Analysis
max time kernel: 152s
max time network: 147s
platform: windows7_x64
resource: win7-en-20210920
submitted: 22-09-2021 13:23
Static task: static1
Behavioral task: behavioral1
Sample: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
Resource: win7-en-20210920
General
Target: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
Size: 520KB
MD5: 642a19d61f9d148344d263180d4e386a
SHA1: e5005eab11acaec13e0c6a2af0744d99727b1d07
SHA256: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8
SHA512: 2a337f1910cf046e6b0964430b029a2213d9966f9208df3a9614bc178c6743b48401ea9ee87886b404131c50449f82abdb0796c6c5c3344c5186e5fd877b57db
Malware Config
Signatures
-
Executes dropped EXE (3 IoCs)
Processes:
pid   process
756   winupd.exe
1328  winupd.exe
1696  winupd.exe
-
Processes:
resource                                                                     yara_rule
behavioral1/memory/1696-74-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
behavioral1/memory/1696-85-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
-
Loads dropped DLL (2 IoCs)
Processes:
pid  process
856  02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
856  02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
Key created: \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" (reg.exe)
-
Suspicious use of SetThreadContext (3 IoCs)
Processes:
PID 1432 set thread context of 856 (02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe -> 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe)
PID 756 set thread context of 1328 (winupd.exe -> winupd.exe)
PID 756 set thread context of 1696 (winupd.exe -> winupd.exe)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes:
pid   process
1364  ipconfig.exe
-
Modifies registry key (1 TTPs, 1 IoCs)
-
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
All 23 entries are for PID 1696 winupd.exe:
Token: SeIncreaseQuotaPrivilege
Token: SeSecurityPrivilege
Token: SeTakeOwnershipPrivilege
Token: SeLoadDriverPrivilege
Token: SeSystemProfilePrivilege
Token: SeSystemtimePrivilege
Token: SeProfSingleProcessPrivilege
Token: SeIncBasePriorityPrivilege
Token: SeCreatePagefilePrivilege
Token: SeBackupPrivilege
Token: SeRestorePrivilege
Token: SeShutdownPrivilege
Token: SeDebugPrivilege
Token: SeSystemEnvironmentPrivilege
Token: SeChangeNotifyPrivilege
Token: SeRemoteShutdownPrivilege
Token: SeUndockPrivilege
Token: SeManageVolumePrivilege
Token: SeImpersonatePrivilege
Token: SeCreateGlobalPrivilege
Token: 33
Token: 34
Token: 35
-
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
pid   process
1432  02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
856   02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
756   winupd.exe
1328  winupd.exe
1696  winupd.exe
-
Suspicious use of WriteProcessMemory (44 IoCs)
Processes (identical entries collapsed; the number of occurrences is given in brackets):
PID 1432 wrote to memory of 856 (02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe -> 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe) [9]
PID 856 wrote to memory of 756 (02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe -> winupd.exe) [4]
PID 756 wrote to memory of 1328 (winupd.exe -> winupd.exe) [9]
PID 756 wrote to memory of 1696 (winupd.exe -> winupd.exe) [8]
PID 1328 wrote to memory of 1364 (winupd.exe -> ipconfig.exe) [6]
PID 1364 wrote to memory of 1108 (ipconfig.exe -> cmd.exe) [4]
PID 1108 wrote to memory of 1820 (cmd.exe -> reg.exe) [4]
Processes (indentation shows the parent/child tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
         Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\ipconfig.exe
               Command line: "C:\Windows\system32\ipconfig.exe"
               - Gathers network information
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\cmd.exe
                  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\VPINUGGA.bat" "
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\SysWOW64\reg.exe
                     Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
                     - Adds Run key to start application
                     - Modifies registry key
         4. C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
            - Executes dropped EXE
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VPINUGGA.bat
MD5: cac890d00365d07b9ca89def17cc3a36
SHA1: 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
SHA256: 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
SHA512: 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: 830019c39cc8de4190362db921eed918
SHA1: 1ed946fadb55a84a4de3894618fa57831082b3d6
SHA256: 9ae263183a85c03773a03d3f9a56e0173ba81f6a90c6d119700ad5cae44d54e6
SHA512: a91a4d97733a5e03a5d170513f48d7f4be438e18e48ccf03bd18baa728a4553430a99a91f5fb955510c682962c2677f4a8637ae4904a4c3e2eeadd0bcc5b3b36
-
\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: 830019c39cc8de4190362db921eed918
SHA1: 1ed946fadb55a84a4de3894618fa57831082b3d6
SHA256: 9ae263183a85c03773a03d3f9a56e0173ba81f6a90c6d119700ad5cae44d54e6
SHA512: a91a4d97733a5e03a5d170513f48d7f4be438e18e48ccf03bd18baa728a4553430a99a91f5fb955510c682962c2677f4a8637ae4904a4c3e2eeadd0bcc5b3b36
-
memory/756-63-0x0000000000000000-mapping.dmp
memory/856-57-0x000000000040140C-mapping.dmp
memory/856-60-0x00000000768C1000-0x00000000768C3000-memory.dmp (filesize 8KB)
memory/856-56-0x0000000000400000-0x0000000000407000-memory.dmp (filesize 28KB)
memory/1108-84-0x0000000000000000-mapping.dmp
memory/1328-72-0x000000000040140C-mapping.dmp
memory/1364-81-0x0000000000000000-mapping.dmp
memory/1432-67-0x0000000000260000-0x0000000000262000-memory.dmp (filesize 8KB)
memory/1432-69-0x00000000003C0000-0x00000000003C2000-memory.dmp (filesize 8KB)
memory/1432-68-0x00000000002B0000-0x00000000002B2000-memory.dmp (filesize 8KB)
memory/1696-74-0x0000000000400000-0x00000000004B7000-memory.dmp (filesize 732KB)
memory/1696-76-0x00000000004B5670-mapping.dmp
memory/1696-86-0x0000000000240000-0x0000000000241000-memory.dmp (filesize 4KB)
memory/1696-85-0x0000000000400000-0x00000000004B7000-memory.dmp (filesize 732KB)
memory/1820-87-0x0000000000000000-mapping.dmp