Analysis

max time kernel: 152s
max time network: 151s
platform: windows10_x64
resource: win10-en-20210920
submitted: 22-09-2021 13:23

Static task: static1
Behavioral task: behavioral1
Sample: 345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
Resource: win7v20210408
General

Target: 345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe
Size: 520KB
MD5: 9dbffc041eb423abdbcc46e05d99899d
SHA1: 9224ed9c8521441e787dd232e18e859c9d555e72
SHA256: 345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2
SHA512: dc6d503da7c0f9ae66438fe8fd6edd83556109cdba643e050dbe51b0dd9aaf594e78eb7b97a7d3bf13a47ca7b12b7e2893bbca640365f93dd4288a13cebe8128
Malware Config
Signatures

In the tables below, <sample>.exe stands for 345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe.

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  description            pid   process       target process
  PID 1136 created 3732  1136  WerFault.exe  ipconfig.exe

Executes dropped EXE (3 IoCs)
  pid   process
  2744  winupd.exe
  3132  winupd.exe
  4052  winupd.exe

YARA rule match: upx (2 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/4052-133-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral2/memory/4052-139-0x0000000000400000-0x00000000004B7000-memory.dmp  upx

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process       target process
  PID 2300 set thread context of 2688  2300  <sample>.exe  <sample>.exe
  PID 2744 set thread context of 3132  2744  winupd.exe    winupd.exe
  PID 2744 set thread context of 4052  2744  winupd.exe    winupd.exe
  Each hit is a parent replacing the thread context of a child that runs the parent's own image, after writing into that child (see the WriteProcessMemory counts below): the process-hollowing pattern. The mapping dumps taken for the three children (memory/2688-118 and memory/3132-131 at 0x40140C, memory/4052-134 at 0x4B5670) are listed in the memory section.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid   pid_target  process       target process
  1136  3732        WerFault.exe  ipconfig.exe
  WerFault.exe -u -p 3732 -s 268 is Windows Error Reporting handling a crash of ipconfig.exe (PID 3732), a process winupd.exe (PID 3132) had written to five times. The NtCreateProcessExOtherParentProcess, EnumeratesProcesses and AdjustPrivilegeToken hits on PID 1136 are consistent with WerFault's normal crash-dump collection rather than with actions of the sample.

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid   process
  3732  ipconfig.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process       events
  1136  WerFault.exe  14

Suspicious use of AdjustPrivilegeToken (27 IoCs)
  winupd.exe (PID 4052), 24 privileges enabled:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege,
    SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege,
    SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege,
    SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege,
    SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    and LUIDs 33, 34, 35, 36 (in winnt.h: SeIncreaseWorkingSetPrivilege,
    SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege,
    SeDelegateSessionUserImpersonatePrivilege).
  WerFault.exe (PID 1136): SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege.
  AdjustTokenPrivileges can only enable privileges the token already holds, so this list reflects what the sandbox's Admin account had, not an escalation.

Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   process
  2300  <sample>.exe
  2688  <sample>.exe
  2744  winupd.exe
  3132  winupd.exe
  4052  winupd.exe

Suspicious use of WriteProcessMemory (32 IoCs, collapsed by writer/target pair)
  writer pid  writer process  target pid  target process  writes
  2300        <sample>.exe    2688        <sample>.exe    8
  2688        <sample>.exe    2744        winupd.exe      3
  2744        winupd.exe      3132        winupd.exe      8
  2744        winupd.exe      4052        winupd.exe      8
  3132        winupd.exe      3732        ipconfig.exe    5
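The SetThreadContext and WriteProcessMemory tables are the raw material for a hollowing detection. The Python below is an added example, not part of the Triage report: it parses event lines in the report's own "PID A wrote to memory of B A <image A> <image B>" and "PID A set thread context of B ..." form, tallies writes per (writer, target) pair, and flags a pair as a hollowing candidate when the target runs the writer's image and its thread context was replaced, or as a cross-image write otherwise. CONSTRUCTED_EVENTS, Finding and find_injections are this example's own names; the event lines are constructed from the tables above, repeated to match the IoC counts.

```python
"""Flag process-hollowing candidates from sandbox injection events.

Added example, not part of the sandbox report. Input lines are constructed
from the report's SetThreadContext and WriteProcessMemory tables, in the
report's own "PID A <op> B A <image A> <image B>" form.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe"

# Constructed from the report: one line per event, repeated as many times as
# the report lists it, so the per-pair write counts match the IoC counts.
CONSTRUCTED_EVENTS = (
    [f"PID 2300 set thread context of 2688 2300 {SAMPLE} {SAMPLE}",
     "PID 2744 set thread context of 3132 2744 winupd.exe winupd.exe",
     "PID 2744 set thread context of 4052 2744 winupd.exe winupd.exe"]
    + [f"PID 2300 wrote to memory of 2688 2300 {SAMPLE} {SAMPLE}"] * 8
    + [f"PID 2688 wrote to memory of 2744 2688 {SAMPLE} winupd.exe"] * 3
    + ["PID 2744 wrote to memory of 3132 2744 winupd.exe winupd.exe"] * 8
    + ["PID 2744 wrote to memory of 4052 2744 winupd.exe winupd.exe"] * 8
    + ["PID 3132 wrote to memory of 3732 3132 winupd.exe ipconfig.exe"] * 5
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str          # "hollowing" or "cross_image_write"
    writer: int
    target: int
    writer_image: str
    target_image: str
    writes: int        # number of WriteProcessMemory events writer -> target
    context_set: bool  # writer also called SetThreadContext on target


def parse_events(lines):
    """Group events by (writer, target): write counts, context sets, images."""
    writes = defaultdict(int)
    context = set()
    images = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m is None:
            continue  # not an injection event line; ignore
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            context.add((src, dst))
    return writes, context, images


def find_injections(lines):
    """Return findings ordered by (writer, target).

    hollowing:         writer wrote into a process of its own image and then
                       replaced that process's thread context.
    cross_image_write: writer wrote into a process of a different image
                       (any SetThreadContext on it is recorded in the finding).
    """
    writes, context, images = parse_events(lines)
    findings = []
    for src, dst in sorted(set(writes) | context):
        same_image = images[src] == images[dst]
        ctx = (src, dst) in context
        if same_image and ctx:
            kind = "hollowing"
        elif not same_image:
            kind = "cross_image_write"
        else:
            continue  # same-image write without a context change: not flagged
        findings.append(Finding(kind, src, dst, images[src], images[dst],
                                writes.get((src, dst), 0), ctx))
    return findings


if __name__ == "__main__":
    for f in find_injections(CONSTRUCTED_EVENTS):
        print(f"{f.kind:18} {f.writer} ({f.writer_image}) -> "
              f"{f.target} ({f.target_image}) writes={f.writes} ctx={f.context_set}")
```

Run over this report's events it yields three hollowing pairs (2300 -> 2688, 2744 -> 3132, 2744 -> 4052) and two cross-image writes (2688 -> 2744 into the dropped winupd.exe, and 3132 -> 3732 into ipconfig.exe, the process that then crashed). The same-image-plus-context-change rule is deliberately narrow; a writer that only writes without touching thread context is reported separately so an analyst can decide what it was.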
Processes
(PIDs are taken from the signature tables above; depth numbers are the report's tree levels)

depth 1: C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe  (PID 2300)
  command line: "C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe  (PID 2688)
    command line: "C:\Users\Admin\AppData\Local\Temp\345415dbeda848892a070803785da5a40db03b7800cfa726bfbe7fed3c4136a2.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe  (PID 2744)
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      depth 4: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe  (PID 3132)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        depth 5: C:\Windows\SysWOW64\ipconfig.exe  (PID 3732)
          command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          (system32\ipconfig.exe resolved to SysWOW64: the caller is a 32-bit process under WOW64 file-system redirection)

          depth 6: C:\Windows\SysWOW64\WerFault.exe  (PID 1136)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 268
            - Suspicious use of NtCreateProcessExOtherParentProcess
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      depth 4: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe  (PID 4052)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: 2ecda47adfb8ff3544a7aebe0fb7005c
SHA1: 8f2ae2fa16adcca0d7798cf36c616e4d8ab49548
SHA256: a6ccbdd9fe3a6c7ac3061d95b1f876acd5332ac1c9df0c8375b3bd0db4b0e89e
SHA512: c70d4d1d4734db20aa7ffa62f430711c09125e7627078bb49ce2def7afee7f09893ada3c8518fa10c68cf8f5ff5cec7f292ab2fcbb442c3a0ae422d429e433fd
-
memory dump                                                       size
memory/2300-127-0x0000000002590000-0x0000000002592000-memory.dmp  8KB
memory/2300-128-0x00000000025A0000-0x00000000025A2000-memory.dmp  8KB
memory/2300-126-0x00000000023A0000-0x00000000023A2000-memory.dmp  8KB
memory/2688-117-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
memory/2688-129-0x0000000000400000-0x0000000000407000-memory.dmp  28KB
memory/2688-118-0x000000000040140C-mapping.dmp
memory/2744-121-0x0000000000000000-mapping.dmp
memory/3132-131-0x000000000040140C-mapping.dmp
memory/3732-138-0x0000000000000000-mapping.dmp
memory/4052-134-0x00000000004B5670-mapping.dmp
memory/4052-133-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
memory/4052-139-0x0000000000400000-0x00000000004B7000-memory.dmp  732KB
memory/4052-140-0x00000000007B0000-0x00000000007B1000-memory.dmp  4KB