Analysis
max time kernel: 134s
max time network: 146s
platform: windows7_x64
resource: win7v20210410
submitted: 18-06-2021 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
  Resource: win10v20210408
General
Target: c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
Size: 3.1MB
MD5: 327090cbddf94fc901662f0e863ba0cb
SHA1: fd357aad2d5529127d90757987a2c5ce88ea2a76
SHA256: c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7
SHA512: 16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
  pid   Process
  1688  updater10.exe
Processes:
  resource                                     yara_rule
  behavioral1/files/0x0005000000013154-63.dat  upx
  behavioral1/files/0x0005000000013154-65.dat  upx
  behavioral1/files/0x0005000000013154-64.dat  upx
  behavioral1/files/0x0005000000013154-67.dat  upx
Deletes itself 1 IoCs
Processes:
  pid   Process
  1688  updater10.exe
Loads dropped DLL 2 IoCs
Processes:
  pid  Process
  568  cmd.exe
  568  cmd.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0"
  Process: updater10.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     api.ipify.org
  5     api.ipify.org
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                          pid   Process
  Token: SeIncreaseQuotaPrivilege      1384  wmic.exe
  Token: SeSecurityPrivilege           1384  wmic.exe
  Token: SeTakeOwnershipPrivilege      1384  wmic.exe
  Token: SeLoadDriverPrivilege         1384  wmic.exe
  Token: SeSystemProfilePrivilege      1384  wmic.exe
  Token: SeSystemtimePrivilege         1384  wmic.exe
  Token: SeProfSingleProcessPrivilege  1384  wmic.exe
  Token: SeIncBasePriorityPrivilege    1384  wmic.exe
  Token: SeCreatePagefilePrivilege     1384  wmic.exe
  Token: SeBackupPrivilege             1384  wmic.exe
  Token: SeRestorePrivilege            1384  wmic.exe
  Token: SeShutdownPrivilege           1384  wmic.exe
  Token: SeDebugPrivilege              1384  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1384  wmic.exe
  Token: SeRemoteShutdownPrivilege     1384  wmic.exe
  Token: SeUndockPrivilege             1384  wmic.exe
  Token: SeManageVolumePrivilege       1384  wmic.exe
  Token: 33                            1384  wmic.exe
  Token: 34                            1384  wmic.exe
  Token: 35                            1384  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1384  wmic.exe
  Token: SeSecurityPrivilege           1384  wmic.exe
  Token: SeTakeOwnershipPrivilege      1384  wmic.exe
  Token: SeLoadDriverPrivilege         1384  wmic.exe
  Token: SeSystemProfilePrivilege      1384  wmic.exe
  Token: SeSystemtimePrivilege         1384  wmic.exe
  Token: SeProfSingleProcessPrivilege  1384  wmic.exe
  Token: SeIncBasePriorityPrivilege    1384  wmic.exe
  Token: SeCreatePagefilePrivilege     1384  wmic.exe
  Token: SeBackupPrivilege             1384  wmic.exe
  Token: SeRestorePrivilege            1384  wmic.exe
  Token: SeShutdownPrivilege           1384  wmic.exe
  Token: SeDebugPrivilege              1384  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1384  wmic.exe
  Token: SeRemoteShutdownPrivilege     1384  wmic.exe
  Token: SeUndockPrivilege             1384  wmic.exe
  Token: SeManageVolumePrivilege       1384  wmic.exe
  Token: 33                            1384  wmic.exe
  Token: 34                            1384  wmic.exe
  Token: 35                            1384  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1400  wmic.exe
  Token: SeSecurityPrivilege           1400  wmic.exe
  Token: SeTakeOwnershipPrivilege      1400  wmic.exe
  Token: SeLoadDriverPrivilege         1400  wmic.exe
  Token: SeSystemProfilePrivilege      1400  wmic.exe
  Token: SeSystemtimePrivilege         1400  wmic.exe
  Token: SeProfSingleProcessPrivilege  1400  wmic.exe
  Token: SeIncBasePriorityPrivilege    1400  wmic.exe
  Token: SeCreatePagefilePrivilege     1400  wmic.exe
  Token: SeBackupPrivilege             1400  wmic.exe
  Token: SeRestorePrivilege            1400  wmic.exe
  Token: SeShutdownPrivilege           1400  wmic.exe
  Token: SeDebugPrivilege              1400  wmic.exe
  Token: SeSystemEnvironmentPrivilege  1400  wmic.exe
  Token: SeRemoteShutdownPrivilege     1400  wmic.exe
  Token: SeUndockPrivilege             1400  wmic.exe
  Token: SeManageVolumePrivilege       1400  wmic.exe
  Token: 33                            1400  wmic.exe
  Token: 34                            1400  wmic.exe
  Token: 35                            1400  wmic.exe
  Token: SeIncreaseQuotaPrivilege      1400  wmic.exe
  Token: SeSecurityPrivilege           1400  wmic.exe
  Token: SeTakeOwnershipPrivilege      1400  wmic.exe
  Token: SeLoadDriverPrivilege         1400  wmic.exe
