Analysis
- Max time kernel: 43s
- Max time network: 55s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 31-05-2022 04:10
- Static task: static1
- Behavioral task: behavioral1
  Sample: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
  Resource: win10v2004-20220414-en
General
- Target: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
- Size: 4.0MB
- MD5: dd5e7b36032fedfaa18bd02059a3bc10
- SHA1: f4bf184ceda9830173b0196b77e13e6df57b25d5
- SHA256: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38
- SHA512: 04e7b8369057a3d49885d92cb166181f53d435c1ec0f2dae77d1d59531f13efda2c37831bb2df200f156a664edd38195cc4025490eb557a963f5da4e2b064685
Malware Config
Signatures
- Drops file in System32 directory (4 IoCs)
  Processes: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
  Description / IoC / Process:
  File created: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe)
  File created: C:\Windows\SysWOW64\GroupPolicy\Machine\Scripts\scripts.ini (06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe)
  File created: C:\Windows\SysWOW64\GroupPolicy\Machine\Scripts\Startup\update.exe (06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe)
  File created: C:\Windows\SysWOW64\update.exe (06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe)
- Drops file in Windows directory (1 IoC)
  Processes: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
  Description / IoC / Process:
  File created: C:\Windows\WBEM\msupdate.mof (06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: mofcomp.exe, whoami.exe
  Description / PID / Process:
  Token: SeSecurityPrivilege, PID 1448, mofcomp.exe
  Token: SeDebugPrivilege, PID 940, whoami.exe
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe, cmd.exe, cmd.exe
  Description / PID / Process / Target process:
  PID 1624 wrote to memory of 956: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 956: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 956: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 956: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 956 wrote to memory of 1448: cmd.exe -> mofcomp.exe
  PID 956 wrote to memory of 1448: cmd.exe -> mofcomp.exe
  PID 956 wrote to memory of 1448: cmd.exe -> mofcomp.exe
  PID 956 wrote to memory of 1448: cmd.exe -> mofcomp.exe
  PID 1624 wrote to memory of 976: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 976: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 976: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 1624 wrote to memory of 976: 06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe -> cmd.exe
  PID 976 wrote to memory of 940: cmd.exe -> whoami.exe
  PID 976 wrote to memory of 940: cmd.exe -> whoami.exe
  PID 976 wrote to memory of 940: cmd.exe -> whoami.exe
  PID 976 wrote to memory of 940: cmd.exe -> whoami.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\06e47a3fb5ee958414663409671d17b084450ebb73b665b5b218beff32c5df38.exe"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c "mofcomp C:\Windows\WBEM\msupdate.mof"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\Wbem\mofcomp.exe
      Command line: mofcomp C:\Windows\WBEM\msupdate.mof
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c whoami
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\whoami.exe
      Command line: whoami
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\WBEM\msupdate.mof
  Filesize: 660B
  MD5: b70ae3f71fade0488b8b0f3779179dcb
  SHA1: bf54be0517821042c9137925e411f5522be7f7f9
  SHA256: 459304c4f49ea4b4bc798bb9cc9b1722fa1ffe47ac887e8d2666fddfcdb6030c
  SHA512: f851d870e0d9d8639ca76e4eac3638f9bd1050186c1708583751eaefcaa6777e5eae8163b5c7fb2eb46944e365bdfc1e0abfbc9ab98858131b126e1488900ad6
- memory/940-58-0x0000000000000000-mapping.dmp
- memory/956-54-0x0000000000000000-mapping.dmp
- memory/976-57-0x0000000000000000-mapping.dmp
- memory/1448-55-0x0000000000000000-mapping.dmp