Analysis
max time kernel: 150s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 15-05-2021 08:24
Static task: static1
Behavioral task: behavioral1
  Sample: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
  Resource: win10v20210408
General
Target: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
Size: 740KB
MD5: 7a03a13ed4082028a93e64d744cd6c31
SHA1: d2c133f83b8e6907411f96008036cb5add897c37
SHA256: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22
SHA512: 6f4c7e42cc4c23f0882a1d7090487d3430c64f89631a42a00c894fad1b56b7a0320f872c0b2e0048b2c2d41ecd569786ee66b497a97b780649345e1568fc61e0
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: tmp.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Windows Update\\winupdate.exe" | tmp.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: winupdate.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | winupdate.exe

Modifies security service (2 TTPs, 1 IoC)
Processes: winupdate.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winupdate.exe

Executes dropped EXE (2 IoCs)
Processes: tmp.exe, winupdate.exe
  pid | process
  4040 | tmp.exe
  2100 | winupdate.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: tmp.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation | tmp.exe

Windows security modification
Processes: winupdate.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: tmp.exe, notepad.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\Windows Update\\winupdate.exe" | tmp.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\Windows Update\\winupdate.exe" | notepad.exe

Drops file in Windows directory (4 IoCs)
Processes: tmp.exe, notepad.exe
  description | ioc | process
  File opened for modification | C:\Windows\Windows Update\winupdate.exe | tmp.exe
  File opened for modification | C:\Windows\Windows Update\ | tmp.exe
  File created | C:\Windows\Windows Update\winupdate.exe | notepad.exe
  File created | C:\Windows\Windows Update\winupdate.exe | tmp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
Processes: tmp.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | tmp.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: winupdate.exe
  pid | process
  2100 | winupdate.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: tmp.exe (PID 4040), winupdate.exe (PID 2100)
Each of the two processes adjusted the same 24 token privileges (24 entries per process): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges listed only by number 33, 34, 35 and 36.

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe, winupdate.exe
  pid | process
  632 | 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe
  2100 | winupdate.exe

Suspicious use of WriteProcessMemory (52 IoCs)
Processes: 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe, tmp.exe
Entries are collapsed by source and target process; the report repeats each row once per write.
  description | pid | process | target process
  PID 632 wrote to memory of 4040 | 632 | 965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe | tmp.exe (3 entries)
  PID 4040 wrote to memory of 200 | 4040 | tmp.exe | notepad.exe (repeated entries)
  PID 4040 wrote to memory of 2316 | 4040 | tmp.exe | attrib.exe (3 entries)
  PID 4040 wrote to memory of 1964 | 4040 | tmp.exe | attrib.exe (3 entries)
  PID 4040 wrote to memory of 2100 | 4040 | tmp.exe | winupdate.exe (3 entries)
  PID 4040 wrote to memory of 3828 | 4040 | tmp.exe | notepad.exe (repeated entries)

System policy modification (1 TTP, 3 IoCs)
Processes: winupdate.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | winupdate.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | winupdate.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | winupdate.exe

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe
  pid | process
  2316 | attrib.exe
  1964 | attrib.exe
Processes
(tree depth is shown by indentation)

C:\Users\Admin\AppData\Local\Temp\965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe (PID 632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\965c44e42eed1cf973292171363735be199a1e914da22a402dc1c019b69dbd22.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tmp.exe (PID 4040)
    Command line: C:\Users\Admin\AppData\Local\Temp\tmp.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe (PID 200)
      Command line: notepad
      - Adds Run key to start application
      - Drops file in Windows directory

    C:\Windows\SysWOW64\attrib.exe (PID 2316)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\tmp.exe" +s +h
      - Views/modifies file attributes

    C:\Windows\SysWOW64\attrib.exe (PID 1964)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Views/modifies file attributes

    C:\Windows\Windows Update\winupdate.exe (PID 2100)
      Command line: "C:\Windows\Windows Update\winupdate.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification

    C:\Windows\SysWOW64\notepad.exe (PID 3828)
      Command line: C:\Windows\SysWOW64\notepad.exe
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe
MD5: 4d97a5d80be972483e90aa1e4f848347
SHA1: b127f774134b97aeb9f930a9179b08e36ad1a1b3
SHA256: f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2
SHA512: 1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da
C:\Windows\Windows Update\winupdate.exe (identical hashes to tmp.exe above, i.e. the same dropped binary copied to the Windows directory)
MD5: 4d97a5d80be972483e90aa1e4f848347
SHA1: b127f774134b97aeb9f930a9179b08e36ad1a1b3
SHA256: f6a9004f6c7c09a92e209d5c2cb0c107be3aa4276207f504f9c9d577489788c2
SHA512: 1b5afd2a8d121aaff0bfbbea28eed4f31be0e6fd15d4a817ea1e17082d52359f5ffb493d12bfd5587c36b3766a45eae9f4f6ab1eb1e1c177b4362a5dd1a8a7da
Memory dumps (filename, size where given):
memory/200-123-0x00000000006B0000-0x00000000007FA000-memory.dmp (1.3MB)
memory/200-120-0x0000000000000000-mapping.dmp
memory/1964-122-0x0000000000000000-mapping.dmp
memory/2100-124-0x0000000000000000-mapping.dmp
memory/2100-129-0x0000000002020000-0x0000000002021000-memory.dmp (4KB)
memory/2316-121-0x0000000000000000-mapping.dmp
memory/3828-127-0x0000000000000000-mapping.dmp
memory/3828-128-0x0000000003590000-0x0000000003591000-memory.dmp (4KB)
memory/4040-116-0x0000000000000000-mapping.dmp
memory/4040-119-0x0000000002240000-0x0000000002241000-memory.dmp (4KB)