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
  description                        pid   Process                                                                  procid_target
  PID 1088 wrote to memory of 1384   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  29
  PID 1088 wrote to memory of 1384   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  29
  PID 1088 wrote to memory of 1384   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  29
  PID 1088 wrote to memory of 1400   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  32
  PID 1088 wrote to memory of 1400   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  32
  PID 1088 wrote to memory of 1400   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  32
  PID 1088 wrote to memory of 1732   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  34
  PID 1088 wrote to memory of 1732   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  34
  PID 1088 wrote to memory of 1732   1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  34
  PID 1088 wrote to memory of 568    1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  36
  PID 1088 wrote to memory of 568    1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  36
  PID 1088 wrote to memory of 568    1088  c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe  36
  PID 568 wrote to memory of 1688    568   cmd.exe                                                                  38
  PID 568 wrote to memory of 1688    568   cmd.exe                                                                  38
  PID 568 wrote to memory of 1688    568   cmd.exe                                                                  38
  PID 1688 wrote to memory of 960    1688  updater10.exe                                                            39
  PID 1688 wrote to memory of 960    1688  updater10.exe                                                            39
  PID 1688 wrote to memory of 960    1688  updater10.exe                                                            39
  PID 1688 wrote to memory of 1448   1688  updater10.exe                                                            41
  PID 1688 wrote to memory of 1448   1688  updater10.exe                                                            41
  PID 1688 wrote to memory of 1448   1688  updater10.exe                                                            41
  PID 1688 wrote to memory of 296    1688  updater10.exe                                                            43
  PID 1688 wrote to memory of 296    1688  updater10.exe                                                            43
  PID 1688 wrote to memory of 296    1688  updater10.exe                                                            43
  PID 1688 wrote to memory of 1204   1688  updater10.exe                                                            45
  PID 1688 wrote to memory of 1204   1688  updater10.exe                                                            45
  PID 1688 wrote to memory of 1204   1688  updater10.exe                                                            45
Processes
[1] C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1088
    [2] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        - Suspicious use of AdjustPrivilegeToken
        PID: 1384
    [2] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        - Suspicious use of AdjustPrivilegeToken
        PID: 1400
    [2] C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        PID: 1732
    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 568
        [3] C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
            Command line: "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"
            - Executes dropped EXE
            - Deletes itself
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
            PID: 1688
            [4] C:\Windows\System32\Wbem\wmic.exe
                Command line: wmic process get Caption,ParentProcessId,ProcessId
                PID: 960
            [4] C:\Windows\System32\Wbem\wmic.exe
                Command line: wmic process get Caption,ParentProcessId,ProcessId
                PID: 1448
            [4] C:\Windows\System32\cmd.exe
                Command line: C:\Windows\System32\cmd.exe ver
                PID: 296
            [4] C:\Windows\System32\Wbem\wmic.exe
                Command line: wmic process get Caption,ParentProcessId,ProcessId
                PID: 1204
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 327090cbddf94fc901662f0e863ba0cb
SHA1: fd357aad2d5529127d90757987a2c5ce88ea2a76
SHA256: c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7
SHA512: 16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6