Analysis
- max time kernel: 152s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 19/10/2022, 13:29
Behavioral task: behavioral1
- Sample: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
- Resource: win10v2004-20220901-en
General
- Target: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
- Size: 666KB
- MD5: 90beb0c7bfc299c7461ac760e7e3c603
- SHA1: 6a3e7386a9463dcdb6b0ac5d72d0cd25dc1bd610
- SHA256: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652
- SHA512: 7594acb8c06a93648bc3f6c4655240e2e4acf6ca911d9718cbddfa347bb07a14888c53efc1f81316fb588787ccf2ee85a0a797b7ddc53aca2d0fc1ee07f91671
- SSDEEP: 12288:hpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/6R:jwAcu99lPzvxP+Bsz2XjWTRMQckkIXn4
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe

Modifies firewall policy service (2 TTPs, 3 IoCs)
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winupdate.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winupdate.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | winupdate.exe

Disables RegEdit via registry modification (1 IoC)
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winupdate.exe

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoC)
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe

Executes dropped EXE (1 IoC)
  pid | process
  1664 | winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe

Loads dropped DLL (4 IoCs)
  pid | process
  604 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  1664 | winupdate.exe
  1664 | winupdate.exe
  1664 | winupdate.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | winupdate.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe

Runs ping.exe (1 TTP, 1 IoC)
  pid | process
  1540 | ping.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | process
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 604 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 1664 | winupdate.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1664 | winupdate.exe

Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | process | procid_target
  PID 604 wrote to memory of 112 (4 times) | 604 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe | 26
  PID 604 wrote to memory of 1664 (7 times) | 604 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe | 27
  PID 604 wrote to memory of 1540 (4 times) | 604 | 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe | 28
  PID 1664 wrote to memory of 584 (7 times) | 1664 | winupdate.exe | 30
Processes
- C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe (PID 604)
  Command line: "C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\explorer.exe (PID 112)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
  - C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe (PID 1664)
    Command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
    - Modifies firewall policy service
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\explorer.exe (PID 584)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
  - C:\Windows\SysWOW64\ping.exe (PID 1540)
    Command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe"
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 666KB
  MD5: 90beb0c7bfc299c7461ac760e7e3c603
  SHA1: 6a3e7386a9463dcdb6b0ac5d72d0cd25dc1bd610
  SHA256: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652
  SHA512: 7594acb8c06a93648bc3f6c4655240e2e4acf6ca911d9718cbddfa347bb07a14888c53efc1f81316fb588787ccf2ee85a0a797b7ddc53aca2d0fc1ee07f91671