Analysis
-
max time kernel: 155s
max time network: 154s
platform: windows10_x64
resource: win10-en
submitted: 08-09-2021 09:09

Static task: static1
Behavioral task: behavioral1
Sample: d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
Resource: win7v20210408

General
-
Target: d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
Size: 521KB
MD5: 395fa99254a783e8592dcecdaa465140
SHA1: 587f1cc23c522eb2d0be6ab62a03bdd23df423a3
SHA256: d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc
SHA512: 3095d3f673ffcaf69193189ebc159bccce4e0ed1a3d8188d5424ed0251bcf95ac3d7a9555e84dbcb52de37f234f568764737da2dab7f5ea56dbd9a553b95a235
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes (description | pid | process | target process):
PID 4684 created 2164 | 4684 | WerFault.exe | ipconfig.exe
-
Executes dropped EXE 3 IoCs
Processes (pid | process):
4584 | winupd.exe
4456 | winupd.exe
3172 | winupd.exe
-
YARA rule matches (resource | yara_rule):
behavioral2/memory/3172-133-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3172-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description | pid | process | target process):
PID 4736 set thread context of 1612 | 4736 | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
PID 4584 set thread context of 4456 | 4584 | winupd.exe | winupd.exe
PID 4584 set thread context of 3172 | 4584 | winupd.exe | winupd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes (pid | pid_target | process | target process):
4684 | 2164 | WerFault.exe | ipconfig.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes (pid | process):
2164 | ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes (pid | process):
4684 | WerFault.exe (15 occurrences)
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes (description | pid | process):
Token: SeIncreaseQuotaPrivilege | 3172 | winupd.exe
Token: SeSecurityPrivilege | 3172 | winupd.exe
Token: SeTakeOwnershipPrivilege | 3172 | winupd.exe
Token: SeLoadDriverPrivilege | 3172 | winupd.exe
Token: SeSystemProfilePrivilege | 3172 | winupd.exe
Token: SeSystemtimePrivilege | 3172 | winupd.exe
Token: SeProfSingleProcessPrivilege | 3172 | winupd.exe
Token: SeIncBasePriorityPrivilege | 3172 | winupd.exe
Token: SeCreatePagefilePrivilege | 3172 | winupd.exe
Token: SeBackupPrivilege | 3172 | winupd.exe
Token: SeRestorePrivilege | 3172 | winupd.exe
Token: SeShutdownPrivilege | 3172 | winupd.exe
Token: SeDebugPrivilege | 3172 | winupd.exe
Token: SeSystemEnvironmentPrivilege | 3172 | winupd.exe
Token: SeChangeNotifyPrivilege | 3172 | winupd.exe
Token: SeRemoteShutdownPrivilege | 3172 | winupd.exe
Token: SeUndockPrivilege | 3172 | winupd.exe
Token: SeManageVolumePrivilege | 3172 | winupd.exe
Token: SeImpersonatePrivilege | 3172 | winupd.exe
Token: SeCreateGlobalPrivilege | 3172 | winupd.exe
Token: 33 | 3172 | winupd.exe
Token: 34 | 3172 | winupd.exe
Token: 35 | 3172 | winupd.exe
Token: 36 | 3172 | winupd.exe
Token: SeRestorePrivilege | 4684 | WerFault.exe
Token: SeBackupPrivilege | 4684 | WerFault.exe
Token: SeDebugPrivilege | 4684 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes (pid | process):
4736 | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
1612 | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
4584 | winupd.exe
4456 | winupd.exe
3172 | winupd.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes (description | pid | process | target process), repeated events collapsed:
PID 4736 wrote to memory of 1612 | 4736 | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe (8 occurrences)
PID 1612 wrote to memory of 4584 | 1612 | d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe | winupd.exe (3 occurrences)
PID 4584 wrote to memory of 4456 | 4584 | winupd.exe | winupd.exe (8 occurrences)
PID 4584 wrote to memory of 3172 | 4584 | winupd.exe | winupd.exe (8 occurrences)
PID 4456 wrote to memory of 2164 | 4456 | winupd.exe | ipconfig.exe (5 occurrences)
Processes (bracketed number is the depth in the process tree)
-
[1] C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\d33390c1548497b6fad0f78111db2acf578ee41531336611c0b6cc6611a9cebc.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ipconfig.exe
            command line: "C:\Windows\system32\ipconfig.exe"
            - Gathers network information
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 256
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: ba02c9938dd1324ae3e1b4dda7592c9f
SHA1: 3e970295f1b191bbac372770862f92607f5feebd
SHA256: d034aaa4a24bd5068bae6cb2cfe77238af90453ae33cddfbb1532e4e34ccbcda
SHA512: 70529f6a98f22c71540e6d64085b28f8e36f8ae55984320d48ef44232c0d72de3f4280174fdd7d960ba3409966ab4d20843d223efeb38110d79e0ae775c585fa
-
Memory dumps (file, Filesize where reported):
memory/1612-118-0x000000000040140C-mapping.dmp
memory/1612-117-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
memory/1612-124-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
memory/2164-138-0x0000000000000000-mapping.dmp
memory/3172-134-0x00000000004B5670-mapping.dmp
memory/3172-133-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/3172-139-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/3172-140-0x0000000000560000-0x000000000060E000-memory.dmp (696KB)
memory/4456-131-0x000000000040140C-mapping.dmp
memory/4584-125-0x0000000000000000-mapping.dmp
memory/4736-123-0x0000000002FC0000-0x0000000002FC2000-memory.dmp (8KB)
memory/4736-121-0x00000000020F0000-0x00000000020F2000-memory.dmp (8KB)
memory/4736-122-0x0000000002240000-0x0000000002242000-memory.dmp (8KB)