Analysis

Max time kernel:  150s
Max time network: 153s
Platform:         windows10_x64
Resource:         win10v20210410
Submitted:        16-05-2021 02:26

Tasks
  static1      Static task
  behavioral1  Behavioral task   Sample: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe   Resource: win7v20210410
  behavioral2  Behavioral task   Sample: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe   Resource: win10v20210410

The behavioural results below are those of the windows10_x64 run (behavioral2, win10v20210410).

General

Target: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe
Size:   680KB
MD5:    ed5d29a9ba18920e91a5947fa81e10ee
SHA1:   2900a0904d02f022c270f2996294bd3687b47135
SHA256: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8
SHA512: 437f039df0d403bef6e05be82e41883ba4ceeb43448e9dcef878b003d96ba6d2f4c44240b4c973133df0c3dadf9b7dbca6227e87f91c118033c4347164f6be8e
Malware Config
(none shown in this report)

Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (PID 2016)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"
  winlogon.exe launches every comma-separated entry of Userinit at interactive logon, so the appended winupdate.exe runs for every user who logs on, independently of the per-user Run key below. Writing this HKLM value requires administrative rights.

Executes dropped EXE (1 IoC)
  Process: winupdate.exe (PID 2960)

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (PID 2016)
  Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation

Adds Run key to start application (2 TTPs, 2 IoCs)
  Both the original sample and the dropped copy write the same per-user Run value:
  Process: winupdate.exe (PID 2960)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater
    = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"
  Process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (PID 2016)
  Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater
    = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies registry class (1 IoC)
  Process: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (PID 2016)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance

Runs ping.exe (1 TTP, 1 IoC)
  PING.EXE (PID 4092), spawned by cmd.exe; see the process tree below.

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe (PID 2016) and winupdate.exe (PID 2960) enable the same 24 privileges in their own token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and four privileges the sandbox reports only by number (33, 34, 35, 36).
  Identical privilege sets from both PIDs are consistent with winupdate.exe being the same binary as the sample (see Downloads).

Suspicious use of WriteProcessMemory (9 IoCs)
  PID 2016 (6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe) wrote to memory of PID 2960 (winupdate.exe)   x3
  PID 2016 (6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe) wrote to memory of PID 1972 (cmd.exe)         x3
  PID 1972 (cmd.exe) wrote to memory of PID 4092 (PING.EXE)                                                                     x3
  Every target is a child the writer had just created, and no write into an unrelated process is recorded, so these writes are consistent with process creation rather than with injection into a foreign process.
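The two registry writes above (the machine-wide Userinit value and the per-user Run value) are the whole of the sample's persistence. The Python below is an added example, not part of the sandbox report and not the sample's code: it parses "Set value (str)" lines in the report's own format, flags a Userinit value carrying anything beyond the stock userinit.exe, and flags a Run value that points into a user-writable directory. The event lines are constructed from the values recorded above plus one benign control; the function and constant names, and the set of directories treated as user-writable, are this example's own choices.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: registry-write events in the same
#   Set value (str) <key> = "<value>"
# shape as the report's IoC lines. The first two values are the ones the
# report records; the third is a benign control (a stock Userinit value)
# that must not be flagged.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Windupdt\\winupdate.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,"',
]

SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)"$')

# The only entry Windows itself puts in Userinit. Every further comma-separated
# entry is started by winlogon.exe at each interactive logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Directories a normal user can write to; a Run/Userinit target living there
# is worth a look (assumption: this list is the example's own, extend it as needed).
USER_WRITABLE_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    technique: str   # current ATT&CK IDs; ATT&CK v6, which this report uses, numbered them T1004 and T1060
    key: str
    detail: str


def parse_set_value(line: str):
    """Return (key, value) for a 'Set value (str)' line, unescaping the doubled backslashes."""
    m = SET_VALUE_RE.match(line)
    if m is None:
        return None
    return m.group("key"), m.group("value").replace("\\\\", "\\")


def userinit_extras(value: str) -> list[str]:
    """Entries of a Userinit value other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != DEFAULT_USERINIT]


def in_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def find_persistence(lines) -> list[Finding]:
    """Scan report-style registry events for Winlogon and Run-key persistence."""
    findings: list[Finding] = []
    for line in lines:
        parsed = parse_set_value(line)
        if parsed is None:
            continue
        key, value = parsed
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            extras = userinit_extras(value)
            if extras:
                findings.append(Finding("T1547.004", key, "extra Userinit entries: " + "; ".join(extras)))
        elif "\\currentversion\\run\\" in k and in_user_writable_dir(value):
            findings.append(Finding("T1547.001", key, "Run target in user-writable directory: " + value))
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f"{f.technique}  {f.key}\n    {f.detail}")
```

Run against the constructed events it reports the Userinit hijack once and the Run key once, and stays silent on the stock Userinit value. The same two checks map directly onto a live host: read the two keys and feed their values to userinit_extras and in_user_writable_dir.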
Processes

1. C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe  (PID 2016)
   Command line: "C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe  (PID 2960)
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\cmd.exe  (PID 1972)
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE  (PID 4092)
         Command line: ping 127.0.0.1 -n 5
         - Runs ping.exe

The cmd.exe branch is the sample's self-deletion: a running executable cannot delete its own image, so the sample hands the job to a shell. /k keeps cmd.exe alive, ping to 127.0.0.1 with -n 5 stalls for roughly four seconds while the parent exits and its file is released, and del then removes the original from Temp. The copy already dropped under ProgramData and registered in Userinit and Run survives.

The command lines name C:\Windows\System32\cmd.exe, but the processes that actually ran are C:\Windows\SysWOW64\cmd.exe and C:\Windows\SysWOW64\PING.EXE: file-system redirection of a 32-bit process on 64-bit Windows. The sample is a 32-bit executable running under WOW64, which is also why its CLSID key was created under WOW6432Node.
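The "ping then del" command line above is a reusable hunting signature. The Python below is an added example, not part of the sandbox report and not the sample's code: it recognises a cmd.exe instance that waits on ping and then deletes a file, estimates the delay from the -n count, and checks whether the deleted path is the parent process's own image. The process records are constructed from the tree above (the sample's own parent PID is not in the report, so it is left as None) plus one benign control; the regexes and names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8.exe"

# Constructed process records (pid, ppid, image path, command line) that
# mirror the report's tree. The sample's parent is not in the report (None).
# The last record is a benign control (a plain ping) that must not be flagged.
SAMPLE_PROCESSES = [
    (2016, None, SAMPLE, f'"{SAMPLE}"'),
    (1972, 2016, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "{SAMPLE}"'),
    (4092, 1972, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 5"),
    (5555, None, r"C:\Windows\System32\cmd.exe", '"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 2'),
]

# "ping <everything up to the next & or |>", so -n may sit on either side of the host.
PING_RE = re.compile(r"\bping(?:\.exe)?\b(?P<args>[^&|]*)", re.IGNORECASE)
COUNT_RE = re.compile(r"-n\s+(?P<count>\d+)", re.IGNORECASE)
# del/erase, optional switches, an optionally quoted path, up to the next operator or end of line.
DEL_RE = re.compile(r'\b(?:del|erase)\s+(?:/[a-z]\s+)*"?(?P<target>[^"&|]+?)"?\s*(?:&|\||$)', re.IGNORECASE)


@dataclass(frozen=True)
class SelfDelete:
    pid: int
    delay_seconds: int
    target: str
    deletes_parent: bool


def parse_ping_delay(cmdline: str) -> Optional[int]:
    """Seconds a 'ping <host> -n N' stalls for, or None if the line has no ping."""
    m = PING_RE.search(cmdline)
    if m is None:
        return None
    c = COUNT_RE.search(m.group("args"))
    count = int(c.group("count")) if c else 4   # ping sends 4 echo requests by default
    return max(count - 1, 0)                     # first request is immediate, then ~1 s between each


def parse_del_target(cmdline: str) -> Optional[str]:
    """Path handed to del/erase in the command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group("target").strip() if m else None


def find_self_delete(processes) -> list[SelfDelete]:
    """Flag cmd.exe instances that wait on ping and then delete a file, and
    record whether that file is the image of the process that spawned them."""
    by_pid = {p[0]: p for p in processes}
    found: list[SelfDelete] = []
    for pid, ppid, image, cmdline in processes:
        if not image.lower().endswith("\\cmd.exe"):
            continue
        delay = parse_ping_delay(cmdline)
        target = parse_del_target(cmdline)
        if delay is None or target is None:
            continue
        parent = by_pid.get(ppid)
        deletes_parent = parent is not None and parent[2].lower() == target.lower()
        found.append(SelfDelete(pid, delay, target, deletes_parent))
    return found


if __name__ == "__main__":
    for f in find_self_delete(SAMPLE_PROCESSES):
        who = "its parent's own image" if f.deletes_parent else "another file"
        print(f"PID {f.pid}: waits ~{f.delay_seconds}s via ping, then deletes {who}: {f.target}")
```

On the constructed tree only PID 1972 fires, with a four-second delay and deletes_parent set, because the del target equals the image of PID 2016. The parent check is what separates self-deletion from an ordinary cleanup script, so keep it when porting the logic to EDR process-creation telemetry.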
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Windupdt\winupdate.exe  (listed twice in the report, once as dropped and once as executed)
  MD5:    ed5d29a9ba18920e91a5947fa81e10ee
  SHA1:   2900a0904d02f022c270f2996294bd3687b47135
  SHA256: 6cd7f3906f7f27fe29c4b66549d910fa4ea5e9b6dd133ee1a2701bac992fe6c8
  SHA512: 437f039df0d403bef6e05be82e41883ba4ceeb43448e9dcef878b003d96ba6d2f4c44240b4c973133df0c3dadf9b7dbca6227e87f91c118033c4347164f6be8e
  All four hashes match the submitted sample: winupdate.exe is a byte-for-byte copy of the original executable, not a separate second-stage payload. The single hash set covers both the file in Temp and the persistent copy under ProgramData.

Memory dumps
  memory/1972-118-0x0000000000000000-mapping.dmp
  memory/2016-114-0x00000000022E0000-0x00000000022E1000-memory.dmp   (4KB)
  memory/2960-115-0x0000000000000000-mapping.dmp
  memory/2960-119-0x00000000021A0000-0x00000000021A1000-memory.dmp   (4KB)
  memory/4092-120-0x0000000000000000-mapping.dmp