Analysis
- max time kernel: 152s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 22-09-2021 13:23
Static task: static1
Behavioral task: behavioral1
Sample: 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
Resource: win7-en-20210920
General
- Target: 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
- Size: 520KB
- MD5: 987a5d029c5c923724872bc013ba8eca
- SHA1: 97c2b943c9cd1625c273652f831860a72427bb5b
- SHA256: 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea
- SHA512: bdccf49488488b67025a2c8a4d48c4ca9180ac93c5e3b3564d0e25cf0fc895c5296d08cee8febf825de5af37c44032fe7bfd094ec0994628acad19a0f129619d
Malware Config
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4008 created 3636 | 4008 | WerFault.exe | ipconfig.exe
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  2732 | winupd.exe
  3488 | winupd.exe
  3844 | winupd.exe
-
  Processes:
  resource | yara_rule
  behavioral2/memory/3844-133-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/3844-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2160 set thread context of 2660 | 2160 | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
  PID 2732 set thread context of 3488 | 2732 | winupd.exe | winupd.exe
  PID 2732 set thread context of 3844 | 2732 | winupd.exe | winupd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
  pid | pid_target | process | target process
  4008 | 3636 | WerFault.exe | ipconfig.exe
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
  pid | process
  3636 | ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid | process
  4008 | WerFault.exe (this row is repeated 14 times in the report)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 3844 | winupd.exe
  Token: SeSecurityPrivilege | 3844 | winupd.exe
  Token: SeTakeOwnershipPrivilege | 3844 | winupd.exe
  Token: SeLoadDriverPrivilege | 3844 | winupd.exe
  Token: SeSystemProfilePrivilege | 3844 | winupd.exe
  Token: SeSystemtimePrivilege | 3844 | winupd.exe
  Token: SeProfSingleProcessPrivilege | 3844 | winupd.exe
  Token: SeIncBasePriorityPrivilege | 3844 | winupd.exe
  Token: SeCreatePagefilePrivilege | 3844 | winupd.exe
  Token: SeBackupPrivilege | 3844 | winupd.exe
  Token: SeRestorePrivilege | 3844 | winupd.exe
  Token: SeShutdownPrivilege | 3844 | winupd.exe
  Token: SeDebugPrivilege | 3844 | winupd.exe
  Token: SeSystemEnvironmentPrivilege | 3844 | winupd.exe
  Token: SeChangeNotifyPrivilege | 3844 | winupd.exe
  Token: SeRemoteShutdownPrivilege | 3844 | winupd.exe
  Token: SeUndockPrivilege | 3844 | winupd.exe
  Token: SeManageVolumePrivilege | 3844 | winupd.exe
  Token: SeImpersonatePrivilege | 3844 | winupd.exe
  Token: SeCreateGlobalPrivilege | 3844 | winupd.exe
  Token: 33 | 3844 | winupd.exe
  Token: 34 | 3844 | winupd.exe
  Token: 35 | 3844 | winupd.exe
  Token: 36 | 3844 | winupd.exe
  Token: SeRestorePrivilege | 4008 | WerFault.exe
  Token: SeBackupPrivilege | 4008 | WerFault.exe
  Token: SeDebugPrivilege | 4008 | WerFault.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
  pid | process
  2160 | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
  2660 | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
  2732 | winupd.exe
  3488 | winupd.exe
  3844 | winupd.exe
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes:
  description | pid | process | target process
  PID 2160 wrote to memory of 2660 | 2160 | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe (8 entries)
  PID 2660 wrote to memory of 2732 | 2660 | 5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe | winupd.exe (3 entries)
  PID 2732 wrote to memory of 3488 | 2732 | winupd.exe | winupd.exe (8 entries)
  PID 2732 wrote to memory of 3844 | 2732 | winupd.exe | winupd.exe (8 entries)
  PID 3488 wrote to memory of 3636 | 3488 | winupd.exe | ipconfig.exe (5 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\5f02339f6ea514c24162fc3b22dc7fbd86a0166944280195cb931b00a39656ea.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\ipconfig.exe
          command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          - [6] C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 268
            - Suspicious use of NtCreateProcessExOtherParentProcess
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  MD5: 0b05ba1ca26b8f6316f5df8de9183d24
  SHA1: 269dcea4fb830c1a4b7a1a5aafd84377f58112d3
  SHA256: 406c29dad85429215dba37c02e99a0ed4998c1b3f9e989dbe6a59db24c812e29
  SHA512: 034e81d9beb5c5930de83396fd0ea9cd6734129f3605cf8b7e78a1187c2abb43f60c14014a80122a30718263b99b397fd3d32f1a0642b150e23e7db78f82af10
- memory/2160-127-0x0000000002230000-0x0000000002232000-memory.dmp (filesize 8KB)
- memory/2160-128-0x0000000002250000-0x0000000002252000-memory.dmp (filesize 8KB)
- memory/2160-126-0x00000000021E0000-0x00000000021E2000-memory.dmp (filesize 8KB)
- memory/2660-117-0x0000000000400000-0x0000000000407000-memory.dmp (filesize 28KB)
- memory/2660-129-0x0000000000400000-0x0000000000407000-memory.dmp (filesize 28KB)
- memory/2660-118-0x000000000040140C-mapping.dmp
- memory/2732-121-0x0000000000000000-mapping.dmp
- memory/3488-131-0x000000000040140C-mapping.dmp
- memory/3636-138-0x0000000000000000-mapping.dmp
- memory/3844-134-0x00000000004B5670-mapping.dmp
- memory/3844-133-0x0000000000400000-0x00000000004B7000-memory.dmp (filesize 732KB)
- memory/3844-139-0x0000000000400000-0x00000000004B7000-memory.dmp (filesize 732KB)
- memory/3844-140-0x0000000002370000-0x0000000002371000-memory.dmp (filesize 4KB)