Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 16-05-2021 01:42
Static task: static1
Behavioral task: behavioral1
- Sample: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Resource: win10v20210410
General
- Target: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Size: 1.4MB
- MD5: 07a4de5e099cd55e79a6d78c19776a14
- SHA1: df22642227a1dd4f4f158ee793a88581797dfaab
- SHA256: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6
- SHA512: 2734c721f66126f1fdd5979c8ae6ccbaadd938e17b0f4efabf8448f2863ce500fa1470e14352c10ca6f5c5e445f0c65e00225ad285ca36dc5c4982e88acea1de
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: winupdate.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
- Executes dropped EXE (2 IoCs)
  Processes: winupdate.exe, winupdate.exe
  pid | process
  4016 | winupdate.exe
  204 | winupdate.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Windows security modification
  Processes: winupdate.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  description | pid | process | target process
  PID 2232 set thread context of 1760 | 2232 | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  PID 4016 set thread context of 204 | 4016 | winupdate.exe | winupdate.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe
- Modifies registry class (1 IoC)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: winupdate.exe
  pid | process
  204 | winupdate.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  Token privileges adjusted by PID 1760 (2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe), 24 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Token privileges adjusted by PID 204 (winupdate.exe), 24 entries:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe, winupdate.exe
  pid | process
  2232 | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
  4016 | winupdate.exe
  204 | winupdate.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe, winupdate.exe
  description | pid | process | target process | count
  PID 2232 wrote to memory of 1760 | 2232 | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe | 14
  PID 1760 wrote to memory of 4016 | 1760 | 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe | winupdate.exe | 3
  PID 4016 wrote to memory of 204 | 4016 | winupdate.exe | winupdate.exe | 14
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe (child of process 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6.exe"
   - Modifies WinLogon for persistence
   - Checks BIOS information in registry
   - Checks computer location settings
   - Adds Run key to start application
   - Checks processor information in registry
   - Enumerates system info in registry
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
3. C:\Windupdt\winupdate.exe (child of process 2)
   Command line: "C:\Windupdt\winupdate.exe"
   - Executes dropped EXE
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
4. C:\Windupdt\winupdate.exe (child of process 3)
   Command line: "C:\Windupdt\winupdate.exe"
   - Modifies firewall policy service
   - Executes dropped EXE
   - Checks BIOS information in registry
   - Windows security modification
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3686645723-710336880-414668232-1000\88603cb2913a7df3fbd16b5f958e6447_89bbad60-16d5-41c2-ad8d-716f4ac5f4c2
  MD5: 5fc2ac2a310f49c14d195230b91a8885
  SHA1: 90855cc11136ba31758fe33b5cf9571f9a104879
  SHA256: 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092
  SHA512: ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3
- C:\Windupdt\winupdate.exe (hashes identical to the submitted sample)
  MD5: 07a4de5e099cd55e79a6d78c19776a14
  SHA1: df22642227a1dd4f4f158ee793a88581797dfaab
  SHA256: 2e09bd5656c7d02caf8ebad3663412abbf24570f91c5884156ba57d428a61df6
  SHA512: 2734c721f66126f1fdd5979c8ae6ccbaadd938e17b0f4efabf8448f2863ce500fa1470e14352c10ca6f5c5e445f0c65e00225ad285ca36dc5c4982e88acea1de
- memory/204-127-0x000000000049E90C-mapping.dmp
- memory/204-129-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
- memory/204-130-0x00000000005E0000-0x000000000072A000-memory.dmp (Filesize: 1.3MB)
- memory/1760-116-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
- memory/1760-117-0x000000000049E90C-mapping.dmp
- memory/1760-118-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
- memory/1760-119-0x0000000000660000-0x0000000000661000-memory.dmp (Filesize: 4KB)
- memory/4016-120-0x0000000000000000-mapping.dmp