81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2022, 20:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
Size

586KB
MD5

6bb120841af30f80875246803d304eb0
SHA1

1ece12d52cf863dea42063189496f6b5e7afe0ca
SHA256

81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a
SHA512

1d84169d91d34dfe7345925b3705b79b0d1b22b249128e08ec470b7a50abfd07e4e4adacc32f246a3b2d4e42c52f0fdec20a3dd19eb936249a6f6f8fb84cdbaa
SSDEEP

12288:7zW1+SJyCOnEv9I8VPHLHznPe7N/7XNRYhTbKTcdxuUB+4mfTR9l7ej/O:3WESJUU9I8V/LHzmZDN+J8LTde

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2084	WindowsUpdate.exe

Loads dropped DLL 3 IoCs

pid	Process
2084	WindowsUpdate.exe
2084	WindowsUpdate.exe
2084	WindowsUpdate.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate\.MLVMOD	WindowsUpdate.exe
File created	C:\Windows\WindowsUpdate\malevolence.db	WindowsUpdate.exe
File opened for modification	C:\Windows\WindowsUpdate\malevolence.db	WindowsUpdate.exe
File opened for modification	C:\Windows\WindowsUpdate\malevolence.db-journal	WindowsUpdate.exe
File opened for modification	C:\Windows\WindowsUpdate	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
File created	C:\Windows\WindowsUpdate\WindowsUpdate.exe	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
File opened for modification	C:\Windows\WindowsUpdate\WindowsUpdate.exe	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
File created	C:\Windows\WindowsUpdate\System.Data.SQLite.dll	WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
Token: SeDebugPrivilege	2084	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 2084	4384	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe	85
PID 4384 wrote to memory of 2084	4384	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe	85
PID 4384 wrote to memory of 2084	4384	81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe	85

C:\Users\Admin\AppData\Local\Temp\81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe
"C:\Users\Admin\AppData\Local\Temp\81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Windows\WindowsUpdate\WindowsUpdate.exe
  "C:\Windows\WindowsUpdate\WindowsUpdate.exe" launchPayload
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\WindowsUpdate\System.Data.SQLite.dll

Filesize
1.0MB

MD5
5d8c745bffc141ff35f8caad8ef73a92

SHA1
c0e93b53c4a259a7563dc790ed47e35ac8e8559c

SHA256
8e91824eddad541c1dbd0ef0b3771e297bc542a63d02f54fd17f810c49d5939e

SHA512
5bd6fe1b227d11b1ed4b4f08eefe5624b866bfa148436418e64c48546c91d45c12fcd4edb54d7ce63694f72a065cc74ec61630ee53fb929491a9c5497c8034b4

Download Submit
C:\Windows\WindowsUpdate\System.Data.SQLite.dll

Filesize
1.0MB

MD5
5d8c745bffc141ff35f8caad8ef73a92

SHA1
c0e93b53c4a259a7563dc790ed47e35ac8e8559c

SHA256
8e91824eddad541c1dbd0ef0b3771e297bc542a63d02f54fd17f810c49d5939e

SHA512
5bd6fe1b227d11b1ed4b4f08eefe5624b866bfa148436418e64c48546c91d45c12fcd4edb54d7ce63694f72a065cc74ec61630ee53fb929491a9c5497c8034b4

Download Submit
C:\Windows\WindowsUpdate\System.Data.SQLite.dll

Filesize
1.0MB

MD5
5d8c745bffc141ff35f8caad8ef73a92

SHA1
c0e93b53c4a259a7563dc790ed47e35ac8e8559c

SHA256
8e91824eddad541c1dbd0ef0b3771e297bc542a63d02f54fd17f810c49d5939e

SHA512
5bd6fe1b227d11b1ed4b4f08eefe5624b866bfa148436418e64c48546c91d45c12fcd4edb54d7ce63694f72a065cc74ec61630ee53fb929491a9c5497c8034b4

Download Submit
C:\Windows\WindowsUpdate\WindowsUpdate.exe

Filesize
586KB

MD5
6bb120841af30f80875246803d304eb0

SHA1
1ece12d52cf863dea42063189496f6b5e7afe0ca

SHA256
81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a

SHA512
1d84169d91d34dfe7345925b3705b79b0d1b22b249128e08ec470b7a50abfd07e4e4adacc32f246a3b2d4e42c52f0fdec20a3dd19eb936249a6f6f8fb84cdbaa

Download Submit
C:\Windows\WindowsUpdate\WindowsUpdate.exe

Filesize
586KB

MD5
6bb120841af30f80875246803d304eb0

SHA1
1ece12d52cf863dea42063189496f6b5e7afe0ca

SHA256
81db46218234e0e2f2775a3bf6a3a7d84f08fe1a7ec850416081661a99b4bd4a

SHA512
1d84169d91d34dfe7345925b3705b79b0d1b22b249128e08ec470b7a50abfd07e4e4adacc32f246a3b2d4e42c52f0fdec20a3dd19eb936249a6f6f8fb84cdbaa

Download Submit
memory/2084-139-0x000000000BD00000-0x000000000BD3C000-memory.dmp

Filesize
240KB

Download
memory/2084-140-0x000000000C450000-0x000000000C4B6000-memory.dmp

Filesize
408KB

Download
memory/4384-132-0x0000000000560000-0x00000000005FC000-memory.dmp

Filesize
624KB

Download