Analysis
- max time kernel: 151s
- max time network: 152s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 23-09-2021 07:12
Static task: static1
Behavioral task: behavioral1
Sample: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Resource: win7v20210408
General
- Target: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
- Size: 520KB
- MD5: d683b4b96582e58a06ddc15284ea35c8
- SHA1: 2a9902159d8dabec02f9ee13e791fa298290fc81
- SHA256: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
- SHA512: a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
PID 1964 WerFault.exe created process 3624 ipconfig.exe
-
Executes dropped EXE 3 IoCs
Processes:
PID 3852 winupd.exe
PID 416 winupd.exe
PID 2416 winupd.exe
-
Processes:
resource: behavioral2/memory/2416-132-0x0000000000400000-0x00000000004B7000-memory.dmp  yara_rule: upx
resource: behavioral2/memory/2416-139-0x0000000000400000-0x00000000004B7000-memory.dmp  yara_rule: upx
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 640 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe set thread context of 3108 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3852 winupd.exe set thread context of 416 winupd.exe
PID 3852 winupd.exe set thread context of 2416 winupd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
PID 1964 WerFault.exe (crashed target: PID 3624 ipconfig.exe)
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
PID 3624 ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
PID 1964 WerFault.exe (14 events)
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
PID 2416 winupd.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 1964 WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
PID 640 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3108 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
PID 3852 winupd.exe
PID 416 winupd.exe
PID 2416 winupd.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
PID 640 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe wrote to memory of 3108 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe (8 events)
PID 3108 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe wrote to memory of 3852 winupd.exe (3 events)
PID 3852 winupd.exe wrote to memory of 416 winupd.exe (8 events)
PID 3852 winupd.exe wrote to memory of 2416 winupd.exe (8 events)
PID 416 winupd.exe wrote to memory of 3624 ipconfig.exe (5 events)
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
Command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
[depth 5] C:\Windows\SysWOW64\ipconfig.exe
Command line: "C:\Windows\system32\ipconfig.exe"
- Gathers network information
-
[depth 6] C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 256
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
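The signature tables and process tree above contain one recognisable pattern worth extracting mechanically: a parent that writes into a child running the same image and then resets the child's thread context (640 -> 3108 for the original sample, 3852 -> 416 and 3852 -> 2416 for the dropped winupd.exe), which is the RunPE / process-hollowing sequence. The Python below is an added example, not code from the sandbox or from the sample. It parses event lines written in the report's own wording (constructed here from the PIDs and image names listed above), separates same-image SetThreadContext+WriteProcessMemory pairs from write-only edges, lists the sensitive token privileges the dropped winupd.exe enabled, and flags executables launched from a user-writable AppData path. The regexes, the SENSITIVE_PRIVS set and the function names are my own choices and are not part of the report.

```python
"""Extract the hollowing chain, privilege use and dropped-file path from
sandbox-style signature lines. Added example, not the sandbox's own code."""
import re
from collections import defaultdict

SAMPLE = "8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"

# Constructed from the report's signature tables: one record per line, either
# "PID <src> <action> <dst> <src> <src image> <dst image>" or
# "Token: <privilege> <pid> <image>", in the sandbox's own wording.
EVENTS = f"""
PID 640 set thread context of 3108 640 {SAMPLE} {SAMPLE}
PID 640 wrote to memory of 3108 640 {SAMPLE} {SAMPLE}
PID 3108 wrote to memory of 3852 3108 {SAMPLE} winupd.exe
PID 3852 set thread context of 416 3852 winupd.exe winupd.exe
PID 3852 wrote to memory of 416 3852 winupd.exe winupd.exe
PID 3852 set thread context of 2416 3852 winupd.exe winupd.exe
PID 3852 wrote to memory of 2416 3852 winupd.exe winupd.exe
PID 416 wrote to memory of 3624 416 winupd.exe ipconfig.exe
Token: SeDebugPrivilege 2416 winupd.exe
Token: SeLoadDriverPrivilege 2416 winupd.exe
Token: SeChangeNotifyPrivilege 2416 winupd.exe
Token: SeDebugPrivilege 1964 WerFault.exe
"""

# Command lines copied from the process tree, for the dropped-file path check.
PROCESS_TREE = [
    f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"',
    r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray",
    r'"C:\Windows\system32\ipconfig.exe"',
]

CROSS_PROC = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (\S+) (\S+)$")
TOKEN = re.compile(r"^Token: (\S+) (\d+) (\S+)$")
USER_WRITABLE = re.compile(r'^"?C:\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)

# Privileges a user-mode implant has no ordinary need for; SeDebugPrivilege in
# particular lets it open any process for further injection. (My selection.)
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege",
                   "SeBackupPrivilege", "SeRestorePrivilege", "SeImpersonatePrivilege"}


def parse_events(text):
    """Return (edges, images, privs): edges maps action -> {(src_pid, dst_pid)},
    images maps pid -> image name, privs maps pid -> {privilege}."""
    edges, images, privs = defaultdict(set), {}, defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        m = CROSS_PROC.match(line)
        if m:
            src, action, dst, src_img, dst_img = m.groups()
            edges[action].add((int(src), int(dst)))
            images[int(src)], images[int(dst)] = src_img, dst_img
            continue
        m = TOKEN.match(line)
        if m:
            priv, pid, img = m.groups()
            privs[int(pid)].add(priv)
            images.setdefault(int(pid), img)
    return edges, images, privs


def find_hollowing(edges, images):
    """Parent both writes into and resets the thread context of a child that runs
    the same image: the RunPE / process-hollowing pattern. Returns (parent, child, image)."""
    ctx, wpm = edges["set thread context of"], edges["wrote to memory of"]
    return sorted((p, c, images[c]) for (p, c) in ctx & wpm if images[p] == images[c])


def find_injection(edges, images):
    """WriteProcessMemory into a differently named child with no SetThreadContext.
    Loaders do this during ordinary process creation, so report it separately."""
    ctx, wpm = edges["set thread context of"], edges["wrote to memory of"]
    return sorted((p, c, images[p], images[c]) for (p, c) in wpm - ctx if images[p] != images[c])


def sensitive_privileges(privs, images, ignore=("WerFault.exe",)):
    """Sensitive privileges enabled per pid, skipping Windows Error Reporting,
    which legitimately enables SeDebugPrivilege to dump a crashed process."""
    return {pid: sorted(p & SENSITIVE_PRIVS) for pid, p in privs.items()
            if images.get(pid) not in ignore and p & SENSITIVE_PRIVS}


def executables_in_user_profile(cmdlines):
    """Command lines whose image lives under a user's AppData, a location a
    dropper can write to without elevation (winupd.exe sits there)."""
    return [c for c in cmdlines if USER_WRITABLE.match(c)]


if __name__ == "__main__":
    edges, images, privs = parse_events(EVENTS)
    for p, c, img in find_hollowing(edges, images):
        print(f"hollowing: {p} -> {c} ({img})")
    for p, c, pi, ci in find_injection(edges, images):
        print(f"write-only: {p} ({pi}) -> {c} ({ci})")
    print("sensitive privileges:", sensitive_privileges(privs, images))
    print("user-profile executables:", executables_in_user_profile(PROCESS_TREE))
```

Two caveats when reading the output. WriteProcessMemory from a parent into a child it has just created is also produced by benign process creation, so the write-only edges (3108 -> 3852 and 416 -> 3624 here) are not evidence of injection on their own; the discriminator for hollowing is SetThreadContext against a same-image child. The privilege rows record what winupd.exe requested through AdjustTokenPrivileges, not which requests the token actually allowed, so treat them as intent rather than confirmed capability.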
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5 07d01fdd5c10422bdeb5f58fc9cbae97
SHA1 9957a399cbdca3bc6326eb96ac78c0fbb637c0f7
SHA256 3f9f009d38cfd0b749c9da99521ff1be1314ba60d4289244466fc32345a94769
SHA512 293a79d91ae0cfa0810dbfeac881879fcdac3657a944a4e6a0f2ae175baa0ee245b72afad6a29b7151cf367d206361baa6ddd38760005ee34c4d7f91d54d276b
-
memory/416-130-0x000000000040140C-mapping.dmp
-
memory/640-127-0x0000000002360000-0x0000000002362000-memory.dmp  Filesize 8KB
-
memory/640-126-0x0000000002350000-0x0000000002352000-memory.dmp  Filesize 8KB
-
memory/640-125-0x0000000002170000-0x0000000002172000-memory.dmp  Filesize 8KB
-
memory/2416-132-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize 732KB
-
memory/2416-133-0x00000000004B5670-mapping.dmp
-
memory/2416-139-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize 732KB
-
memory/2416-140-0x0000000000B40000-0x0000000000B41000-memory.dmp  Filesize 4KB
-
memory/3108-128-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize 28KB
-
memory/3108-116-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize 28KB
-
memory/3108-117-0x000000000040140C-mapping.dmp
-
memory/3624-137-0x0000000000000000-mapping.dmp
-
memory/3852-120-0x0000000000000000-mapping.dmp
-
memory/3852-138-0x0000000000560000-0x00000000006AA000-memory.dmp  Filesize 1.3MB