e99e3b04c9b04dfafaa7646d14a3461f23806b30701ce5c2eda8eef7950a8e796724846

Download Submit
C:\Users\Admin\AppData\Local\Temp\StUpdate.exe
MD5
960191154378e1cce6b97afecb7ce257

SHA1
6ad76d2ef1d98eabe85fb51c369e7033e6846c38

SHA256
c2ed23b08dc766bf925748880bbf70a63516caba3f8646418bca231488708d6c

SHA512
68bb33002fd109a745f965e3936ccdc11ad4220122017bba3694a3122e99e3b04c9b04dfafaa7646d14a3461f23806b30701ce5c2eda8eef7950a8e796724846

Download Submit
memory/636-27-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/636-26-0x000000001AE30000-0x000000001AE32000-memory.dmp

Filesize
8KB

Download
memory/636-23-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/1388-36-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1388-35-0x000000001AF70000-0x000000001AF72000-memory.dmp

Filesize
8KB

Download
memory/1388-32-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/3796-10-0x0000000000000000-mapping.dmp

Download
memory/4576-13-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/4576-16-0x000000001BA80000-0x000000001BA82000-memory.dmp

Filesize
8KB

Download
memory/4576-17-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4768-2-0x00007FFBE4620000-0x00007FFBE500C000-memory.dmp

Filesize
9.9MB

Download
memory/4768-9-0x000000001C7F0000-0x000000001C7F1000-memory.dmp

Filesize
4KB

Download
memory/4768-8-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4768-7-0x0000000000B20000-0x0000000000B27000-memory.dmp

Filesize
28KB

Download
memory/4768-6-0x000000001B360000-0x000000001B362000-memory.dmp

Filesize
8KB

Download
memory/4768-5-0x0000000000B10000-0x0000000000B19000-memory.dmp

Filesize
36KB

Download
memory/4768-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download