Analysis

max time kernel: 149s
max time network: 190s
platform: windows7_x64
resource: win7v20210410
submitted: 18-06-2021 07:27

Static task: static1
Behavioral task: behavioral1
  Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Resource: win10v20210408
General

Target: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
Size: 3.1MB
MD5: 14471a353788bb6cdb6071d0e0a83004
SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid   Process
2044  updater10.exe

UPX packed file (yara rule "upx", 4 IoCs)
resource                                     yara_rule
behavioral1/files/0x00040000000130db-61.dat  upx
behavioral1/files/0x00040000000130db-62.dat  upx
behavioral1/files/0x00040000000130db-63.dat  upx
behavioral1/files/0x00040000000130db-65.dat  upx
Deletes itself (1 IoC)
pid   Process
2044  updater10.exe

Loads dropped DLL (2 IoCs)
pid   Process
2028  cmd.exe
2028  cmd.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description      ioc                                                                                                                                                                                          Process
Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"  updater10.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"                                  updater10.exe

The USER hive entry is the HKCU Run key of the sandbox user (SID ...-1000); the MACHINE hive entry requires administrative rights, so on a standard-user host only the first value would be expected.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     api.ipify.org
3     api.ipify.org
Suspicious use of AdjustPrivilegeToken (64 IoCs)
All entries are Token: <privilege> events from the two wmic.exe instances below; the listing stops at 64 entries.

pid 776 wmic.exe (the same 20 privileges, listed twice = 40 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35

pid 2040 WMIC.exe (the same 20 privileges once, then SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege again before the cut-off = 24 IoCs)

33, 34 and 35 are privilege LUIDs the sandbox did not resolve to names. wmic.exe enables every privilege present in its own token when it starts, so this set appears whenever wmic runs; it does not show the sample obtaining privileges the sandbox user did not already hold.
Suspicious use of WriteProcessMemory (39 IoCs)
13 distinct parent/child pairs, each reported three times. Child process names are taken from the Processes section; procid_target is the report's own target index.

pid   Process                                                                  wrote to memory of  child          procid_target
1164  c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe     2028                cmd.exe        26
2028  cmd.exe                                                                  2044                updater10.exe  28
2044  updater10.exe                                                            776                 wmic.exe       32
2044  updater10.exe                                                            1764                cmd.exe        35
2044  updater10.exe                                                            1592                cmd.exe        37
1592  cmd.exe                                                                  2040                WMIC.exe       39
2044  updater10.exe                                                            988                 cmd.exe        40
988   cmd.exe                                                                  1424                WMIC.exe       42
2044  updater10.exe                                                            1536                cmd.exe        43
1536  cmd.exe                                                                  948                 WMIC.exe       45
2044  updater10.exe                                                            272                 wmic.exe       46
2044  updater10.exe                                                            1984                cmd.exe        48
1984  cmd.exe                                                                  1316                WMIC.exe       50

Every target is a direct child in the process tree, so these writes are the parent setting up newly created children rather than injection into unrelated processes.
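The behaviours listed above (wmic-driven creation of a permanent WMI event subscription, process discovery via wmic, and execution from a user-writable "Windows Update" folder) can be expressed as process-creation detection rules. The following is an added example and not part of the sandbox report: it runs those rules over constructed Sysmon-style records whose command lines are copied from the Processes section of this report. The record layout, timestamps, rule names and function names are this example's own assumptions, not Sysmon or sandbox output.

```powershell
<#
Added example, not part of the sandbox report: detection logic for the
process-creation behaviour this report shows, run over constructed
Sysmon-style records. Command lines come from the report's Processes
section; everything else here is an assumption of this example.
#>

$WmiSubscriptionClasses = '__EventFilter', 'CommandLineEventConsumer', '__FilterToConsumerBinding'

function Get-WmiSubscriptionCreate {
    # Returns the class created in root\subscription, or $null when the command
    # line is not a wmic subscription CREATE. Quoted and unquoted namespace
    # spellings are accepted; -match is case-insensitive by default.
    param([string]$CommandLine)
    if ($CommandLine -notmatch '/namespace:\s*[''"]?\\\\root\\subscription') { return $null }
    if ($CommandLine -match '\bPATH\s+(__EventFilter|CommandLineEventConsumer|__FilterToConsumerBinding)\s+CREATE\b') {
        return $Matches[1]
    }
    return $null
}

function Invoke-ProcessCreateRules {
    # Applies per-event rules, then correlates filter + consumer + binding
    # creation inside one time window into a single high-severity alert.
    param([object[]]$Events, [int]$WindowMinutes = 10)
    $alerts = New-Object System.Collections.Generic.List[object]
    foreach ($e in $Events) {
        $cls = Get-WmiSubscriptionCreate $e.CommandLine
        if ($cls) {
            $alerts.Add([pscustomobject]@{ Time=$e.UtcTime; ProcessId=$e.ProcessId; Rule='WMI subscription CREATE'; Detail=$cls })
        }
        if ($e.CommandLine -match '\bwmic(\.exe)?"?\s+process\s+get\b') {
            $alerts.Add([pscustomobject]@{ Time=$e.UtcTime; ProcessId=$e.ProcessId; Rule='Process discovery via wmic'; Detail=$e.CommandLine })
        }
        if ($e.Image -match '\\AppData\\Local\\Windows Update\\[^\\]+\.exe$') {
            $alerts.Add([pscustomobject]@{ Time=$e.UtcTime; ProcessId=$e.ProcessId; Rule='Executable in user-writable "Windows Update" folder'; Detail=$e.Image })
        }
    }
    $creates = @($alerts | Where-Object { $_.Rule -eq 'WMI subscription CREATE' } | Sort-Object Time)
    if ($creates.Count -gt 0) {
        $seen = @{}
        foreach ($c in $creates) { $seen[$c.Detail] = $true }
        $missing = @($WmiSubscriptionClasses | Where-Object { -not $seen.ContainsKey($_) })
        $span = $creates[-1].Time - $creates[0].Time
        if ($missing.Count -eq 0 -and $span.TotalMinutes -le $WindowMinutes) {
            $alerts.Add([pscustomobject]@{ Time=$creates[-1].Time; ProcessId=$creates[-1].ProcessId
                Rule='WMI persistence chain complete'; Detail="filter, consumer and binding created within $([int]$span.TotalSeconds)s" })
        }
    }
    return ,$alerts
}

# Constructed sample records. Command lines are verbatim from the report
# (including the stray trailing parenthesis on the binding); times are invented.
$UpdaterExe = 'C:\Users\Admin\AppData\Local\Windows Update\updater10.exe'
$UpdaterCmd = @'
"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
'@
$FilterCmd = @'
wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
'@
$ConsumerCmd = @'
wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
'@
$BindingCmd = @'
wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
'@
$SampleEvents = @(
    [pscustomobject]@{ UtcTime=[datetime]'2021-06-18 07:28:40'; ProcessId=2044; Image=$UpdaterExe; CommandLine=$UpdaterCmd }
    [pscustomobject]@{ UtcTime=[datetime]'2021-06-18 07:28:41'; ProcessId=776;  Image='C:\Windows\System32\Wbem\wmic.exe'; CommandLine='wmic process get Caption,ParentProcessId,ProcessId' }
    [pscustomobject]@{ UtcTime=[datetime]'2021-06-18 07:28:43'; ProcessId=2040; Image='C:\Windows\System32\Wbem\WMIC.exe'; CommandLine=$FilterCmd }
    [pscustomobject]@{ UtcTime=[datetime]'2021-06-18 07:28:45'; ProcessId=1424; Image='C:\Windows\System32\Wbem\WMIC.exe'; CommandLine=$ConsumerCmd }
    [pscustomobject]@{ UtcTime=[datetime]'2021-06-18 07:28:47'; ProcessId=948;  Image='C:\Windows\System32\Wbem\WMIC.exe'; CommandLine=$BindingCmd }
)

# Six alerts on this input: the folder rule, the discovery rule, three CREATEs and the chain alert.
Invoke-ProcessCreateRules -Events $SampleEvents | Format-Table Time, ProcessId, Rule, Detail -AutoSize -Wrap
```

Two caveats for deployment. The `cmd /C "wmic ..."` wrappers in the report carry the same command line as their WMIC.exe children and would also match the CREATE rule, so de-duplicate on the child or suppress when Image is cmd.exe. The rules key on wmic syntax only; the same subscription created through PowerShell (`Set-WmiInstance`, `New-CimInstance`) or a compiled MOF would not match, so pair them with Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter), which see the subscription objects regardless of how they were created.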
Processes

C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe (PID 1164)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (PID 2028)
    Command line: cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Windows Update\updater10.exe (PID 2044)
      Command line: "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      - Executes dropped EXE
      - Deletes itself
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\wmic.exe (PID 776)
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\cmd.exe (PID 1764)
        Command line: C:\Windows\System32\cmd.exe ver

      C:\Windows\system32\cmd.exe (PID 1592)
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe (PID 2040)
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
          - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\cmd.exe (PID 988)
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe (PID 1424)
          Command line: wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'

      C:\Windows\system32\cmd.exe (PID 1536)
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe (PID 948)
          Command line: wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')

      C:\Windows\System32\Wbem\wmic.exe (PID 272)
        Command line: wmic process get Caption,ParentProcessId,ProcessId

      C:\Windows\system32\cmd.exe (PID 1984)
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe (PID 1316)
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''

Command lines are reproduced exactly as captured: the binding (PIDs 1536/948) names the consumer 'GuacBypassConsomer' although the consumer was created as 'GuacBypassConsumer', and it carries a stray trailing parenthesis. A binding whose consumer does not exist never fires, so in this run the WMI subscription persistence is most likely inert while the Run-key persistence from the Signatures section stands. The filter query on Win32_PerfFormattedData_PerfOS_System with WITHIN 60 is polled every 60 seconds and would otherwise re-launch updater10.exe on roughly that interval.
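To hunt a host for the artifacts in this report, the three WMI subscription objects in root\subscription, the "Windows Updater" Run values and the dropped executable, the following added example (not part of the sandbox report) enumerates and optionally removes them. The object names, Run value name and dropped path are taken from the report; both consumer spellings are searched because the report's binding references 'GuacBypassConsomer' while the consumer was created as 'GuacBypassConsumer'. Parameter and function names and the -Remove switch are this example's own. Save it as a .ps1 and run it from an elevated PowerShell session.

```powershell
<#
Added example, not part of the sandbox report: hunt a Windows host for the
persistence artifacts the report attributes to updater10.exe and optionally
remove them. Names come from the report; everything else is this example's.
#>
[CmdletBinding()]
param(
    [string[]]$SuspectNames = @('GuacBypassFilter', 'GuacBypassConsumer', 'GuacBypassConsomer'),
    [string]$RunValueName   = 'Windows Updater',
    [string]$DroppedPath    = (Join-Path $env:LOCALAPPDATA 'Windows Update\updater10.exe'),
    [switch]$Remove
)

$ns = 'root/subscription'
$findings = New-Object System.Collections.Generic.List[object]

function Get-RefName($ref) {
    # Get-CimInstance returns reference properties as CimInstance objects;
    # Get-WmiObject returns object-path strings such as __EventFilter.Name="X".
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $ref }
    }
    return $ref.Name
}

# 1. Permanent WMI event subscription: filter, consumer and the binding joining them.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

foreach ($f in $filters) {
    if ($SuspectNames -contains $f.Name -or $f.Query -match 'Win32_PerfFormattedData_PerfOS_System') {
        $findings.Add([pscustomobject]@{ Order=3; Type='__EventFilter'; Name=$f.Name; Detail=$f.Query; Object=$f })
    }
}
foreach ($c in $consumers) {
    if ($SuspectNames -contains $c.Name -or $c.CommandLineTemplate -like '*updater10.exe*') {
        $findings.Add([pscustomobject]@{ Order=2; Type='CommandLineEventConsumer'; Name=$c.Name; Detail=$c.CommandLineTemplate; Object=$c })
    }
}
foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    if ($SuspectNames -contains $fName -or $SuspectNames -contains $cName) {
        $findings.Add([pscustomobject]@{ Order=1; Type='__FilterToConsumerBinding'; Name="$fName -> $cName"; Detail=''; Object=$b })
        # A binding whose consumer does not exist never fires (the report shows this mismatch).
        if (-not ($consumers | Where-Object { $_.Name -eq $cName })) {
            Write-Warning "Binding for filter '$fName' references missing consumer '$cName'"
        }
    }
}

# 2. Run values in the user hive (HKU\<SID> in the report) and the machine hive.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSChildName, ...)
        if ($p.Name -eq $RunValueName -or "$($p.Value)" -like '*updater10.exe*') {
            $findings.Add([pscustomobject]@{ Order=4; Type='RunValue'; Name="$key\$($p.Name)"; Detail=$p.Value
                Object=@{ Key=$key; Value=$p.Name } })
        }
    }
}

# 3. The dropped executable. The report hashes only the parent sample, so the
#    hash is recorded for triage rather than compared against a known value.
if (Test-Path -LiteralPath $DroppedPath) {
    $sha = (Get-FileHash -Algorithm SHA256 -LiteralPath $DroppedPath).Hash
    $findings.Add([pscustomobject]@{ Order=5; Type='DroppedFile'; Name=$DroppedPath; Detail="SHA256 $sha"; Object=$DroppedPath })
}

$findings | Sort-Object Order | Select-Object Type, Name, Detail | Format-Table -AutoSize -Wrap

if ($Remove -and $findings.Count -gt 0) {
    # Binding first, then consumer and filter, then registry value and file.
    foreach ($x in ($findings | Sort-Object Order)) {
        switch ($x.Type) {
            'RunValue'    { Remove-ItemProperty -Path $x.Object.Key -Name $x.Object.Value -Force }
            'DroppedFile' { Remove-Item -LiteralPath $x.Object -Force }
            default       { Remove-CimInstance -InputObject $x.Object }
        }
        Write-Host "Removed $($x.Type): $($x.Name)"
    }
}
```

Run without -Remove first and review the table; the filter match on Win32_PerfFormattedData_PerfOS_System is deliberately broader than the report's names because that trigger is reused across families, so confirm each hit before deleting. Removing only the filter or consumer leaves a dangling binding, which is why the script orders removal binding first.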