Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 13:29
Behavioral task: behavioral1
  Sample: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2 (the run this report describes; see the resource under Analysis)
  Sample: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
  Resource: win10v2004-20220901-en
General
Target: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
Size: 666KB
MD5: 90beb0c7bfc299c7461ac760e7e3c603
SHA1: 6a3e7386a9463dcdb6b0ac5d72d0cd25dc1bd610
SHA256: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652
SHA512: 7594acb8c06a93648bc3f6c4655240e2e4acf6ca911d9718cbddfa347bb07a14888c53efc1f81316fb588787ccf2ee85a0a797b7ddc53aca2d0fc1ee07f91671
SSDEEP: 12288:hpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/6R:jwAcu99lPzvxP+Bsz2XjWTRMQckkIXn4
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Note: the stock UserInit data is "C:\Windows\system32\userinit.exe," and Winlogon runs every comma-separated entry in the logging-on user's context at each interactive logon, so the appended winupdate.exe starts with every user who logs on. This is an HKLM value, so the write needed an elevated token (the privilege list further down shows the sample had one). Cleanup is restoring the default data, not just deleting the dropped file, or Winlogon will keep trying to launch the missing path.
Modifies firewall policy service (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  [winupdate.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"  [winupdate.exe]
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  [winupdate.exe]
  Note: the firewall is left switched on (EnableFirewall = 1); what changes is DisableNotifications = 1, which suppresses the "Windows Firewall has blocked some features of this app" prompt for the StandardProfile, so a listener opened by winupdate.exe would not be surfaced to the user. A "firewall enabled" status therefore says nothing here; check the NotifyOnListen setting (Get-NetFirewallProfile) or this value directly.
Disables RegEdit via registry modification (1 IoC)
  Set value (int)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  [winupdate.exe]
  Note: per-user policy under the victim's SID; regedit.exe refuses to start for that account until the value is removed or set to 0. reg.exe and the PowerShell registry provider are not affected by it, so it hinders manual cleanup but not scripted cleanup.
Disables Task Manager via registry modification
  (The report records no IoC row for this signature; the usual artefact is DisableTaskMgr = 1 under the same Policies\System key as DisableRegistryTools above, but the write itself is not shown here.)
Drops file in Drivers directory (1 IoC)
  File opened for modification  C:\Windows\system32\drivers\etc\hosts  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Note: the signature name is generic; the file actually touched is the hosts file, the usual place to sinkhole security-vendor or update domains. The report records only that the file was opened for writing, not what was written, so diff it against a clean copy when triaging an infected host.
Executes dropped EXE (1 IoC)
  PID 2376  winupdate.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  [winupdate.exe]
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Note: this is the logged-on user's Region setting, not anything derived from the network, so when re-running the sample a geofence based on it is defeated simply by setting the region it expects.
Adds Run key to start application (2 TTPs, 3 IoCs)
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Key created      \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run  [winupdate.exe]
  Note: a second, per-user persistence point (HKCU Run value "winupdater") next to the HKLM Winlogon UserInit entry above. It needs no elevation, so it would survive even where the UserInit write was blocked; both have to be removed.
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but the heuristic fires on any drive enumeration and nothing else in this report (no mass file writes, no ransom note) supports a ransomware classification.
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Both 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe and winupdate.exe performed the same four operations:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier
Enumerates system info in registry (2 TTPs, 2 IoCs)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [winupdate.exe]
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
Modifies registry class (1 IoC)
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe]
  Note: the WOW6432Node redirection, together with the SysWOW64 child processes in the tree below, shows the sample is a 32-bit binary running on the x64 image.
Runs ping.exe (1 TTPs, 1 IoC)
  PID 4072  ping.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 3368 (617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe) and PID 2376 (winupdate.exe) each enabled the same 24 privileges:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the unnamed LUIDs 33, 34, 35, 36 (these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  Note: that is the complete privilege set of an unfiltered administrator token, enabled wholesale rather than on demand. A process can only enable privileges its token already holds, so the presence of SeLoadDriverPrivilege and SeDebugPrivilege confirms the sample ran elevated (no UAC-limited token); SeDebugPrivilege being enabled is the entry worth alerting on, since ordinary software rarely needs it.
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2376  winupdate.exe
  Note: the report does not record the hook type; keyboard hooks (keylogging) are the common reason a persistence binary installs one, but that is not established by this row alone.
Suspicious use of WriteProcessMemory (12 IoCs)
  writer PID  target PID  target image                                           writes  procid_target
  3368        1552        C:\Windows\SysWOW64\explorer.exe                        3       85
  3368        2376        C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe   3       86
  3368        4072        C:\Windows\SysWOW64\ping.exe                            3       87
  2376        2968        C:\Windows\SysWOW64\explorer.exe                        3       89
  Note: every target is a child the writer had just created (see the process tree below). Writes into a freshly started SysWOW64\explorer.exe are the shape of create-then-write injection (hollowing or similar), but the report captures only the writes, not the buffer contents or a remote thread start, so treat the two explorer.exe instances as the likely hosts of the real payload rather than as confirmed.
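The registry rows above are flattened sandbox text. The following Python script is an added example, not part of the sandbox report or its tooling: it parses rows in that layout and applies the checks a responder would apply to them, namely a UserInit value carrying anything beyond the stock userinit.exe, a Run entry pointing into a user-writable directory, the DisableRegistryTools / DisableTaskMgr and firewall DisableNotifications policy values, and hardware or locale queries that fingerprint the environment. The sample rows are copied from this report; the row layout (action, optional value type, key path, optional = "data", process name last), the DEFAULT_USERINIT constant and the USER_WRITABLE prefix list are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry rows copied from the Signatures section of this report (constructed sample input).
REPORT_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" winupdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winupdate.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winupdate.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe" 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winupdate.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe',
]

# Stock Winlogon value; any further comma-separated entry is launched at each interactive logon.
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe"
# Path prefixes a persistence entry should never point into (assumed list; extend per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Row layout assumed from this report: action [(type)] <key path> [= "<data>"] <process>
# The process name is split off first because key paths may contain spaces ("Windows NT").
_ROW = re.compile(
    r"^(?P<action>Key created|Key opened|Key value queried|Set value \((?P<vtype>\w+)\))"
    r"\s+(?P<path>.+?)(?:\s=\s\"(?P<value>.*)\")?$"
)


@dataclass
class RegEvent:
    action: str
    vtype: Optional[str]
    path: str
    value: Optional[str]
    process: str


@dataclass
class Finding:
    kind: str
    path: str
    process: str
    detail: str = ""


def parse_line(line: str) -> RegEvent:
    """Split one report row into action / value type / key path / data / process."""
    body, process = line.rstrip().rsplit(None, 1)
    m = _ROW.match(body)
    if not m:
        raise ValueError(f"unrecognised IoC row: {line!r}")
    value = m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")  # the report escapes backslashes in REG_SZ data
    return RegEvent(m.group("action"), m.group("vtype"), m.group("path"), value, process)


def parse_report(lines: List[str]) -> List[RegEvent]:
    return [parse_line(l) for l in lines if l.strip()]


def assess(events: List[RegEvent]) -> List[Finding]:
    """Apply persistence / defence-evasion / fingerprinting checks to parsed rows."""
    findings: List[Finding] = []
    for e in events:
        p = e.path.lower()
        v = e.value or ""
        if p.endswith("\\winlogon\\userinit") and e.value is not None:
            # Anything besides the stock userinit.exe is an extra program Winlogon will start.
            extra = [x.strip() for x in v.split(",")
                     if x.strip() and x.strip().lower() != DEFAULT_USERINIT.lower()]
            if extra:
                findings.append(Finding("winlogon_userinit_hijack", e.path, e.process, ";".join(extra)))
        elif "\\currentversion\\run\\" in p and e.value is not None:
            if any(s in v.lower() for s in USER_WRITABLE):
                findings.append(Finding("run_key_user_writable_path", e.path, e.process, v))
        elif p.endswith("\\policies\\system\\disableregistrytools") and v == "1":
            findings.append(Finding("regedit_disabled", e.path, e.process))
        elif p.endswith("\\policies\\system\\disabletaskmgr") and v == "1":
            findings.append(Finding("taskmgr_disabled", e.path, e.process))
        elif "\\firewallpolicy\\" in p and p.endswith("\\disablenotifications") and v == "1":
            findings.append(Finding("firewall_notifications_suppressed", e.path, e.process))
        elif e.action == "Key value queried" and (
                "\\hardware\\description\\system" in p or p.endswith("\\geo\\nation")):
            findings.append(Finding("environment_fingerprint", e.path, e.process))
    return findings


if __name__ == "__main__":
    for f in assess(parse_report(REPORT_LINES)):
        print(f"{f.kind:36} {f.process:16} {f.path}  {f.detail}")
```

The UserInit check is the one that matters most for cleanup: it reports the extra entries rather than just "modified", so the same output tells you what to strip from the value on a live host. Rows for keys merely created or opened are parsed but produce no finding, which keeps the noise from the sandbox's own key-creation rows out of the result.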
Processes
PID 3368  C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe"
          - Modifies WinLogon for persistence
          - Drops file in Drivers directory
          - Checks BIOS information in registry
          - Checks computer location settings
          - Adds Run key to start application
          - Checks processor information in registry
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
  PID 1552  C:\Windows\SysWOW64\explorer.exe  (child of 3368)
            command line: "C:\Windows\SysWOW64\explorer.exe"
  PID 2376  C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe  (child of 3368)
            command line: "C:\Users\Admin\AppData\Roaming\Windupdt\winupdate.exe"
            - Modifies firewall policy service
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Adds Run key to start application
            - Checks processor information in registry
            - Enumerates system info in registry
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
    PID 2968  C:\Windows\SysWOW64\explorer.exe  (child of 2376)
              command line: "C:\Windows\SysWOW64\explorer.exe"
  PID 4072  C:\Windows\SysWOW64\ping.exe  (child of 3368)
            command line: ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe"
            - Runs ping.exe

Reading the tree: the dropper (3368) starts a 32-bit explorer.exe and writes into it, then starts its AppData copy winupdate.exe (2376), which repeats the same explorer.exe spawn-and-write, so the two explorer.exe instances are where the payload most likely lives. The ping line is the usual self-deletion idiom (wait for five loopback pings, then delete the original file). Note that no cmd.exe appears in the tree: ping.exe itself received the "> NUL del ..." text as arguments, and ping.exe does not interpret redirection or del, so the report does not establish that the original file was actually removed; check for it on the host before assuming it is gone.
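The process tree above, as an added example that is not part of the sandbox report: a Python script that rebuilds the tree from (pid, ppid, image, command line) tuples copied from the Processes section and flags what a responder would pull out of it, namely a shell binary (explorer.exe) spawned by a process living under a user-writable path, a dropped executable run from AppData, and the ping-then-del self-deletion idiom, cross-checking the del target against the parent's image. The WriteProcessMemory pairs are taken from the signature above so that writes into Windows binaries can be tied back to the tree. The parent PID 0 for the sample (the launcher is not shown in the report), the USER_WRITABLE prefix list and the SHELL_IMAGES set are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE = "617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# (pid, parent pid, image path, command line) as listed in the Processes section of this report.
# Parent 0 stands in for the sandbox launcher, which the report does not show (assumption).
PROCESSES = [
    (3368, 0, TEMP + SAMPLE, '"' + TEMP + SAMPLE + '"'),
    (1552, 3368, "C:\\Windows\\SysWOW64\\explorer.exe", '"C:\\Windows\\SysWOW64\\explorer.exe"'),
    (2376, 3368, "C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe",
     '"C:\\Users\\Admin\\AppData\\Roaming\\Windupdt\\winupdate.exe"'),
    (2968, 2376, "C:\\Windows\\SysWOW64\\explorer.exe", '"C:\\Windows\\SysWOW64\\explorer.exe"'),
    (4072, 3368, "C:\\Windows\\SysWOW64\\ping.exe",
     'ping 127.0.0.1 -n 5 > NUL del "' + TEMP + SAMPLE + '"'),
]
# (writer pid, target pid) from the WriteProcessMemory signature, one entry per distinct pair.
MEMORY_WRITES = [(3368, 1552), (3368, 2376), (3368, 4072), (2376, 2968)]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")   # assumed list
SHELL_IMAGES = {"explorer.exe"}   # normally started by userinit.exe, never by a dropped binary
# "ping 127.0.0.1 -n N ... del <path>": delay via loopback pings, then delete a file.
_SELF_DELETE = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+(?P<delay>\d+).*?\bdel\s+"?(?P<target>[^"]+?)"?\s*$', re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    kind: str
    pid: int
    detail: str


def build_tree(rows) -> Dict[int, Proc]:
    """Index processes by pid and link each one to its parent when the parent is known."""
    procs = {pid: Proc(pid, ppid, img, cmd) for pid, ppid, img, cmd in rows}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def render_tree(procs: Dict[int, Proc]) -> str:
    """Indented tree, one line per process, roots first."""
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append("  " * depth + f"{p.image}  (PID {p.pid})")
        for c in p.children:
            walk(c, depth + 1)

    for p in procs.values():
        if p.ppid not in procs:
            walk(p, 0)
    return "\n".join(lines)


def in_user_writable(path: str) -> bool:
    low = path.lower()
    return any(s in low for s in USER_WRITABLE)


def analyse(procs: Dict[int, Proc], writes) -> List[Finding]:
    out: List[Finding] = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None:
            continue
        if p.name in SHELL_IMAGES and in_user_writable(parent.image):
            out.append(Finding("shell_spawned_by_untrusted_parent", p.pid,
                               f"{p.name} started by PID {parent.pid} ({parent.image}); injection host candidate"))
        elif in_user_writable(p.image) and p.image.lower() != parent.image.lower():
            out.append(Finding("dropped_exe_executed", p.pid, f"{p.image} started by PID {parent.pid}"))
        m = _SELF_DELETE.search(p.cmdline)
        if m:
            target = m.group("target")
            who = f"parent PID {parent.pid}" if target.lower() == parent.image.lower() else "another file"
            # Without cmd.exe in front, ping.exe gets '>' and 'del' as plain arguments.
            note = "" if p.name == "cmd.exe" else f"; runs as {p.name} without cmd.exe, so the redirection and del are not interpreted"
            out.append(Finding("self_delete_idiom", p.pid, f"deletes {who} after {m.group('delay')} pings{note}"))
    for writer, target in writes:
        t = procs.get(target)
        if t is not None and t.image.lower().startswith("c:\\windows\\"):
            out.append(Finding("memory_write_into_system_binary", writer,
                               f"PID {writer} wrote into PID {target} ({t.image})"))
    return out


if __name__ == "__main__":
    tree = build_tree(PROCESSES)
    print(render_tree(tree))
    for f in analyse(tree, MEMORY_WRITES):
        print(f"{f.kind:36} PID {f.pid:<5} {f.detail}")
```

The self-delete check deliberately compares the del target with the parent's image rather than just matching the ping/del pattern, so a batch file that pings and deletes some unrelated temp file is reported differently from a dropper removing itself. The same tuples can be fed from Sysmon event 1 records (ProcessId, ParentProcessId, Image, CommandLine) on a live host.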
Network
MITRE ATT&CK Enterprise v6
Downloads
Two download entries are listed and they carry identical hashes (the report does not name the files; if the second entry is the dropped winupdate.exe, it is a byte-for-byte copy of the sample, which is consistent with the identical behaviour of the two processes above):
Filesize: 666KB
MD5: 90beb0c7bfc299c7461ac760e7e3c603
SHA1: 6a3e7386a9463dcdb6b0ac5d72d0cd25dc1bd610
SHA256: 617f3805bc495e2bf705d44cdbb6d8a6fd79bf5e3b552e0f6fb6143bf7bb8652
SHA512: 7594acb8c06a93648bc3f6c4655240e2e4acf6ca911d9718cbddfa347bb07a14888c53efc1f81316fb588787ccf2ee85a0a797b7ddc53aca2d0fc1ee07f91671