Analysis
- max time kernel: 153s
- max time network: 108s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 24-09-2021 06:12
Static task: static1
Behavioral task: behavioral1
- Sample: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
- Resource: win7v20210408
General
- Target: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
- Size: 520KB
- MD5: 2fc861e62742e8c9e534979d1aa3db9e
- SHA1: 195d8fcf006e93b5c46b3a4ce4d3d12d62818201
- SHA256: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779
- SHA512: b299df8b0b18940f66e50ad17a30f779e2bbfd92781d7d9acc5d91522880b9d407a1d7952ebfdd92954df7187683e87b3eb81eb8d8a440d24cf39b0330039f62
Malware Config
Signatures
-
- Executes dropped EXE (3 IoCs)
  pid   process
  2032  winupd.exe
  1252  winupd.exe
  2016  winupd.exe
-
- YARA rule match: upx (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2016-80-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  behavioral1/memory/2016-88-0x0000000000400000-0x00000000004B7000-memory.dmp  upx
  Both matches are on the mapped image of PID 2016 (the second winupd.exe child that 2032 hollows, see SetThreadContext below), not on a file on disk. The 0xB7000-byte (732KB) region at the image base is the one to pull from the memory dumps for unpacking.
-
- Loads dropped DLL (2 IoCs)
  pid   process
  1328  735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  1328  735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
-
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                          process
  Key created      \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\winupd.exe -notray"  reg.exe
  The value name "WinUpdate" and the %APPDATA%\Microsoft\ directory imitate a Windows Update component. The key is the user's HKCU Run key, so no elevation was needed and the entry fires at each logon of this user only.
-
- Suspicious use of SetThreadContext (3 IoCs)
  description         pid   process                                                                target pid  target process
  set thread context  1528  735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe  1328        735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  set thread context  2032  winupd.exe                                                             1252        winupd.exe
  set thread context  2032  winupd.exe                                                             2016        winupd.exe
  Each pair is a parent resetting the thread context of a child that runs the parent's own image, and each pair also appears under WriteProcessMemory below. That combination (create a child of your own image, write a new image into it, set its thread context, resume it) is process hollowing. The dropper hollows one copy of itself (1328); winupd.exe hollows two copies of itself (1252, which goes on to run ipconfig.exe, and 2016, which enables privileges).
-
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  That sentence is the sandbox's generic description of the signature. Nothing else in this report supports a ransomware classification: the only files recorded as written are winupd.exe and MIWULVON.bat, and there is no mass file activity. Treat "likely ransomware" as signature boilerplate, not as a finding about this sample.
-
- Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  pid   process
  1944  ipconfig.exe
  Low confidence as an information-gathering step. ipconfig.exe is started with no arguments by the hollowed winupd.exe (1252) and then itself spawns cmd.exe to run MIWULVON.bat, which ipconfig never does on its own. The WriteProcessMemory rows alone prove little (see that section), but the child process does: this ipconfig.exe is more plausibly hosting the next stage than enumerating the network.
-
- Modifies registry key (1 TTPs, 1 IoCs)
  No detail row is shown; in the process tree this tag sits on the same reg.exe (1428) that adds the Run key above.
-
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid 2016, process winupd.exe, enabled privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  The three numeric entries are privilege LUIDs the sandbox did not resolve to names; in the standard Windows privilege table 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege. Enabling the whole set at once, rather than just SeDebugPrivilege, is what a routine that walks every privilege in the token and enables each one looks like; it adds nothing the token did not already hold in the disabled state.
-
- Suspicious use of SetWindowsHookEx (5 IoCs)
  pid   process
  1528  735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  1328  735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  2032  winupd.exe
  1252  winupd.exe
  2016  winupd.exe
-
- Suspicious use of WriteProcessMemory (44 IoCs)
  Every row has the form "PID <source> wrote to memory of <target>"; the 44 rows collapse to seven parent-to-child pairs:
  source pid  source process                                                         target pid  target process                                                         rows
  1528        735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe  1328        735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe  9
  1328        735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe  2032        winupd.exe                                                             4
  2032        winupd.exe                                                             1252        winupd.exe                                                             9
  2032        winupd.exe                                                             2016        winupd.exe                                                             8
  1252        winupd.exe                                                             1944        ipconfig.exe                                                           6
  1944        ipconfig.exe                                                           1756        cmd.exe                                                                4
  1756        cmd.exe                                                                1428        reg.exe                                                                4
  Writes from a parent into a freshly created child are not by themselves evidence of injection: CreateProcess writes the new process's parameters into the child, which is why even cmd.exe to reg.exe appears here. The pairs that matter are the three that also appear under SetThreadContext (1528 to 1328, 2032 to 1252, 2032 to 2016).
Processes
-
PIDs are taken from the signature tables above (the tree itself does not list them). Image paths under C:\Windows\SysWOW64 while the command lines say system32 show that the chain is 32-bit code running under WOW64 file-system redirection.
- PID 1528: C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - PID 1328: C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe (hollowed copy of the dropper)
    command line: "C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - PID 2032: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - PID 1252: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (hollowed)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - PID 1944: C:\Windows\SysWOW64\ipconfig.exe
          command line: "C:\Windows\system32\ipconfig.exe"
          - Gathers network information
          - Suspicious use of WriteProcessMemory
          - PID 1756: C:\Windows\SysWOW64\cmd.exe (runs MIWULVON.bat, whose only observed effect is the REG ADD below)
            command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIWULVON.bat" "
            - Suspicious use of WriteProcessMemory
            - PID 1428: C:\Windows\SysWOW64\reg.exe
              command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f
              - Adds Run key to start application
              - Modifies registry key
      - PID 2016: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (hollowed)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
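The three checks a hunter would want from this tree, as an added example that is not part of the sandbox report or of the sample: parse IoC rows in the report's own flattened "PID <src> wrote to memory of <dst> <src> <image> <target image>" form, flag hollowing as a write plus SetThreadContext between a parent and a child of the same image, flag a leaf utility (ipconfig.exe) that spawns children, and flag a reg.exe Run-key addition whose target lives under AppData. REPORT_LINES and PROCESS_TREE are constructed from the PIDs, images and command lines shown above (one row per pair); NO_CHILD_UTILITIES is an assumed list.

```python
import re

# Added example; not part of the sandbox report or of the sample.
SAMPLE = "735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

# IoC rows in the report's flattened form, one per parent/child pair
# (constructed from the SetThreadContext and WriteProcessMemory tables above).
REPORT_LINES = [
    f"PID 1528 set thread context of 1328 1528 {SAMPLE} {SAMPLE}",
    "PID 2032 set thread context of 1252 2032 winupd.exe winupd.exe",
    "PID 2032 set thread context of 2016 2032 winupd.exe winupd.exe",
    f"PID 1528 wrote to memory of 1328 1528 {SAMPLE} {SAMPLE}",
    f"PID 1328 wrote to memory of 2032 1328 {SAMPLE} winupd.exe",
    "PID 2032 wrote to memory of 1252 2032 winupd.exe winupd.exe",
    "PID 2032 wrote to memory of 2016 2032 winupd.exe winupd.exe",
    "PID 1252 wrote to memory of 1944 1252 winupd.exe ipconfig.exe",
    "PID 1944 wrote to memory of 1756 1944 ipconfig.exe cmd.exe",
    "PID 1756 wrote to memory of 1428 1756 cmd.exe reg.exe",
]

# Process tree as (pid, image, parent pid, command line); PIDs from the signature tables.
PROCESS_TREE = [
    (1528, SAMPLE, None, f'"{TEMP_DIR}\\{SAMPLE}"'),
    (1328, SAMPLE, 1528, f'"{TEMP_DIR}\\{SAMPLE}"'),
    (2032, "winupd.exe", 1328, r"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray"),
    (1252, "winupd.exe", 2032, r'"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"'),
    (2016, "winupd.exe", 2032, r'"C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"'),
    (1944, "ipconfig.exe", 1252, r'"C:\Windows\system32\ipconfig.exe"'),
    (1756, "cmd.exe", 1944, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIWULVON.bat" "'),
    (1428, "reg.exe", 1756,
     r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinUpdate /t REG_SZ '
     r'/d "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray" /f'),
]

IOC_RE = re.compile(
    r"PID (?P<pid>\d+) (?P<verb>wrote to memory of|set thread context of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<target_image>\S+)"
)


def parse_ioc_lines(lines):
    """Turn the flattened rows into dicts; rows that do not match are skipped."""
    events = []
    for line in lines:
        m = IOC_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["pid"], e["target"] = int(e["pid"]), int(e["target"])
        e["verb"] = "setctx" if e["verb"].startswith("set") else "write"
        events.append(e)
    return events


def find_hollowing(events):
    """Parent writes into a child of its own image AND resets its thread context.
    The write alone is not evidence: CreateProcess writes the new process's
    parameters into every child, so each parent/child pair shows writes."""
    writes = {(e["pid"], e["target"]) for e in events if e["verb"] == "write"}
    return sorted(
        (e["pid"], e["target"], e["image"])
        for e in events
        if e["verb"] == "setctx"
        and (e["pid"], e["target"]) in writes
        and e["image"] == e["target_image"]
    )


# Utilities that should be leaf processes (assumed list; extend for your estate).
NO_CHILD_UTILITIES = {"ipconfig.exe", "hostname.exe", "whoami.exe"}


def find_leaf_utility_children(tree):
    """Children of utilities that never spawn processes on their own."""
    image_of = {pid: image for pid, image, _, _ in tree}
    return [
        (ppid, image_of[ppid], pid, image)
        for pid, image, ppid, _ in tree
        if ppid in image_of and image_of[ppid].lower() in NO_CHILD_UTILITIES
    ]


RUN_KEY_RE = re.compile(
    r'REG\s+ADD\s+(?P<key>\S*\\CurrentVersion\\Run)\s+/v\s+(?P<value>\S+)'
    r'.*?/d\s+"(?P<data>[^"]+)"',
    re.IGNORECASE,
)


def find_run_key_persistence(tree):
    """reg.exe additions to a Run key; flag targets under a user-writable profile path."""
    hits = []
    for pid, image, _, cmdline in tree:
        m = RUN_KEY_RE.search(cmdline)
        if m and image.lower() == "reg.exe":
            hits.append({
                "pid": pid,
                "key": m.group("key"),
                "value": m.group("value"),
                "data": m.group("data"),
                "user_writable": "\\appdata\\" in m.group("data").lower(),
            })
    return hits


if __name__ == "__main__":
    for src, dst, image in find_hollowing(parse_ioc_lines(REPORT_LINES)):
        print(f"hollowing: {src} -> {dst} ({image})")
    for ppid, pimage, pid, image in find_leaf_utility_children(PROCESS_TREE):
        print(f"leaf utility spawned child: {pimage} ({ppid}) -> {image} ({pid})")
    for h in find_run_key_persistence(PROCESS_TREE):
        print(f"Run key {h['key']}\\{h['value']} -> {h['data']} (user-writable: {h['user_writable']})")
```

On this report's data the hollowing check returns exactly the three SetThreadContext pairs and not 1328 to 2032 (different image, no context reset), the leaf-utility check returns ipconfig.exe (1944) spawning cmd.exe (1756), and the Run-key check returns the WinUpdate value pointing into AppData\Roaming. The same functions work over Sysmon process-create and process-access events once mapped to the same (pid, image, parent, command line) tuples.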
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
- C:\Users\Admin\AppData\Local\Temp\MIWULVON.bat
  MD5: cac890d00365d07b9ca89def17cc3a36
  SHA1: 6fa99679ede791c16b5d3e6d243a98e8bbdb7eab
  SHA256: 4f98ddee89760080a5c8a93666d2f5c97be52b741265ef4d1ce9aaebf05f12da
  SHA512: 124dc0b18e13425bde43bcbbe2a99005928e398bffcb458d498aac9e754bc5b92b703270667800876c60b0801343f2de8c6b9a1eebafd80bb4f6d5dc295dd9f1
-
- C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe (also recorded as \Users\Admin\AppData\Roaming\Microsoft\winupd.exe; all six entries carry the same hashes)
  MD5: 7777032ccffb4c38685fea6400716a58
  SHA1: b1edb664fe6a90f8973cc01c23c364e4ca5edc76
  SHA256: e803a733db95da5f53d690a7b83f1e789863ef693161af3ddf83a590e27160b2
  SHA512: 4348cd36c5d410d4179a88a15297a47824dafd4c2cb03b7f2b1baf1560e2e409716446db3d83029dd289a26dc07f51bca66a6e97f8492115ff27f36f0aa780af
  winupd.exe is not a copy of the submitted sample (SHA256 e803a733... against 735d4dea...), so hunt on both hashes. The random-looking name of the batch file (MIWULVON) suggests its name, and possibly its content, is generated per run; the Run-key value and the winupd.exe hashes are the more durable indicators.
-
- memory/1252-78-0x000000000040140C-mapping.dmp
- memory/1328-63-0x000000000040140C-mapping.dmp
- memory/1328-66-0x0000000075801000-0x0000000075803000-memory.dmp (8KB)
- memory/1328-62-0x0000000000400000-0x0000000000407000-memory.dmp (28KB)
- memory/1428-93-0x0000000000000000-mapping.dmp
- memory/1528-67-0x0000000000250000-0x0000000000252000-memory.dmp (8KB)
- memory/1528-68-0x0000000000330000-0x0000000000332000-memory.dmp (8KB)
- memory/1528-69-0x00000000003D0000-0x00000000003D2000-memory.dmp (8KB)
- memory/1756-92-0x0000000000000000-mapping.dmp
- memory/1944-87-0x0000000000000000-mapping.dmp
- memory/2016-82-0x00000000004B5670-mapping.dmp
- memory/2016-89-0x00000000003D0000-0x00000000003D1000-memory.dmp (4KB)
- memory/2016-88-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2016-80-0x0000000000400000-0x00000000004B7000-memory.dmp (732KB)
- memory/2032-72-0x0000000000000000-mapping.dmp
Filesizes are as given by the report. The two 0x400000-0x4B7000 dumps of PID 2016 are the region the upx YARA rule matched; the 0x400000-0x407000 (28KB) dump of 1328 is the image written into the dropper's hollowed child. The -mapping entries of the normally created processes (1428, 1756, 1944, 2032) carry address 0, while the three hollowed children carry addresses inside their dumped image regions (0x40140C for 1328 and 1252, 0x4B5670 for 2016); 1328 and 1252 sharing the same address is consistent with the same injected image being used in both hollowing steps.
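The upx YARA matches above are on the 0x400000-0x4B7000 dump of PID 2016, i.e. on a mapped image rather than a file. As an added example that is not part of the report, the following Python parses the section table of a PE image (a file or a dump taken at the image base) and reports the UPX tells a rule like that keys on: UPX0/UPX1 section names, the "UPX!" pack-header magic, and a first section with zero raw size but a large virtual size (the space the stub decompresses into). build_pe and the three inputs are constructed header-only images for the demonstration; the "packed" one is sized so its image size equals the report's 0xB7000-byte region, and none of the values are the real sample's headers.

```python
import struct

# Added example; constructed inputs, not the sample's real headers.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def pe_sections(data):
    """Section table of a PE image (file or dump starting at the image base)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)   # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    return sections


def image_size(data, page=0x1000):
    """Page-aligned end of the last section: what a loader maps, so comparable to a dump range."""
    end = max(s["vaddr"] + s["vsize"] for s in pe_sections(data))
    return (end + page - 1) & ~(page - 1)


def upx_indicators(data):
    secs = pe_sections(data)
    names = [s["name"] for s in secs]
    return {
        "sections": names,
        "upx_names": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_marker": b"UPX!" in data,   # magic of the UPX pack header
        # UPX0 has no data on disk: the stub in UPX1 decompresses the original image into it.
        "empty_first_section": bool(secs) and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0,
    }


def looks_upx_packed(data):
    """Section names are the cheap tell; renamed sections fall back to marker + layout."""
    ind = upx_indicators(data)
    return bool(ind["upx_names"]) or (ind["upx_marker"] and ind["empty_first_section"])


def build_pe(sections, trailer=b""):
    """Header-only PE32 for the demo; sections are
    (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")               # PE32 magic, rest zero
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rawsize, rawptr in sections)
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed images. PACKED mimics a UPX layout sized to the report's 0x400000-0x4B7000 region.
PACKED = build_pe([("UPX0", 0x9F000, 0x1000, 0, 0x400),
                   ("UPX1", 0x16000, 0xA0000, 0x15C00, 0x400),
                   (".rsrc", 0x1000, 0xB6000, 0x800, 0x16000)],
                  trailer=b"\0" * 8 + b"UPX!" + b"\0" * 28)
CLEAN = build_pe([(".text", 0x5000, 0x1000, 0x5000, 0x400),
                  (".rdata", 0x1000, 0x6000, 0x1000, 0x5400),
                  (".data", 0x800, 0x7000, 0x200, 0x6400)])
# Same layout as PACKED with the section names scrubbed, which defeats a name-only check.
RENAMED = build_pe([(".text", 0x9F000, 0x1000, 0, 0x400),
                    (".data", 0x16000, 0xA0000, 0x15C00, 0x400)],
                   trailer=b"\0" * 8 + b"UPX!" + b"\0" * 28)

if __name__ == "__main__":
    for label, img in (("packed", PACKED), ("clean", CLEAN), ("renamed", RENAMED)):
        print(label, looks_upx_packed(img), f"image size 0x{image_size(img):X}", upx_indicators(img))
```

Two caveats when running this over the real dump: the 0x400000 dump starts at the image base, so the MZ header is at offset 0 and pe_sections applies directly, but if the hollowing code had wiped the headers the parser raises and only the marker search is left. And a match in memory does not mean the code is still compressed: UPX decompresses in place into UPX0 at run time while the section names and pack header stay in the mapped headers, which is exactly why a memory dump of a process that has already unpacked still matches the rule.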