Analysis
max time kernel: 152s
max time network: 135s
platform: windows7_x64
resource: win7-en-20210920
submitted: 22-09-2021 13:23
Static task: static1
Behavioral task: behavioral1
Sample: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
Resource: win7-en-20210920
General
Target: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
Size: 520KB
MD5: 8cacb0a780eab8956b0d068f51f720d2
SHA1: f24f2b98db4bee8b0e5da51cb3d33ed6fd5c64c6
SHA256: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded
SHA512: 689e0c87bfff0698bf0fb88ee7129923ed619d6c1480d336f80e3de222e5f2f2ceb73ac3c50e456f7d8879e078868799cab7db30eafca89774c4bb0e0a5755b6
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 1176 winupd.exe
- PID 1600 winupd.exe
- PID 1652 winupd.exe
-
YARA rule matches (2 IoCs)
Resources:
- behavioral1/memory/1652-74-0x0000000000400000-0x00000000004B7000-memory.dmp: rule upx
- behavioral1/memory/1652-83-0x0000000000400000-0x00000000004B7000-memory.dmp: rule upx
-
Loads dropped DLL (2 IoCs)
Processes:
- PID 1516 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe (2 loads)
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- reg.exe: key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run
- reg.exe: set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1580 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe set thread context of PID 1516 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
- PID 1176 winupd.exe set thread context of PID 1600 winupd.exe
- PID 1176 winupd.exe set thread context of PID 1652 winupd.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic heuristic; nothing else in this report records file encryption.)
-
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
- PID 1852 ipconfig.exe
-
Modifies registry key (1 TTPs, 1 IoCs)
Processes:
- reg.exe (PID 1752, the REG ADD shown in the process tree)
-
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
- PID 1652 winupd.exe enabled the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unresolved privilege LUIDs 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege).
Enabling every privilege in one sweep, rather than the one or two an action needs, is the usual "enable all privileges" routine. SeDebugPrivilege, SeLoadDriverPrivilege and SeBackup/SeRestorePrivilege are only present in an elevated administrator token, so PID 1652 is running with administrator rights in this environment.
-
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- PID 1580 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
- PID 1516 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
- PID 1176 winupd.exe
- PID 1600 winupd.exe
- PID 1652 winupd.exe
-
Suspicious use of WriteProcessMemory (44 IoCs)
The sandbox records one row per WriteProcessMemory call; the 44 rows collapse to seven source/target pairs:
- PID 1580 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe wrote to memory of PID 1516 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe (9 calls)
- PID 1516 c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe wrote to memory of PID 1176 winupd.exe (4 calls)
- PID 1176 winupd.exe wrote to memory of PID 1600 winupd.exe (9 calls)
- PID 1176 winupd.exe wrote to memory of PID 1652 winupd.exe (8 calls)
- PID 1600 winupd.exe wrote to memory of PID 1852 ipconfig.exe (6 calls)
- PID 1852 ipconfig.exe wrote to memory of PID 1012 cmd.exe (4 calls)
- PID 1012 cmd.exe wrote to memory of PID 1752 reg.exe (4 calls)
The three pairs that also appear under SetThreadContext (1580 to 1516, 1176 to 1600, 1176 to 1652) are parent and child running the same image, which is the process-hollowing pattern; the remaining pairs are parents writing into children they have just created.
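The WriteProcessMemory and SetThreadContext tables above read more easily as a graph. The following Python is added here as an editor's example and is not part of the sandbox report: it parses rows in the report's own "PID <src> wrote to memory of <dst> <src> <src image> <dst image>" format (a subset of the rows above is embedded as input), collapses the repeated rows into counted edges, and separates the hollowing pairs (a write plus SetThreadContext into a child running the same image) from the plain parent-to-child writes that accompany process creation.

```python
import re
from collections import Counter

# Image name of the submitted sample, as listed in the report.
SAMPLE = "c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"

# Rows copied from the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables in the report. The sandbox
# prints one row per API call, so pairs repeat; only a subset of the 44
# write rows is kept here, enough to show the de-duplication.
WRITE_ROWS = f"""
PID 1580 wrote to memory of 1516 1580 {SAMPLE} {SAMPLE}
PID 1580 wrote to memory of 1516 1580 {SAMPLE} {SAMPLE}
PID 1516 wrote to memory of 1176 1516 {SAMPLE} winupd.exe
PID 1176 wrote to memory of 1600 1176 winupd.exe winupd.exe
PID 1176 wrote to memory of 1652 1176 winupd.exe winupd.exe
PID 1600 wrote to memory of 1852 1600 winupd.exe ipconfig.exe
PID 1852 wrote to memory of 1012 1852 ipconfig.exe cmd.exe
PID 1012 wrote to memory of 1752 1012 cmd.exe reg.exe
"""
CONTEXT_ROWS = f"""
PID 1580 set thread context of 1516 1580 {SAMPLE} {SAMPLE}
PID 1176 set thread context of 1600 1176 winupd.exe winupd.exe
PID 1176 set thread context of 1652 1176 winupd.exe winupd.exe
"""

# "PID <src> <verb> <dst> <src again> <src image> <dst image>"; the
# back-reference \1 rejects rows where the repeated PID does not match.
ROW_RE = re.compile(
    r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \1 (\S+) (\S+)"
)


def parse_rows(text):
    """Return a Counter of (src_pid, src_img, dst_pid, dst_img, api) edges.

    The count is the number of rows (API calls) the sandbox recorded for
    that pair.
    """
    edges = Counter()
    for m in ROW_RE.finditer(text):
        src, verb, dst, src_img, dst_img = m.groups()
        api = "WriteProcessMemory" if verb.startswith("wrote") else "SetThreadContext"
        edges[(int(src), src_img, int(dst), dst_img, api)] += 1
    return edges


def hollowing_candidates(edges):
    """Pairs where the parent both wrote into the child and reset its thread
    context, and the child runs the same image as the parent. That is the
    classic RunPE / process-hollowing sequence: spawn a suspended copy of
    yourself, overwrite the image, SetThreadContext to the new entry point,
    resume. Returns sorted (src_pid, dst_pid, image) tuples."""
    writes = {(s, d) for (s, _, d, _, api) in edges if api == "WriteProcessMemory"}
    found = []
    for (s, s_img, d, d_img, api) in edges:
        if api == "SetThreadContext" and (s, d) in writes and s_img == d_img:
            found.append((s, d, d_img))
    return sorted(found)


def creation_only(edges):
    """Write edges with no SetThreadContext on the same pair. A parent
    writing to a child it has just created is expected (CreateProcess itself
    writes the process parameters into the child), so these are usually plain
    process creation rather than injection; they still give the launch chain.
    Returns sorted (src image, dst image) pairs."""
    ctx = {(s, d) for (s, _, d, _, api) in edges if api == "SetThreadContext"}
    return sorted({(s_img, d_img) for (s, s_img, d, d_img, api) in edges
                   if api == "WriteProcessMemory" and (s, d) not in ctx})


if __name__ == "__main__":
    edges = parse_rows(WRITE_ROWS + CONTEXT_ROWS)
    for (s, s_img, d, d_img, api), n in sorted(edges.items()):
        print(f"{api:18} {s:>5} {s_img[:12]:12} -> {d:>5} {d_img[:12]:12} x{n}")
    print("hollowing candidates:", hollowing_candidates(edges))
    print("launch chain:", creation_only(edges))
```

Run against the full 44 rows the counts come out as in the table above; the three hollowing candidates are the same three pairs whatever subset of the write rows is used, because the discriminator is the SetThreadContext row, not the number of writes.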
Processes
PIDs are taken from the signature tables above; nesting shows the parent/child level the report gives for each process.
- C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe (level 1, PID 1580)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe (level 2, PID 1516)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (level 3, PID 1176)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (level 4, PID 1600)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\ipconfig.exe (level 5, PID 1852; the 32-bit parent asked for system32\ipconfig.exe and WOW64 file-system redirection resolved it to SysWOW64)
          Command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          - Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\cmd.exe (level 6, PID 1012)
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\FBWPVNEO.bat" "
            - Suspicious use of WriteProcessMemory
            - C:\Windows\SysWOW64\reg.exe (level 7, PID 1752)
              Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
              - Adds Run key to start application
              - Modifies registry key
      - C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (level 4, PID 1652)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Note that ipconfig.exe, a utility that never launches anything itself, is the parent of the cmd.exe that runs the batch file and the REG ADD: the 6 writes from winupd.exe (PID 1600) into PID 1852 above are what put that behaviour there, and ipconfig.exe is the process name an analyst would least expect to find at the head of a persistence chain.
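The reg.exe command line at level 7 is the whole persistence mechanism. The following Python is added here as an editor's example rather than anything from the report: it shows how a hunt over Sysmon-style process-creation records would pick that command line out, by parsing the `reg add` arguments and scoring the autorun target. The three records are constructed for the example; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the weights and threshold are illustrative, not a published rule.

```python
import re

# Autorun keys of interest, compared against the tail of the key path.
RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)
# Directories any user can write to; a real system component does not
# start from here.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
# Names such as "WinUpdate" or "winupd.exe" that imitate Windows Update.
UPDATE_LURE = re.compile(r"win(dows)?[ _-]*upd(ate)?", re.I)
SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe")

# "reg add <key> ..." with or without a path to reg.exe and with or without
# quotes around the key.
REG_ADD_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+"?(?P<key>[^"\s]+)"?(?P<rest>.*)$',
    re.I,
)
# /v <name> and /d <data>, where either may be a quoted string.
OPT_RE = re.compile(r'/(?P<opt>[vd])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


def parse_reg_add(cmdline):
    """Return (key, value_name, value_data) for a `reg add` command line, or
    None if the command line is something else."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    opts = {}
    for o in OPT_RE.finditer(m.group("rest")):
        opts[o.group("opt").lower()] = o.group("q") if o.group("q") is not None else o.group("u")
    return m.group("key").rstrip("\\"), opts.get("v", ""), opts.get("d", "")


def assess_run_key_event(event):
    """Score a Sysmon-style process-creation record that adds an autorun
    value. Returns (score, reasons), or None when the command is not a
    Run-key write. Weights are illustrative."""
    parsed = parse_reg_add(event.get("CommandLine", ""))
    if parsed is None:
        return None
    key, name, data = parsed
    if not key.lower().endswith(RUN_KEYS):
        return None
    score, reasons = 0, []
    target = data.lower()
    if any(d in target for d in USER_WRITABLE):
        score += 2
        reasons.append("autorun target lives in a user-writable directory")
    if (UPDATE_LURE.search(name) or UPDATE_LURE.search(data)) and not target.startswith(SYSTEM_DIRS):
        score += 2
        reasons.append("Windows Update lure name for a binary outside the system directories")
    if event.get("ParentImage", "").lower().endswith(SCRIPT_HOSTS):
        score += 1
        reasons.append("reg.exe launched from a script interpreter")
    return score, reasons


def hunt(events, threshold=3):
    """Return (index, score, reasons) for every record at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        result = assess_run_key_event(ev)
        if result and result[0] >= threshold:
            hits.append((i, result[0], result[1]))
    return hits


# Constructed records (not from the report's own logs). The first mirrors the
# reg.exe command line in the process tree; the second is a legitimate
# installer-written autorun; the third is a reg add to an unrelated key.
EVENTS = [
    {"Image": "C:\\Windows\\SysWOW64\\reg.exe",
     "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": 'REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                    '/v WinUpdate /t REG_SZ /d "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\msiexec.exe",
     "CommandLine": 'reg add HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run '
                    '/v OneDrive /d "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" /f'},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "reg add HKCU\\Software\\Contoso\\Agent /v Port /t REG_DWORD /d 8443 /f"},
]

if __name__ == "__main__":
    for i, score, reasons in hunt(EVENTS):
        print(f"event {i}: score {score}")
        for r in reasons:
            print("  -", r)
```

The same scoring applies unchanged to Sysmon Event ID 13 (registry value set) records, taking the key from TargetObject and the data from Details instead of parsing a command line; that source is the more robust one, because a sample that writes the Run value through the registry API instead of spawning reg.exe leaves no process-creation event to parse at all.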
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\FBWPVNEO.bat
  MD5: cac890d00365d07b9ca89def17cc3a36
  SHA1: 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
  SHA256: 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
  SHA512: 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (listed four times in the report, identical hashes each time)
  MD5: fb7eec42daceb4cbe5f5e87125e1d6cc
  SHA1: 7f8d7b6e01ef36a895806a892a7364a29f4498e7
  SHA256: eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97
  SHA512: 58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3
- \Users\Admin\AppData\Roaming\Microsoft\winupd.exe (listed twice, same file and hashes as above)
  MD5: fb7eec42daceb4cbe5f5e87125e1d6cc
  SHA1: 7f8d7b6e01ef36a895806a892a7364a29f4498e7
  SHA256: eb13f8b7d63ccef3caa34dba36ada9d036de8565f3a41f14b1ef38e583617c97
  SHA512: 58586297af07327e62514f85d6c94ab88fbe1b227c0e9378e3dd8a112b8ea7104983df4fc67f935248ac4d81276787defd75ab927d6b9385b7c6efce5b72aaa3
- memory/1012-86-0x0000000000000000-mapping.dmp
- memory/1176-63-0x0000000000000000-mapping.dmp
- memory/1516-57-0x000000000040140C-mapping.dmp
- memory/1516-60-0x0000000076B61000-0x0000000076B63000-memory.dmp (8KB)
- memory/1516-56-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
- memory/1580-67-0x00000000001E0000-0x00000000001E2000-memory.dmp (8KB)
- memory/1580-68-0x00000000003F0000-0x00000000003F2000-memory.dmp (8KB)
- memory/1580-69-0x0000000001D00000-0x0000000001D02000-memory.dmp (8KB)
- memory/1600-72-0x000000000040140C-mapping.dmp
- memory/1652-74-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB; the region matched by the upx YARA rule above)
- memory/1652-83-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB; same region, second dump)
- memory/1652-84-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/1652-75-0x00000000004B5670-mapping.dmp
- memory/1752-87-0x0000000000000000-mapping.dmp
- memory/1852-81-0x0000000000000000-mapping.dmp