Analysis
max time kernel: 151s
max time network: 150s
platform: windows10_x64
resource: win10v20210408
submitted: 23-09-2021 08:18
Static task: static1
Behavioral task: behavioral1
Sample: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Resource: win7-en-20210920
General
Target: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
Size: 520KB
MD5: d683b4b96582e58a06ddc15284ea35c8
SHA1: 2a9902159d8dabec02f9ee13e791fa298290fc81
SHA256: 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9
SHA512: a56674362d15ed66335b0a54449a658503a4346e58a066197c5665ab48da952b3c8bd3dc49cd0dee30b04208e7f97085ae74e332499f307700353de298331a19
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes:
  description | pid | process | target process
  PID 3872 created 3228 | 3872 | WerFault.exe | ipconfig.exe
Executes dropped EXE (3 IoCs)
Processes:
  pid | process
  2884 | winupd.exe
  816 | winupd.exe
  3888 | winupd.exe
Processes (yara rule matches):
  resource | yara_rule
  behavioral2/memory/3888-132-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
  behavioral2/memory/3888-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description | pid | process | target process
  PID 912 set thread context of 3276 | 912 | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
  PID 2884 set thread context of 816 | 2884 | winupd.exe | winupd.exe
  PID 2884 set thread context of 3888 | 2884 | winupd.exe | winupd.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoC)
Processes:
  pid | pid_target | process | target process
  3872 | 3228 | WerFault.exe | ipconfig.exe
Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
  pid | process
  3228 | ipconfig.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
  pid | process
  3872 | WerFault.exe (14 identical entries)
Suspicious use of AdjustPrivilegeToken (27 IoCs)
Processes (pid, process: tokens adjusted):
  3888 winupd.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  3872 WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
  pid | process
  912 | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
  3276 | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
  2884 | winupd.exe
  816 | winupd.exe
  3888 | winupd.exe
Suspicious use of WriteProcessMemory (32 IoCs)
Processes:
  description | pid | process | target process | entries
  PID 912 wrote to memory of 3276 | 912 | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe | 8
  PID 3276 wrote to memory of 2884 | 3276 | 8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe | winupd.exe | 3
  PID 2884 wrote to memory of 816 | 2884 | winupd.exe | winupd.exe | 8
  PID 2884 wrote to memory of 3888 | 2884 | winupd.exe | winupd.exe | 8
  PID 816 wrote to memory of 3228 | 816 | winupd.exe | ipconfig.exe | 5
Processes (process tree; indentation shows the parent/child level)
[1] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\8889fcdf809af0798c84c0e94bd7643a6b3d4fe40c6c99702a787617fb816cf9.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
        command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\ipconfig.exe
            command line: "C:\Windows\system32\ipconfig.exe"
            - Gathers network information
          [6] C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 256
              - Suspicious use of NtCreateProcessExOtherParentProcess
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
  MD5: f6ed76809535eb35f20a4d92603a015c
  SHA1: 5d34945e8efbf966e83e109f4bfb17d35d8df0ba
  SHA256: 4fbaa52705410aa33e19e5ea07cee4babde6a2c725858ca36ca5645e9ed7a0d1
  SHA512: 86eb2b94b654b026e6f1511c634ec4397c74a5e12a3e8a197b783ad3a2dcfb018b8d7ad857297a9c32b0bf7037ed7b61a3f490f927a438f8e84f40fabc011667
memory/816-130-0x000000000040140C-mapping.dmp
memory/912-125-0x0000000000740000-0x0000000000742000-memory.dmp (8KB)
memory/912-127-0x0000000002A60000-0x0000000002A62000-memory.dmp (8KB)
memory/912-126-0x0000000002A50000-0x0000000002A52000-memory.dmp (8KB)
memory/2884-133-0x0000000000590000-0x00000000006DA000-memory.dmp (1.3MB)
memory/2884-120-0x0000000000000000-mapping.dmp
memory/3228-138-0x0000000000000000-mapping.dmp
memory/3276-128-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
memory/3276-116-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
memory/3276-117-0x000000000040140C-mapping.dmp
memory/3888-134-0x00000000004B5670-mapping.dmp
memory/3888-132-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/3888-139-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
memory/3888-140-0x0000000000940000-0x0000000000941000-memory.dmp (4KB)