Analysis

max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/10/2022, 14:20
Static task: static1

Behavioral task: behavioral1
  Sample: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Resource: win7-20220901-en

Behavioral task: behavioral2
  Sample: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Resource: win10v2004-20220901-en
General

Target: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Size: 1.0MB
MD5: 90be4a2dc439e31bc2d16fd67ccdba15
SHA1: 77f63baa6a331828f2a056d71b1f8719e91e0e15
SHA256: a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1
SHA512: 5bd6c6431402552f5fe854379feb9168777a3b48c352747d5e3b30acf0d7998be597295158d9845e43b730ee612e4ddc4e6d99b0cdfa5eb122e28992ea2b296c
SSDEEP: 24576:dZ8kT+HGGZYVi5svzlWs18WCf0EAAPb8YljYcHHMf8/:T8s+g4W71KAyIsYosf8
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\Minidump\\winupdate.exe" | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | explorer.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\Minidump\\winupdate.exe" | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\Minidump\\winupdate.exe" | notepad.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2548 set thread context of 3800 | 2548 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 84
PID 3800 set thread context of 3988 | 3800 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 86
PID 3988 set thread context of 224 | 3988 | explorer.exe | 87
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Minidump\winupdate.exe | notepad.exe
File created | C:\Windows\Minidump\winupdate.exe | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
File opened for modification | C:\Windows\Minidump\winupdate.exe | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
File opened for modification | C:\Windows\Minidump\ | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | explorer.exe
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | explorer.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per token) | 3800 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries, one per token) | 224 | explorer.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2548 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
3988 | explorer.exe
Suspicious use of WriteProcessMemory (56 IoCs)
The 56 entries are repeated writes between four writer/target pairs; each distinct pair is listed once.
description | pid | Process | procid_target
PID 2548 wrote to memory of 3800 (multiple identical entries) | 2548 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 84
PID 3800 wrote to memory of 2844 (multiple identical entries) | 3800 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 85
PID 3800 wrote to memory of 3988 (multiple identical entries) | 3800 | a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe | 86
PID 3988 wrote to memory of 224 (multiple identical entries) | 3988 | explorer.exe | 87
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe"
  PID: 2548
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\a6d76883d5738a91a8e9c9d6761bc378abccebc864eaf0ec986905add29b8aa1.exe
    PID: 3800
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 2844
      - Adds Run key to start application
      - Drops file in Windows directory

    Level 3: C:\Windows\SysWOW64\explorer.exe
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      PID: 3988
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Windows\SysWOW64\explorer.exe
        Command line: C:\Windows\SysWOW64\explorer.exe
        PID: 224
        - Checks BIOS information in registry
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken