Analysis

- Max time kernel: 149s
- Max time network: 190s
- Platform: windows7_x64
- Resource: win7v20210410
- Submitted: 18-06-2021 07:27

Static task: static1

Behavioral task: behavioral1
- Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
- Resource: win10v20210408
General

- Target: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
- Size: 3.1MB
- MD5: 14471a353788bb6cdb6071d0e0a83004
- SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
- SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
- SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    2044  updater10.exe

- Yara rule matches
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Windows Update\updater10.exe  upx
    C:\Users\Admin\AppData\Local\Windows Update\updater10.exe  upx
    \Users\Admin\AppData\Local\Windows Update\updater10.exe  upx
    C:\Users\Admin\AppData\Local\Windows Update\updater10.exe  upx

- Deletes itself (1 IoC)
  Processes (pid, process):
    2044  updater10.exe

- Loads dropped DLL (2 IoCs)
  Processes (pid, process):
    2028  cmd.exe
    2028  cmd.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"  updater10.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"  updater10.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    2  api.ipify.org
    3  api.ipify.org

- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (Token: description, pid, process):
    wmic.exe (PID 776): the following 20 tokens, recorded twice in this order:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    WMIC.exe (PID 2040): the same 20 tokens once in the same order, followed by:
      SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege

- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes (pid, process -> target pid, target process; each entry is recorded three times):
    1164  c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe  ->  2028  cmd.exe
    2028  cmd.exe  ->  2044  updater10.exe
    2044  updater10.exe  ->  776  wmic.exe
    2044  updater10.exe  ->  1764  cmd.exe
    2044  updater10.exe  ->  1592  cmd.exe
    1592  cmd.exe  ->  2040  WMIC.exe
    2044  updater10.exe  ->  988  cmd.exe
    988  cmd.exe  ->  1424  WMIC.exe
    2044  updater10.exe  ->  1536  cmd.exe
    1536  cmd.exe  ->  948  WMIC.exe
    2044  updater10.exe  ->  272  wmic.exe
    2044  updater10.exe  ->  1984  cmd.exe
    1984  cmd.exe  ->  1316  WMIC.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
  Signatures: Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
      Command line: "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      Signatures: Executes dropped EXE; Deletes itself; Adds Run key to start application; Suspicious use of WriteProcessMemory

      - C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        Signatures: Suspicious use of AdjustPrivilegeToken

      - C:\Windows\System32\cmd.exe
        Command line: C:\Windows\System32\cmd.exe ver

      - C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
          Signatures: Suspicious use of AdjustPrivilegeToken

      - C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'

      - C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')

      - C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId

      - C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
  MD5: 14471a353788bb6cdb6071d0e0a83004
  SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
  SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
  SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8
- \Users\Admin\AppData\Local\Windows Update\updater10.exe
  MD5: 14471a353788bb6cdb6071d0e0a83004
  SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
  SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
  SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8