Analysis
max time kernel: 150s
max time network: 153s
platform: windows10_x64
resource: win10v20210408
submitted: 23-09-2021 07:12

Static task: static1
Behavioral task: behavioral1
Sample: a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
Resource: win7-en-20210920
General
Target: a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
Size: 520KB
MD5: 452b72638cf014d97a9b5a219e4685f9
SHA1: df7b8e92163dfe5bcfd1f1f8ea832d5c655d457c
SHA256: a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf
SHA512: a30e2cb3bbe1138bf148dcca0187c366f60b064115820b5848f2f177aafbfd97cc3ed2d301ff3dd53001e46337b97595f7df6a014aa3c3ebc69628f22d03623f
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description                 | pid  | process      | target process
  PID 1156 created 4036       | 1156 | WerFault.exe | ipconfig.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid  | process
  3940 | winupd.exe
  3004 | winupd.exe
  512  | winupd.exe
Processes:
  resource                                                                   | yara_rule
  behavioral2/memory/512-132-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/512-138-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          | pid  | process                                                              | target process
  PID 860 set thread context of 3176   | 860  | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
  PID 3940 set thread context of 3004  | 3940 | winupd.exe                                                           | winupd.exe
  PID 3940 set thread context of 512   | 3940 | winupd.exe                                                           | winupd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
  pid  | pid_target | process      | target process
  1156 | 4036       | WerFault.exe | ipconfig.exe
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
  pid  | process
  4036 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid  | process
  1156 | WerFault.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes:
  description                            | pid  | process
  Token: SeIncreaseQuotaPrivilege        | 512  | winupd.exe
  Token: SeSecurityPrivilege             | 512  | winupd.exe
  Token: SeTakeOwnershipPrivilege        | 512  | winupd.exe
  Token: SeLoadDriverPrivilege           | 512  | winupd.exe
  Token: SeSystemProfilePrivilege        | 512  | winupd.exe
  Token: SeSystemtimePrivilege           | 512  | winupd.exe
  Token: SeProfSingleProcessPrivilege    | 512  | winupd.exe
  Token: SeIncBasePriorityPrivilege      | 512  | winupd.exe
  Token: SeCreatePagefilePrivilege       | 512  | winupd.exe
  Token: SeBackupPrivilege               | 512  | winupd.exe
  Token: SeRestorePrivilege              | 512  | winupd.exe
  Token: SeShutdownPrivilege             | 512  | winupd.exe
  Token: SeDebugPrivilege                | 512  | winupd.exe
  Token: SeSystemEnvironmentPrivilege    | 512  | winupd.exe
  Token: SeChangeNotifyPrivilege         | 512  | winupd.exe
  Token: SeRemoteShutdownPrivilege       | 512  | winupd.exe
  Token: SeUndockPrivilege               | 512  | winupd.exe
  Token: SeManageVolumePrivilege         | 512  | winupd.exe
  Token: SeImpersonatePrivilege          | 512  | winupd.exe
  Token: SeCreateGlobalPrivilege         | 512  | winupd.exe
  Token: 33                              | 512  | winupd.exe
  Token: 34                              | 512  | winupd.exe
  Token: 35                              | 512  | winupd.exe
  Token: 36                              | 512  | winupd.exe
  Token: SeRestorePrivilege              | 1156 | WerFault.exe
  Token: SeBackupPrivilege               | 1156 | WerFault.exe
  Token: SeDebugPrivilege                | 1156 | WerFault.exe
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid  | process
  860  | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
  3176 | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
  3940 | winupd.exe
  3004 | winupd.exe
  512  | winupd.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
  description                         | pid  | process                                                              | target process                                                       | count
  PID 860 wrote to memory of 3176     | 860  | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe | 8
  PID 3176 wrote to memory of 3940    | 3176 | a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe | winupd.exe                                                           | 3
  PID 3940 wrote to memory of 3004    | 3940 | winupd.exe                                                           | winupd.exe                                                           | 8
  PID 3940 wrote to memory of 512     | 3940 | winupd.exe                                                           | winupd.exe                                                           | 8
  PID 3004 wrote to memory of 4036    | 3004 | winupd.exe                                                           | ipconfig.exe                                                         | 5
Processes (process tree; indentation shows parent/child depth, image path followed by command line)

[1] C:\Users\Admin\AppData\Local\Temp\a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\a7c4aae68e13b16ed7d916ba7cde189381e597934b05a26d113a97c8ae8afdbf.exe"
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
            cmdline: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory

                [5] C:\Windows\SysWOW64\ipconfig.exe
                    cmdline: "C:\Windows\system32\ipconfig.exe"
                    - Gathers network information

                    [6] C:\Windows\SysWOW64\WerFault.exe
                        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 256
                        - Suspicious use of NtCreateProcessExOtherParentProcess
                        - Program crash
                        - Suspicious behavior: EnumeratesProcesses
                        - Suspicious use of AdjustPrivilegeToken

            [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
                cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  MD5: 198d4a0108a5fc1e5a16c10746dd75dc
  SHA1: 997037c6ed2f43b809ecc10d166a393c822d89b8
  SHA256: fb292ed96fc6df729ed6a604954bc8a83e79c5990fb00f59dc1e52886eefeae3
  SHA512: 3f34f576b128e702e92da40d8d8aff667e6040bd95d82b25fccff3b5a3efea58c01f387cd3c4c23fab1908da2f1287b21b3c7ab7c5af0e1fe6d1f83e4c4284c1
memory/512-133-0x00000000004B5670-mapping.dmp
memory/512-139-0x00000000007A0000-0x00000000007A1000-memory.dmp  Filesize: 4KB
memory/512-138-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/512-132-0x0000000000400000-0x00000000004B7000-memory.dmp  Filesize: 732KB
memory/860-127-0x0000000000810000-0x0000000000812000-memory.dmp  Filesize: 8KB
memory/860-126-0x0000000000800000-0x0000000000802000-memory.dmp  Filesize: 8KB
memory/860-125-0x0000000000630000-0x0000000000632000-memory.dmp  Filesize: 8KB
memory/3004-130-0x000000000040140C-mapping.dmp
memory/3176-116-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize: 28KB
memory/3176-117-0x000000000040140C-mapping.dmp
memory/3176-128-0x0000000000400000-0x0000000000407000-memory.dmp  Filesize: 28KB
memory/3940-120-0x0000000000000000-mapping.dmp
memory/4036-137-0x0000000000000000-mapping.dmp