Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 16-05-2021 02:26
Static task: static1
Behavioral task: behavioral1
- Sample: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
- Resource: win10v20210410
General
- Target: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
- Size: 680KB
- MD5: ed5d29a9ba18920e91a5947fa81e10ee
- SHA1: 2900a0904d02f022c270f2996294bd3687b47135
- SHA256: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8
- SHA512: 437f039df0d403bef6e05be82e41883ba4ceeb43448e9dcef878b003d96ba6d2f4c44240b4c973133df0c3dadf9b7dbca6227e87f91c118033c4347164f6be8e
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"
    process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1600: winupdate.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1640: cmd.exe
- Loads dropped DLL (4 IoCs)
  Processes:
    pid 1096: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (1 event)
    pid 1600: winupdate.exe (3 events)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"
    process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"
    process: winupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    pid 1096 (6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
    pid 1600 (winupdate.exe), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes:
    PID 1096 (6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe) wrote to memory of 1600 (winupdate.exe): 7 events
    PID 1096 (6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe) wrote to memory of 1640 (cmd.exe): 4 events
    PID 1640 (cmd.exe) wrote to memory of 396 (PING.EXE): 4 events
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 5
      - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe
  MD5: ed5d29a9ba18920e91a5947fa81e10ee
  SHA1: 2900a0904d02f022c270f2996294bd3687b47135
  SHA256: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8
  SHA512: 437f039df0d403bef6e05be82e41883ba4ceeb43448e9dcef878b003d96ba6d2f4c44240b4c973133df0c3dadf9b7dbca6227e87f91c118033c4347164f6be8e
- \ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe
  MD5: ed5d29a9ba18920e91a5947fa81e10ee
  SHA1: 2900a0904d02f022c270f2996294bd3687b47135
  SHA256: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8
  SHA512: 437f039df0d403bef6e05be82e41883ba4ceeb43448e9dcef878b003d96ba6d2f4c44240b4c973133df0c3dadf9b7dbca6227e87f91c118033c4347164f6be8e
- memory/396-71-0x0000000000000000-mapping.dmp
- memory/1096-60-0x00000000752F1000-0x00000000752F3000-memory.dmp (Filesize: 8KB)
- memory/1096-61-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1600-63-0x0000000000000000-mapping.dmp
- memory/1600-72-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
- memory/1640-70-0x0000000000000000-mapping.dmp