Analysis
  max time kernel: 153s
  max time network: 169s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 13-05-2021 13:29
Static task: static1
Behavioral task: behavioral1
  Sample: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
  Resource: win10v20210408
General
  Target: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
  Size: 1.4MB
  MD5: c141544a4f99774f1bcf7defa3e3baba
  SHA1: ab484007489c1f7795edb0623dc4b1fce3310811
  SHA256: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f
  SHA512: 347e17179bb9db514701166f2f5061c2407d8e194e4ca91c99d6ff083ea1e4832791e1fdf47e410f582518a851724cfea7cf5e185142ba65b295b7dcf7503718
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: winupdate.exe
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (winupdate.exe)
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" (winupdate.exe)
    Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (winupdate.exe)
Executes dropped EXE (2 IoCs)
  Processes: winupdate.exe, winupdate.exe
    PID 2844 winupdate.exe
    PID 632 winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (winupdate.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
    Key value queried \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
Windows security modification (1 IoC)
  Processes: winupdate.exe
    Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (winupdate.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
    Key created \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
Suspicious use of SetThreadContext (2 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    PID 908 set thread context of 3888 (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe -> 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    PID 2844 set thread context of 632 (winupdate.exe -> winupdate.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (winupdate.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (winupdate.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (winupdate.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (winupdate.exe)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (winupdate.exe)
Modifies registry class (1 IoC)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
    Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: winupdate.exe
    PID 632 winupdate.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    PID 3888 (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    PID 632 (winupdate.exe), 24 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe, winupdate.exe
    PID 908 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe
    PID 2844 winupdate.exe
    PID 632 winupdate.exe
Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe, winupdate.exe
    PID 908 wrote to memory of 3888 (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe -> 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe), 14 occurrences
    PID 3888 wrote to memory of 2844 (95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe -> winupdate.exe), 3 occurrences
    PID 2844 wrote to memory of 632 (winupdate.exe -> winupdate.exe), 14 occurrences
Processes
  1. C:\Users\Admin\AppData\Local\Temp\95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe (PID 908)
     Command line: "C:\Users\Admin\AppData\Local\Temp\95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe"
     - Suspicious use of SetThreadContext
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
     2. C:\Users\Admin\AppData\Local\Temp\95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe (PID 3888)
        Command line: "C:\Users\Admin\AppData\Local\Temp\95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f.exe"
        - Modifies WinLogon for persistence
        - Checks BIOS information in registry
        - Checks computer location settings
        - Adds Run key to start application
        - Checks processor information in registry
        - Enumerates system info in registry
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        3. C:\Windupdt\winupdate.exe (PID 2844)
           Command line: "C:\Windupdt\winupdate.exe"
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
           4. C:\Windupdt\winupdate.exe (PID 632)
              Command line: "C:\Windupdt\winupdate.exe"
              - Modifies firewall policy service
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Windows security modification
              - Checks processor information in registry
              - Enumerates system info in registry
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
  C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1594587808-2047097707-2163810515-1000\88603cb2913a7df3fbd16b5f958e6447_cc51e87d-bda7-4ef7-80cf-c431fec6b805
    MD5: 5fc2ac2a310f49c14d195230b91a8885
    SHA1: 90855cc11136ba31758fe33b5cf9571f9a104879
    SHA256: 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
    SHA512: ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
  C:\Windupdt\winupdate.exe
    MD5: c141544a4f99774f1bcf7defa3e3baba
    SHA1: ab484007489c1f7795edb0623dc4b1fce3310811
    SHA256: 95c0d030c5f53d1133be30a35abdf0627f1cc15ce6b769d1565c656db44d289f
    SHA512: 347e17179bb9db514701166f2f5061c2407d8e194e4ca91c99d6ff083ea1e4832791e1fdf47e410f582518a851724cfea7cf5e185142ba65b295b7dcf7503718
  memory/632-127-0x000000000049E90C-mapping.dmp
  memory/632-130-0x00000000021C0000-0x00000000021C1000-memory.dmp (Filesize: 4KB)
  memory/632-129-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
  memory/2844-120-0x0000000000000000-mapping.dmp
  memory/3888-116-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
  memory/3888-117-0x000000000049E90C-mapping.dmp
  memory/3888-119-0x0000000002240000-0x0000000002241000-memory.dmp (Filesize: 4KB)
  memory/3888-118-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)