Overview

overview

10

Static

static

updatewin1.exe

windows7_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    12s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-08-2021 00:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    updatewin1.exe

  • Size

    272KB

  • MD5

    5b4bd24d6240f467bfbc74803c9f15b0

  • SHA1

    c17f98c182d299845c54069872e8137645768a1a

  • SHA256

    14c7bec7369d4175c6d92554b033862b3847ff98a04dfebdf9f5bb30180ed13e

  • SHA512

    a896acc38a6ff9641b0803f0598369c0d4fa8e38da28c1653c57948fe5e3274880d1b2e7959cd1b1da43375a1318b3ba72e13240bf40b27c852ee72bbb16cadc

Score
10/10
evasion

Malware Config

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    evasion
  • Disables Task Manager via registry modification
    evasion
  • Deletes itself 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 63 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\updatewin1.exe
    "C:\Users\Admin\AppData\Local\Temp\updatewin1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\updatewin1.exe
      "C:\Users\Admin\AppData\Local\Temp\updatewin1.exe" --Admin
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command Set-ExecutionPolicy -Scope CurrentUser RemoteSigned
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\Users\Admin\AppData\Local\script.ps1""' -Verb RunAs}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1236
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\script.ps1
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1716
      • C:\Program Files\Windows Defender\mpcmdrun.exe
        "C:\Program Files\Windows Defender\mpcmdrun.exe" -removedefinitions -all
        3⤵
        • Deletes Windows Defender Definitions
        PID:1684
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat""
        3⤵
        • Deletes itself
        PID:1144
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1992
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1316

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
      MD5

      02ff38ac870de39782aeee04d7b48231

      SHA1

      0390d39fa216c9b0ecdb38238304e518fb2b5095

      SHA256

      fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876

      SHA512

      24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
      MD5

      75a8da7754349b38d64c87c938545b1b

      SHA1

      5c28c257d51f1c1587e29164cc03ea880c21b417

      SHA256

      bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96

      SHA512

      798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
      MD5

      be4d72095faf84233ac17b94744f7084

      SHA1

      cc78ce5b9c57573bd214a8f423ee622b00ebb1ec

      SHA256

      b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc

      SHA512

      43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
      MD5

      df44874327d79bd75e4264cb8dc01811

      SHA1

      1396b06debed65ea93c24998d244edebd3c0209d

      SHA256

      55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181

      SHA512

      95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
      MD5

      5e3c7184a75d42dda1a83606a45001d8

      SHA1

      94ca15637721d88f30eb4b6220b805c5be0360ed

      SHA256

      8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59

      SHA512

      fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
      MD5

      a725bb9fafcf91f3c6b7861a2bde6db2

      SHA1

      8bb5b83f3cc37ff1e5ea4f02acae38e72364c114

      SHA256

      51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431

      SHA512

      1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
      MD5

      b6d38f250ccc9003dd70efd3b778117f

      SHA1

      d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a

      SHA256

      4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265

      SHA512

      67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
      MD5

      89f4d691bff5500e98f9be03c97e1d82

      SHA1

      7636750a73204953af364957877e8c1d81a0aa26

      SHA256

      312434e6a55d61599850d03b1f0a906ea2be1e019a7e550de11d4ae61d82ea67

      SHA512

      70a10bb2e9c91a1422e2a8cecec5147d03ca16a89e044e97e2b91de3ccaeb81f70f77b12b26a9916f4c33aea383542f324648577bccc486bd4ea094f38d59f0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\delself.bat
      MD5

      9e5ded39abd73456458318c691bbd679

      SHA1

      0b111626c3687fbd3f647b01fa27d26c88c4583d

      SHA256

      2c4cad4d2fa2df8c8a61085b6ecc91215486fbb5d8e643eec889fc5709a5813f

      SHA512

      564c2319b34847b605c1a73db2427ad29d52579cc22cece04c327040b7a9a77591cc6e2dfffa825e70a4534451e70b80e04c01a0b9a3b12c0b96c594bb9c07e4

