Analysis
max time kernel: 151s
max time network: 155s
platform: windows10_x64
resource: win10v20210408
submitted: 22-09-2021 13:23
Static task: static1
Behavioral task: behavioral1
Sample: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
Resource: win7-en-20210920
General
Target: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
Size: 520KB
MD5: 642a19d61f9d148344d263180d4e386a
SHA1: e5005eab11acaec13e0c6a2af0744d99727b1d07
SHA256: 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8
SHA512: 2a337f1910cf046e6b0964430b029a2213d9966f9208df3a9614bc178c6743b48401ea9ee87886b404131c50449f82abdb0796c6c5c3344c5186e5fd877b57db
Malware Config
Signatures

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoCs)
Processes (description | pid | process | target process):
  PID 2020 created 3508 | 2020 | WerFault.exe | ipconfig.exe

Executes dropped EXE (3 IoCs)
Processes (pid | process):
  2592 | winupd.exe
  3032 | winupd.exe
  412 | winupd.exe

Processes (resource | yara_rule):
  behavioral2/memory/412-132-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/412-138-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
  PID 644 set thread context of 2148 | 644 | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
  PID 2592 set thread context of 3032 | 2592 | winupd.exe | winupd.exe
  PID 2592 set thread context of 412 | 2592 | winupd.exe | winupd.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
Processes (pid | pid_target | process | target process):
  2020 | 3508 | WerFault.exe | ipconfig.exe

Gathers network information (2 TTPs, 1 IoCs)
Uses commandline utility to view network configuration.
Processes (pid | process):
  3508 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes (pid | process):
  2020 | WerFault.exe (14 identical entries)

Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes (description | pid | process):
  Token: SeIncreaseQuotaPrivilege | 412 | winupd.exe
  Token: SeSecurityPrivilege | 412 | winupd.exe
  Token: SeTakeOwnershipPrivilege | 412 | winupd.exe
  Token: SeLoadDriverPrivilege | 412 | winupd.exe
  Token: SeSystemProfilePrivilege | 412 | winupd.exe
  Token: SeSystemtimePrivilege | 412 | winupd.exe
  Token: SeProfSingleProcessPrivilege | 412 | winupd.exe
  Token: SeIncBasePriorityPrivilege | 412 | winupd.exe
  Token: SeCreatePagefilePrivilege | 412 | winupd.exe
  Token: SeBackupPrivilege | 412 | winupd.exe
  Token: SeRestorePrivilege | 412 | winupd.exe
  Token: SeShutdownPrivilege | 412 | winupd.exe
  Token: SeDebugPrivilege | 412 | winupd.exe
  Token: SeSystemEnvironmentPrivilege | 412 | winupd.exe
  Token: SeChangeNotifyPrivilege | 412 | winupd.exe
  Token: SeRemoteShutdownPrivilege | 412 | winupd.exe
  Token: SeUndockPrivilege | 412 | winupd.exe
  Token: SeManageVolumePrivilege | 412 | winupd.exe
  Token: SeImpersonatePrivilege | 412 | winupd.exe
  Token: SeCreateGlobalPrivilege | 412 | winupd.exe
  Token: 33 | 412 | winupd.exe
  Token: 34 | 412 | winupd.exe
  Token: 35 | 412 | winupd.exe
  Token: 36 | 412 | winupd.exe
  Token: SeRestorePrivilege | 2020 | WerFault.exe
  Token: SeBackupPrivilege | 2020 | WerFault.exe
  Token: SeDebugPrivilege | 2020 | WerFault.exe

Suspicious use of SetWindowsHookEx (5 IoCs)
Processes (pid | process):
  644 | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
  2148 | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe
  2592 | winupd.exe
  3032 | winupd.exe
  412 | winupd.exe

Suspicious use of WriteProcessMemory (32 IoCs)
Processes (description | pid | process | target process), identical entries grouped with their count:
  PID 644 wrote to memory of 2148 | 644 | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe (8 entries)
  PID 2148 wrote to memory of 2592 | 2148 | 02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe | winupd.exe (3 entries)
  PID 2592 wrote to memory of 3032 | 2592 | winupd.exe | winupd.exe (8 entries)
  PID 2592 wrote to memory of 412 | 2592 | winupd.exe | winupd.exe (8 entries)
  PID 3032 wrote to memory of 3508 | 3032 | winupd.exe | ipconfig.exe (5 entries)
Processes (process tree, indented by depth; the number in parentheses is the depth shown in the report)

C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe (2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\02811b25e52053553af9b1edf031e2e83cdc7a80b68e45fbca1617872dee55d8.exe"
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (3)
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe (5)
          Command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information

          C:\Windows\SysWOW64\WerFault.exe (6)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 256
            - Suspicious use of NtCreateProcessExOtherParentProcess
            - Program crash
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (4)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: 19a55bf0754e7db600de78ade37f14a7
SHA1: daa415378ca4e0d8d68a9dc9973044d08403bad8
SHA256: 4e3af6649a7aa865527370f09b7fb3adbd5bea98bf41c7d464fb70757d088f97
SHA512: 2b718606ee2bd2750f1ea70d1b41fcf668c092b71c2d051bfb1385bcc3d7732b225744a9bf4c2279671d554e6bacdeb4f56a9c7b02f7f7f66001db043976cce4
Memory dumps (file | Filesize):
  memory/412-132-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/412-139-0x0000000000690000-0x0000000000691000-memory.dmp | 4KB
  memory/412-138-0x0000000000400000-0x00000000004B7000-memory.dmp | 732KB
  memory/412-133-0x00000000004B5670-mapping.dmp
  memory/644-120-0x0000000002210000-0x0000000002212000-memory.dmp | 8KB
  memory/644-122-0x00000000022F0000-0x00000000022F2000-memory.dmp | 8KB
  memory/644-123-0x0000000002300000-0x0000000002302000-memory.dmp | 8KB
  memory/2148-126-0x0000000000400000-0x0000000000407000-memory.dmp | 28KB
  memory/2148-116-0x0000000000400000-0x0000000000407000-memory.dmp | 28KB
  memory/2148-117-0x000000000040140C-mapping.dmp
  memory/2592-121-0x0000000000000000-mapping.dmp
  memory/3032-130-0x000000000040140C-mapping.dmp
  memory/3508-137-0x0000000000000000-mapping.dmp