Analysis
-
max time kernel
132s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
18-06-2021 07:27
Static task
static1
Behavioral task
behavioral1
Sample
c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
Resource
win10v20210408
General
-
Target
c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe
-
Size
3.1MB
-
MD5
327090cbddf94fc901662f0e863ba0cb
-
SHA1
fd357aad2d5529127d90757987a2c5ce88ea2a76
-
SHA256
c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7
-
SHA512
16b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
updater10.exepid Process 2328 updater10.exe -
Processes:
resource yara_rule behavioral2/files/0x000100000001ab2a-119.dat upx behavioral2/files/0x000100000001ab2a-120.dat upx -
Deletes itself 1 IoCs
Processes:
updater10.exepid Process 2328 updater10.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
updater10.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -1 -0" updater10.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 13 api.ipify.org 14 api.ipify.org -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
wmic.exewmic.exedescription pid Process Token: SeIncreaseQuotaPrivilege 492 wmic.exe Token: SeSecurityPrivilege 492 wmic.exe Token: SeTakeOwnershipPrivilege 492 wmic.exe Token: SeLoadDriverPrivilege 492 wmic.exe Token: SeSystemProfilePrivilege 492 wmic.exe Token: SeSystemtimePrivilege 492 wmic.exe Token: SeProfSingleProcessPrivilege 492 wmic.exe Token: SeIncBasePriorityPrivilege 492 wmic.exe Token: SeCreatePagefilePrivilege 492 wmic.exe Token: SeBackupPrivilege 492 wmic.exe Token: SeRestorePrivilege 492 wmic.exe Token: SeShutdownPrivilege 492 wmic.exe Token: SeDebugPrivilege 492 wmic.exe Token: SeSystemEnvironmentPrivilege 492 wmic.exe Token: SeRemoteShutdownPrivilege 492 wmic.exe Token: SeUndockPrivilege 492 wmic.exe Token: SeManageVolumePrivilege 492 wmic.exe Token: 33 492 wmic.exe Token: 34 492 wmic.exe Token: 35 492 wmic.exe Token: 36 492 wmic.exe Token: SeIncreaseQuotaPrivilege 492 wmic.exe Token: SeSecurityPrivilege 492 wmic.exe Token: SeTakeOwnershipPrivilege 492 wmic.exe Token: SeLoadDriverPrivilege 492 wmic.exe Token: SeSystemProfilePrivilege 492 wmic.exe Token: SeSystemtimePrivilege 492 wmic.exe Token: SeProfSingleProcessPrivilege 492 wmic.exe Token: SeIncBasePriorityPrivilege 492 wmic.exe Token: SeCreatePagefilePrivilege 492 wmic.exe Token: SeBackupPrivilege 492 wmic.exe Token: SeRestorePrivilege 492 wmic.exe Token: SeShutdownPrivilege 492 wmic.exe Token: SeDebugPrivilege 492 wmic.exe Token: SeSystemEnvironmentPrivilege 492 wmic.exe Token: SeRemoteShutdownPrivilege 492 wmic.exe Token: SeUndockPrivilege 492 wmic.exe Token: SeManageVolumePrivilege 492 wmic.exe Token: 33 492 wmic.exe Token: 34 492 wmic.exe Token: 35 492 wmic.exe Token: 36 492 wmic.exe Token: SeIncreaseQuotaPrivilege 2936 wmic.exe Token: SeSecurityPrivilege 2936 wmic.exe Token: SeTakeOwnershipPrivilege 2936 wmic.exe Token: SeLoadDriverPrivilege 2936 wmic.exe Token: SeSystemProfilePrivilege 2936 wmic.exe Token: SeSystemtimePrivilege 2936 wmic.exe Token: SeProfSingleProcessPrivilege 2936 wmic.exe Token: SeIncBasePriorityPrivilege 2936 wmic.exe Token: SeCreatePagefilePrivilege 2936 wmic.exe Token: SeBackupPrivilege 2936 wmic.exe Token: SeRestorePrivilege 2936 wmic.exe Token: SeShutdownPrivilege 2936 wmic.exe Token: SeDebugPrivilege 2936 wmic.exe Token: SeSystemEnvironmentPrivilege 2936 wmic.exe Token: SeRemoteShutdownPrivilege 2936 wmic.exe Token: SeUndockPrivilege 2936 wmic.exe Token: SeManageVolumePrivilege 2936 wmic.exe Token: 33 2936 wmic.exe Token: 34 2936 wmic.exe Token: 35 2936 wmic.exe Token: 36 2936 wmic.exe Token: SeIncreaseQuotaPrivilege 2936 wmic.exe -
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.execmd.exeupdater10.exedescription pid Process procid_target PID 636 wrote to memory of 492 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 78 PID 636 wrote to memory of 492 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 78 PID 636 wrote to memory of 2936 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 80 PID 636 wrote to memory of 2936 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 80 PID 636 wrote to memory of 684 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 82 PID 636 wrote to memory of 684 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 82 PID 636 wrote to memory of 1140 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 84 PID 636 wrote to memory of 1140 636 c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe 84 PID 1140 wrote to memory of 2328 1140 cmd.exe 86 PID 1140 wrote to memory of 2328 1140 cmd.exe 86 PID 2328 wrote to memory of 3820 2328 updater10.exe 87 PID 2328 wrote to memory of 3820 2328 updater10.exe 87 PID 2328 wrote to memory of 3456 2328 updater10.exe 89 PID 2328 wrote to memory of 3456 2328 updater10.exe 89 PID 2328 wrote to memory of 2184 2328 updater10.exe 91 PID 2328 wrote to memory of 2184 2328 updater10.exe 91 PID 2328 wrote to memory of 196 2328 updater10.exe 93 PID 2328 wrote to memory of 196 2328 updater10.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe"C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:492
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId2⤵PID:684
-
-
C:\Windows\system32\cmd.execmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"2⤵
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Users\Admin\AppData\Local\Windows Update\updater10.exe"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7.exe\"3⤵
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId4⤵PID:3820
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId4⤵PID:3456
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe ver4⤵PID:2184
-
-
C:\Windows\System32\Wbem\wmic.exewmic process get Caption,ParentProcessId,ProcessId4⤵PID:196
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
327090cbddf94fc901662f0e863ba0cb
SHA1fd357aad2d5529127d90757987a2c5ce88ea2a76
SHA256c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7
SHA51216b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6
-
MD5
327090cbddf94fc901662f0e863ba0cb
SHA1fd357aad2d5529127d90757987a2c5ce88ea2a76
SHA256c9a2a966086a37276cc200c0f22f735d49df4e87f591fe806ca8d8597b9f60b7
SHA51216b971fab6ed01c1f72982baa11e9c2e110093746b49daa9387c329718b27b7586090fc59014a4459f14078a568497b4f96ee05e1bb65a57bca27b20959595c6