Analysis
  max time kernel: 151s
  max time network: 156s
  platform: windows10_x64
  resource: win10v20210408
  submitted: 22-09-2021 13:23
  Static task: static1
  Behavioral task: behavioral1
  Sample: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
  Resource: win7-en-20210920
General
  Target: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
  Size: 520KB
  MD5: 8cacb0a780eab8956b0d068f51f720d2
  SHA1: f24f2b98db4bee8b0e5da51cb3d33ed6fd5c64c6
  SHA256: c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded
  SHA512: 689e0c87bfff0698bf0fb88ee7129923ed619d6c1480d336f80e3de222e5f2f2ceb73ac3c50e456f7d8879e078868799cab7db30eafca89774c4bb0e0a5755b6
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
  Processes:
    description | pid | process | target process
    PID 640 created 2844 | 640 | WerFault.exe | ipconfig.exe

Executes dropped EXE (3 IoCs)
  Processes:
    pid | process
    3064 | winupd.exe
    848 | winupd.exe
    804 | winupd.exe

  Processes:
    resource | yara_rule
    behavioral2/memory/804-132-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
    behavioral2/memory/804-138-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 856 set thread context of 2720 | 856 | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
    PID 3064 set thread context of 848 | 3064 | winupd.exe | winupd.exe
    PID 3064 set thread context of 804 | 3064 | winupd.exe | winupd.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    640 | 2844 | WerFault.exe | ipconfig.exe

Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  Processes:
    pid | process
    2844 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
    pid | process
    640 | WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Processes:
    description | pid | process
    Token: SeIncreaseQuotaPrivilege | 804 | winupd.exe
    Token: SeSecurityPrivilege | 804 | winupd.exe
    Token: SeTakeOwnershipPrivilege | 804 | winupd.exe
    Token: SeLoadDriverPrivilege | 804 | winupd.exe
    Token: SeSystemProfilePrivilege | 804 | winupd.exe
    Token: SeSystemtimePrivilege | 804 | winupd.exe
    Token: SeProfSingleProcessPrivilege | 804 | winupd.exe
    Token: SeIncBasePriorityPrivilege | 804 | winupd.exe
    Token: SeCreatePagefilePrivilege | 804 | winupd.exe
    Token: SeBackupPrivilege | 804 | winupd.exe
    Token: SeRestorePrivilege | 804 | winupd.exe
    Token: SeShutdownPrivilege | 804 | winupd.exe
    Token: SeDebugPrivilege | 804 | winupd.exe
    Token: SeSystemEnvironmentPrivilege | 804 | winupd.exe
    Token: SeChangeNotifyPrivilege | 804 | winupd.exe
    Token: SeRemoteShutdownPrivilege | 804 | winupd.exe
    Token: SeUndockPrivilege | 804 | winupd.exe
    Token: SeManageVolumePrivilege | 804 | winupd.exe
    Token: SeImpersonatePrivilege | 804 | winupd.exe
    Token: SeCreateGlobalPrivilege | 804 | winupd.exe
    Token: 33 | 804 | winupd.exe
    Token: 34 | 804 | winupd.exe
    Token: 35 | 804 | winupd.exe
    Token: 36 | 804 | winupd.exe
    Token: SeRestorePrivilege | 640 | WerFault.exe
    Token: SeBackupPrivilege | 640 | WerFault.exe
    Token: SeDebugPrivilege | 640 | WerFault.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
    pid | process
    856 | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
    2720 | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
    3064 | winupd.exe
    848 | winupd.exe
    804 | winupd.exe

Suspicious use of WriteProcessMemory (32 IoCs)
  Processes (identical entries collapsed; count of repetitions in the last column):
    description | pid | process | target process | count
    PID 856 wrote to memory of 2720 | 856 | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe | 8
    PID 2720 wrote to memory of 3064 | 2720 | c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe | winupd.exe | 3
    PID 3064 wrote to memory of 848 | 3064 | winupd.exe | winupd.exe | 8
    PID 3064 wrote to memory of 804 | 3064 | winupd.exe | winupd.exe | 8
    PID 848 wrote to memory of 2844 | 848 | winupd.exe | ipconfig.exe | 5
Processes

1. C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\c68d0ea47c9991b37b938c0d2635f2755668e185abcf937dc46b42758b600ded.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\ipconfig.exe
               Command line: "C:\Windows\system32\ipconfig.exe"
               - Gathers network information

               6. C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 276
                  - Suspicious use of NtCreateProcessExOtherParentProcess
                  - Program crash
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken

         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    MD5: 95e4be95a17419287e571bba390baa80
    SHA1: c7179e5d14414ba2448c06fdb3f5dd3b3dd39dff
    SHA256: a27452515b1bf848ff088adcaaf4347a555c65d7e2ed699f57e277196e58f4f2
    SHA512: d58cd503e7206cb3eff423591db2d896c64568a7d5208dc80f2d399552c60360b144abf25a2296e8bc6d2fe27ecfb51064b7899a4d59724e37c14c0ed502d568
- memory/804-133-0x00000000004B5670-mapping.dmp
- memory/804-132-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/804-138-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/804-139-0x0000000000A80000-0x0000000000A81000-memory.dmp (Filesize: 4KB)
- memory/848-130-0x000000000040140C-mapping.dmp
- memory/856-125-0x00000000020E0000-0x00000000020E2000-memory.dmp (Filesize: 8KB)
- memory/856-126-0x0000000002AE0000-0x0000000002AE2000-memory.dmp (Filesize: 8KB)
- memory/856-127-0x0000000002AF0000-0x0000000002AF2000-memory.dmp (Filesize: 8KB)
- memory/2720-128-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2720-117-0x000000000040140C-mapping.dmp
- memory/2720-116-0x0000000000400000-0x0000000000407000-memory.dmp (Filesize: 28KB)
- memory/2844-137-0x0000000000000000-mapping.dmp
- memory/3064-120-0x0000000000000000-mapping.dmp