Analysis
- max time kernel: 153s
- max time network: 44s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 23-09-2021 07:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
- Resource: win7v20210408
General
- Target: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
- Size: 520KB
- MD5: d683b4b96582e58a06ddc15284ea35c8
- SHA1: 2a9902159d8dabec02f9ee13e791fa298290fc81
- SHA256: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
- SHA512: a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19
Malware Config
Signatures
Executes dropped EXE 3 IoCs
Processes:
- winupd.exe (PID 1280)
- winupd.exe (PID 1468)
- winupd.exe (PID 2024)
Resource / yara_rule:
- behavioral1/memory/2024-80-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/2024-92-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
Loads dropped DLL 2 IoCs
Processes:
- 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe (PID 1260)
- 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe (PID 1260)
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray" (reg.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (pid, process, target process):
- PID 1120 (8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe) set thread context of 1260 (8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe)
- PID 1280 (winupd.exe) set thread context of 1468 (winupd.exe)
- PID 1280 (winupd.exe) set thread context of 2024 (winupd.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
- ipconfig.exe (PID 1944)
Modifies registry key 1 TTPs 1 IoCs
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes: winupd.exe (PID 2024) adjusted the following tokens:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
- 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe (PID 1120)
- 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe (PID 1260)
- winupd.exe (PID 1280)
- winupd.exe (PID 1468)
- winupd.exe (PID 2024)
Suspicious use of WriteProcessMemory 44 IoCs
Processes (pid, process, target process; identical events grouped with their count):
- PID 1120 (8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe) wrote to memory of 1260 (8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe): 9 events
- PID 1260 (8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe) wrote to memory of 1280 (winupd.exe): 4 events
- PID 1280 (winupd.exe) wrote to memory of 1468 (winupd.exe): 9 events
- PID 1280 (winupd.exe) wrote to memory of 2024 (winupd.exe): 8 events
- PID 1468 (winupd.exe) wrote to memory of 1944 (ipconfig.exe): 6 events
- PID 1944 (ipconfig.exe) wrote to memory of 688 (cmd.exe): 4 events
- PID 688 (cmd.exe) wrote to memory of 1728 (reg.exe): 4 events
Processes (tree; the number is the nesting depth in the original report)
- [1] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\SysWOW64\ipconfig.exe
          Command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKWWAXSR.bat" "
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\SysWOW64\reg.exe
              Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
              - Adds Run key to start application
              - Modifies registry key
      - [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\IKWWAXSR.bat
  MD5: cac890d00365d07b9ca89def17cc3a36
  SHA1: 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
  SHA256: 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
  SHA512: 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  MD5: eacdad3dde7f8d5cec59a89d0c33d1fb
  SHA1: b416e98080d6446d7d992f5393a00b18f0d40e8b
  SHA256: 1d45f420751541dc06a04de925c8336bb48665d83d089c5abab194460f810cb2
  SHA512: 52a211066237e8b1ed680cad751f5a18f35003011022739b477451489a8a3fbc8e496c12a30b41beb82fd7eed13db770779b65d319d614c4be92fe229985ef59
Memory dumps (file, size where recorded):
- memory/688-90-0x0000000000000000-mapping.dmp
- memory/1120-73-0x0000000000250000-0x0000000000252000-memory.dmp (8KB)
- memory/1120-74-0x0000000000370000-0x0000000000372000-memory.dmp (8KB)
- memory/1120-75-0x0000000000380000-0x0000000000382000-memory.dmp (8KB)
- memory/1260-62-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
- memory/1260-63-0x000000000040140C-mapping.dmp
- memory/1260-66-0x0000000074D91000-0x0000000074D93000-memory.dmp (8KB)
- memory/1280-69-0x0000000000000000-mapping.dmp
- memory/1468-78-0x000000000040140C-mapping.dmp
- memory/1728-91-0x0000000000000000-mapping.dmp
- memory/1944-87-0x0000000000000000-mapping.dmp
- memory/2024-80-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2024-82-0x00000000004B5670-mapping.dmp
- memory/2024-93-0x0000000000250000-0x0000000000251000-memory.dmp (4KB)
- memory/2024-92-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)