Analysis
-
max time kernel: 150s
-
max time network: 154s
-
platform: windows10_x64
-
resource: win10-en-20210920
-
submitted: 24-09-2021 06:12
Static task: static1
Behavioral task: behavioral1
Sample: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
Resource: win7v20210408
General
-
Target: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
-
Size: 520KB
-
MD5: 2fc861e62742e8c9e534979d1aa3db9e
-
SHA1: 195d8fcf006e93b5c46b3a4ce4d3d12d62818201
-
SHA256: 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779
-
SHA512: b299df8b0b18940f66e50ad17a30f779e2bbfd92781d7d9acc5d91522880b9d407a1d7952ebfdd92954df7187683e87b3eb81eb8d8a440d24cf39b0330039f62
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 992 created 1260 | 992 | WerFault.exe | ipconfig.exe
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2564 | winupd.exe
4024 | winupd.exe
3612 | winupd.exe
-
Processes:
resource | yara_rule
behavioral2/memory/3612-133-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3612-139-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 2068 set thread context of 3728 | 2068 | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
PID 2564 set thread context of 4024 | 2564 | winupd.exe | winupd.exe
PID 2564 set thread context of 3612 | 2564 | winupd.exe | winupd.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
992 | 1260 | WerFault.exe | ipconfig.exe
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
1260 | ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
992 | WerFault.exe (this row is repeated 14 times in the report)
-
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
description | pid | process
Token: SeIncreaseQuotaPrivilege | 3612 | winupd.exe
Token: SeSecurityPrivilege | 3612 | winupd.exe
Token: SeTakeOwnershipPrivilege | 3612 | winupd.exe
Token: SeLoadDriverPrivilege | 3612 | winupd.exe
Token: SeSystemProfilePrivilege | 3612 | winupd.exe
Token: SeSystemtimePrivilege | 3612 | winupd.exe
Token: SeProfSingleProcessPrivilege | 3612 | winupd.exe
Token: SeIncBasePriorityPrivilege | 3612 | winupd.exe
Token: SeCreatePagefilePrivilege | 3612 | winupd.exe
Token: SeBackupPrivilege | 3612 | winupd.exe
Token: SeRestorePrivilege | 3612 | winupd.exe
Token: SeShutdownPrivilege | 3612 | winupd.exe
Token: SeDebugPrivilege | 3612 | winupd.exe
Token: SeSystemEnvironmentPrivilege | 3612 | winupd.exe
Token: SeChangeNotifyPrivilege | 3612 | winupd.exe
Token: SeRemoteShutdownPrivilege | 3612 | winupd.exe
Token: SeUndockPrivilege | 3612 | winupd.exe
Token: SeManageVolumePrivilege | 3612 | winupd.exe
Token: SeImpersonatePrivilege | 3612 | winupd.exe
Token: SeCreateGlobalPrivilege | 3612 | winupd.exe
Token: 33 | 3612 | winupd.exe
Token: 34 | 3612 | winupd.exe
Token: 35 | 3612 | winupd.exe
Token: 36 | 3612 | winupd.exe
Token: SeRestorePrivilege | 992 | WerFault.exe
Token: SeBackupPrivilege | 992 | WerFault.exe
Token: SeDebugPrivilege | 992 | WerFault.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes:
pid | process
2068 | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
3728 | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
2564 | winupd.exe
4024 | winupd.exe
3612 | winupd.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | process | target process
PID 2068 wrote to memory of 3728 | 2068 | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe (8 identical entries)
PID 3728 wrote to memory of 2564 | 3728 | 735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe | winupd.exe (3 identical entries)
PID 2564 wrote to memory of 4024 | 2564 | winupd.exe | winupd.exe (8 identical entries)
PID 2564 wrote to memory of 3612 | 2564 | winupd.exe | winupd.exe (8 identical entries)
PID 4024 wrote to memory of 1260 | 4024 | winupd.exe | ipconfig.exe (5 identical entries)
Processes (indentation shows the process tree depth)
-
C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
command line: "C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\735d4dea1378e1735df51023397ba337eb72d3fc9ec806f04d47b182ba4b4779.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  -
    C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
    command line: C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe -notray
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
      C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
        C:\Windows\SysWOW64\ipconfig.exe
        command line: "C:\Windows\system32\ipconfig.exe"
        - Gathers network information
        -
          C:\Windows\SysWOW64\WerFault.exe
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 192
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    -
      C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\winupd.exe
MD5: 9b5cd0481cee83e309fe3e7eeced58c1
SHA1: 1ee3f4d5945a367268591ea02864b75f338ba7f1
SHA256: 84a63a2fe40855eb9c22e0ab2128fcc0e34556305c094430d82f948064aa5052
SHA512: 6416586fbb41a4a6d8bdaa945f2d3df6d02886a9d7ad9b4522ea0995719093cb2e0081c4a6bafa713d252c48337a8b0decf89970079fff002d2965121a182abb
-
memory/1260-138-0x0000000000000000-mapping.dmp
-
memory/2068-127-0x0000000002230000-0x0000000002232000-memory.dmp
Filesize: 8KB
-
memory/2068-126-0x0000000000630000-0x0000000000632000-memory.dmp
Filesize: 8KB
-
memory/2068-128-0x0000000002240000-0x0000000002242000-memory.dmp
Filesize: 8KB
-
memory/2564-121-0x0000000000000000-mapping.dmp
-
memory/3612-135-0x00000000004B5670-mapping.dmp
-
memory/3612-133-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/3612-139-0x0000000000400000-0x00000000004B7000-memory.dmp
Filesize: 732KB
-
memory/3612-140-0x0000000000C10000-0x0000000000C11000-memory.dmp
Filesize: 4KB
-
memory/3728-117-0x0000000000400000-0x0000000000407000-memory.dmp
Filesize: 28KB
-
memory/3728-129-0x0000000000400000-0x0000000000407000-memory.dmp
Filesize: 28KB
-
memory/3728-118-0x000000000040140C-mapping.dmp
-
memory/4024-131-0x000000000040140C-mapping.dmp