Overview

overview

10

Static

static

updatewin1.exe

windows7_x64

10

updatewin1.exe

windows10_x64

10

Analysis

  • max time kernel
    27s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    13-06-2021 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    updatewin1.exe

  • Size

    272KB

  • MD5

    5b4bd24d6240f467bfbc74803c9f15b0

  • SHA1

    c17f98c182d299845c54069872e8137645768a1a

  • SHA256

    14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

  • SHA512

    a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Score
10/10
evasion

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Disables Task Manager via registry modification
    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\updatewin1.exe
    "C:\Users\Admin\AppData\Local\Temp\updatewin1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:624
    • C:\Users\Admin\AppData\Local\Temp\updatewin1.exe
      "C:\Users\Admin\AppData\Local\Temp\updatewin1.exe" --Admin
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1180
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:384
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3852
      • C:\Program Files\Windows Defender\mpcmdrun.exe
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        3⤵
        • Deletes Windows Defender Definitions
        PID:2288
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        3⤵
          PID:3904

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Impair Defenses

    1
    T1562

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      13151583954f0def829054cc3eae25ec

      SHA1

      2a2b013e8d4201ddc8a80f9680931873702d0213

      SHA256

      eb542ae9c791940e8e74833eb50543dbbcbc8bf8485698fad82a8b079546c8a7

      SHA512

      3f7a6d0e5ca29de7b02f5cb993c508ce0c0df12c3d970a3ad6da95149b4cb5cc7a138e7ed6f83e910cb39120f199b3f74fc0ec1a14ca86435a52f247c2514aaf

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      372332d7afe64063e0bb01d5fd332b3e

      SHA1

      569a4c20fb1f605c831522d44e56b21d2242b3b2

      SHA256

      d3642c7b9a2c43f70454c1ef95b7eeccda68104231d6ac9889ccb9aaaf25a713

      SHA512

      f72def2ec02a4538e8ab2a0a1011e6ad9b3461b9d38aaf816b7121268598e2095b25a550fb666af19c0b935ba11fe49cc6ae0bc997e5f3bbc05194847a0f9425

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      eab57e200a36d01ea294a0f53ae9ccc9

      SHA1

      7ab408d3b218435d382fa79f3569769379787804

      SHA256

      277b7a47e2169927dc3bc512028bd9c9725bcb98e2298662a9f2c30e24fd27ed

      SHA512

      ff57f6226e619ceef70332e96c855d597abaa15799b97fda5ca9debe0e443a5572ab4fd7e14d46adb13462cfe0a6b9dd83ba9fc5554cd709624e6df09c9f2655

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\delself.bat
      MD5

      9e5ded39abd73456458318c691bbd679

      SHA1

      0b111626c3687fbd3f647b01fa27d26c88c4583d

      SHA256

      2c4cad4d2fa2df8c8a61085b6ecc91215486fbb5d8e643eec889fc5709a5813f

      SHA512

      564c2319b34847b605c1a73db2427ad29d52579cc22cece04c327040b7a9a77591cc6e2dfffa825e70a4534451e70b80e04c01a0b9a3b12c0b96c594bb9c07e4

      Download Submit
    • C:\Users\Admin\AppData\Local\script.ps1
      MD5

      f972c62f986b5ed49ad7713d93bf6c9f

      SHA1

      4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

      SHA256

      b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

      SHA512

      2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

      Download Submit
    • memory/384-193-0x0000000004B33000-0x0000000004B34000-memory.dmp
      Filesize

      4KB

      Download
    • memory/384-191-0x0000000004B32000-0x0000000004B33000-memory.dmp
      Filesize

      4KB

      Download
    • memory/384-190-0x0000000004B30000-0x0000000004B31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/384-187-0x0000000000000000-mapping.dmp
      Download
    • memory/624-114-0x0000000000400000-0x000000000044D000-memory.dmp
      Filesize

      308KB

      Download
    • memory/1180-115-0x0000000000000000-mapping.dmp
      Download
    • memory/1180-117-0x0000000000400000-0x000000000044D000-memory.dmp
      Filesize

      308KB

      Download
    • memory/1500-152-0x0000000006A83000-0x0000000006A84000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-124-0x0000000006ED0000-0x0000000006ED1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-130-0x00000000080D0000-0x00000000080D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-138-0x0000000008E20000-0x0000000008E53000-memory.dmp
      Filesize

      204KB

      Download
    • memory/1500-145-0x0000000008E00000-0x0000000008E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-150-0x0000000008FD0000-0x0000000008FD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-128-0x0000000007890000-0x0000000007891000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-151-0x000000007E510000-0x000000007E511000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-153-0x0000000009330000-0x0000000009331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-186-0x0000000006A86000-0x0000000006A88000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1500-127-0x00000000079B0000-0x00000000079B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-126-0x0000000007760000-0x0000000007761000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-125-0x00000000076F0000-0x00000000076F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-129-0x0000000008290000-0x0000000008291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-123-0x00000000070C0000-0x00000000070C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-116-0x0000000000000000-mapping.dmp
      Download
    • memory/1500-121-0x0000000006A80000-0x0000000006A81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-120-0x00000000068C0000-0x00000000068C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1500-122-0x0000000006A82000-0x0000000006A83000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2288-194-0x0000000000000000-mapping.dmp
      Download
    • memory/3852-198-0x00000000072B0000-0x00000000072B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3852-199-0x00000000072B2000-0x00000000072B3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3852-192-0x0000000000000000-mapping.dmp
      Download
    • memory/3852-201-0x000000007EAB0000-0x000000007EAB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3852-202-0x00000000072B3000-0x00000000072B4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3904-195-0x0000000000000000-mapping.dmp
      Download