      Download Submit

    • C:\Users\Admin\AppData\Local\script.ps1
      MD5

      f972c62f986b5ed49ad7713d93bf6c9f

      SHA1

      4e157002bdb97e9526ab97bfafbf7c67e1d1efbf

      SHA256

      b47f85974a7ec2fd5aa82d52f08eb0f6cea7e596a98dd29e8b85b5c37beca0a8

      SHA512

      2c9e2e1b8b6cb5ffe3edf5dfbc2c3b917cd15ba6a5e5264207a43b02ce7020f44f5088aca195f7b428699f0d6bd693ce557a0227d67bbb4795e350a97314e9c4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      MD5

      4c47333230496c53e0ef63d9d535559f

      SHA1

      2a60e2ccd3fe842206208d928a8999f5ba28f92d

      SHA256

      3feee54b6b10e78b42bcc9e7c0d84d8b7d654e339c8635db2fe2cb0f189c3909

      SHA512

      a0858193430344e78973e7c9bfdde7ae96dd03b8c05cbe6fd44533c8a9e6c1cc08ad53b3956d9a2f1896f435fc063635f705bb639d0191b7ed57f157007081bc

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      MD5

      4c47333230496c53e0ef63d9d535559f

      SHA1

      2a60e2ccd3fe842206208d928a8999f5ba28f92d

      SHA256

      3feee54b6b10e78b42bcc9e7c0d84d8b7d654e339c8635db2fe2cb0f189c3909

      SHA512

      a0858193430344e78973e7c9bfdde7ae96dd03b8c05cbe6fd44533c8a9e6c1cc08ad53b3956d9a2f1896f435fc063635f705bb639d0191b7ed57f157007081bc

      Download Submit

    • memory/1144-114-0x0000000000000000-mapping.dmp

      Download

    • memory/1236-93-0x0000000000B50000-0x0000000000B51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-107-0x0000000006220000-0x0000000006221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-90-0x0000000000000000-mapping.dmp

      Download

    • memory/1236-94-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-95-0x0000000001200000-0x0000000001201000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-96-0x0000000004B30000-0x0000000004B31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-97-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1236-98-0x0000000004CA2000-0x0000000004CA3000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-109-0x0000000000000000-mapping.dmp

      Download

    • memory/1684-60-0x0000000075011000-0x0000000075013000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1684-61-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1716-113-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-120-0x0000000000E82000-0x0000000000E83000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-140-0x00000000065B0000-0x00000000065B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-139-0x00000000065A0000-0x00000000065A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-136-0x000000007EF20000-0x000000007EF21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-126-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-123-0x00000000059B0000-0x00000000059B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-112-0x0000000001000000-0x0000000001001000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-119-0x0000000000E80000-0x0000000000E81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1716-108-0x0000000000000000-mapping.dmp

      Download

    • memory/1716-115-0x0000000005420000-0x0000000005421000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1972-62-0x0000000000000000-mapping.dmp

      Download

    • memory/1972-68-0x0000000000400000-0x000000000044D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1992-99-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2036-72-0x0000000005360000-0x0000000005361000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-67-0x0000000004840000-0x0000000004841000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-66-0x0000000000F40000-0x0000000000F41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-69-0x0000000004800000-0x0000000004801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-70-0x0000000004802000-0x0000000004803000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-64-0x0000000000000000-mapping.dmp

      Download

    • memory/2036-71-0x0000000004720000-0x0000000004721000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-75-0x0000000005770000-0x0000000005771000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-80-0x0000000005810000-0x0000000005811000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-81-0x0000000006260000-0x0000000006261000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-82-0x000000007EF30000-0x000000007EF31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2036-89-0x0000000006360000-0x0000000006361000-memory.dmp

      Filesize

      4KB

      Download