Analysis
-
max time kernel
151s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted
29/10/2022, 08:33
Static task
static1
Behavioral task
behavioral1
Sample
3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
Resource
win10v2004-20220901-en
General
-
Target
3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
-
Size
904KB
-
MD5
4795b8ece18861e875923d3f3b797f6b
-
SHA1
03a40021d1c9f72ca38519cf6cb3001b49a8fef8
-
SHA256
3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0
-
SHA512
d9369c8cf723158dd2aec959192f27a970e3f377db90fbc11441dd9f4caee251388ea71bb80be1e5c01ac82078dbdd11191916fb342e768b463ba8786ce8f1c7
-
SSDEEP
12288:d0mO7YrTeojkWYsZwQftO9ZxQQV2BbxkHO8ONFmByxYPAGEE23JB0EBHxn8uEJBV:dLtrTtzVZnfkZsRcAE2zdHxRmiE6Eh
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Winlogon\Userinit is a comma-separated list of programs that winlogon.exe starts at every interactive logon. The sample keeps the legitimate userinit.exe as the first entry and appends its dropped copy, so logon still behaves normally while C:\Windupdt\winupdate.exe is started for every user who logs on. The value lives under HKEY_LOCAL_MACHINE, so the write needs administrative rights; the sandbox account here is Admin (see the process tree paths).
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
Executes dropped EXE 3 IoCs
pid | Process
4988 | winupdate.exe
3744 | winupdate.exe
1304 | winupdate.exe
Three launches of the same dropped file, C:\Windupdt\winupdate.exe, nested as 4988 > 3744 > 1304 in the process tree: the dropped copy repeats the same two self-injection stages the original sample ran as 4844 > 4860 > 4632.
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
Geo\Nation holds the user's configured country (GeoID). The report records only the read; it does not show whether execution branched on the value.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
This Run value sits in the user's own hive (SID ...-1000), so it needs no elevation and fires at that user's logon. Together with the Userinit change it gives two independent logon-time paths to the same file, C:\Windupdt\winupdate.exe; clean-up has to remove both values and the file.
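The two persistence values above can be checked mechanically rather than by eye. The following Python is an added example, not part of the Triage report or of the sample: it splits a Winlogon Userinit string (comma-separated; Windows itself writes a trailing comma), normalises the doubled backslashes the report uses and the %SystemRoot%/%windir% forms, and reports every entry that is not the legitimate userinit.exe; it also reviews Run values whose program is not under the Windows or Program Files directories. The observed values are copied from this report; the expected userinit.exe path, the variable-expansion map and the list of standard directories are assumptions for the demonstration.

```python
# Added example (not part of the Triage report): flag what does not belong in the two
# logon-persistence values this sample set.

# Assumption: clean Windows installs run userinit.exe from %SystemRoot%\system32.
EXPECTED_USERINIT = r"C:\Windows\system32\userinit.exe"

# Observed values copied from this report's IoCs (backslashes doubled as the report escapes them).
USERINIT_OBSERVED = r"C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
RUN_OBSERVED = {"winupdater": r"C:\\Windupdt\\winupdate.exe"}

# Directories an auto-start command is expected to live under (assumption for the demo).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Fixed expansion map so the check behaves identically on any host (assumption: SystemRoot is C:\Windows).
ENV_VARS = {"%systemroot%": "C:\\Windows", "%windir%": "C:\\Windows"}


def normalize_path(p: str) -> str:
    """Undo the report's doubled backslashes, drop quotes, expand %SystemRoot%/%windir%, lower-case."""
    p = p.replace("\\\\", "\\").strip().strip('"')
    for var, val in ENV_VARS.items():
        idx = p.lower().find(var)
        while idx != -1:
            p = p[:idx] + val + p[idx + len(var):]
            idx = p.lower().find(var)
    return p.lower()


def split_userinit(value: str) -> list:
    """Userinit is a comma-separated list; the trailing comma Windows writes yields an empty entry, dropped here."""
    return [e for e in (x.strip() for x in value.split(",")) if e]


def userinit_hijack_entries(value: str) -> list:
    """Every Userinit entry that is not the legitimate userinit.exe, in normalised form."""
    expected = normalize_path(EXPECTED_USERINIT)
    return [normalize_path(e) for e in split_userinit(value) if normalize_path(e) != expected]


def command_executable(cmd: str) -> str:
    """First token of a Run-key command: the quoted path if quoted, otherwise up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def run_entries_outside_standard_dirs(values: dict) -> list:
    """(value name, normalised executable) for Run values whose program is outside STANDARD_DIRS."""
    findings = []
    for name, cmd in values.items():
        exe = normalize_path(command_executable(cmd))
        if not exe.startswith(STANDARD_DIRS):
            findings.append((name, exe))
    return findings


if __name__ == "__main__":
    print("Userinit extras :", userinit_hijack_entries(USERINIT_OBSERVED))
    print("Run-key review  :", run_entries_outside_standard_dirs(RUN_OBSERVED))
```

Run against the report's values it returns c:\windupdt\winupdate.exe from both checks. The comparison is done on the normalised path rather than on the raw string because a hijacked Userinit can hide behind case changes, quoting or %SystemRoot%, all of which Windows accepts.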
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
File opened for modification | \??\PhysicalDrive0 | winupdate.exe
\??\PhysicalDrive0 is the raw first disk, not a file; opening it with write access is what triggers this signature. The process tree attributes the opens to PID 4860 (the sample's second stage) and PID 3744 (the dropped copy's second stage). The report shows the open but not the bytes written, so whether sector 0 was actually changed cannot be confirmed from this page.
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 4844 set thread context of 4860 | 4844 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe | 87
PID 4860 set thread context of 4632 | 4860 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe | 88
PID 4988 set thread context of 3744 | 4988 | winupdate.exe | 93
PID 3744 set thread context of 1304 | 3744 | winupdate.exe | 94
Each row is a parent changing a thread context in a child that is a fresh instance of its own image (see the process tree). Paired with the WriteProcessMemory rows for the same parent/child pairs this is the RunPE / process-hollowing pattern: the sample performs it twice in a row, and the dropped winupdate.exe repeats the same two stages. procid_target is the sandbox's own process record number, not a Windows PID.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature. In this run the only storage interaction the report shows is the write-access open of \??\PhysicalDrive0 listed under the MBR signature above; no file encryption or ransom note is reported, so the "likely ransomware" wording is the heuristic's default text rather than a finding of this analysis.
Suspicious use of AdjustPrivilegeToken 48 IoCs
The same 24 privileges are adjusted first by PID 4632 (3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe) and then by PID 1304 (winupdate.exe), 48 rows in total:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
pid | Process
4632 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe (24 rows, one per privilege above)
1304 | winupdate.exe (24 rows, one per privilege above)
This list is the complete privilege set of an elevated administrator token: the process adjusts every privilege it holds rather than the one or two it needs, the usual "enable all privileges" loop. The four numeric entries are privilege LUIDs the sandbox did not resolve to names; in winnt.h values 33 to 36 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege.
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
4844 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
4860 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
4988 | winupdate.exe
3744 | winupdate.exe
1304 | winupdate.exe
Suspicious use of WriteProcessMemory 52 IoCs
Identical rows are collapsed; the last column is how many times the row appears in the report.
description | pid | Process | procid_target | rows
PID 4844 wrote to memory of 4860 | 4844 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe | 87 | 8
PID 4860 wrote to memory of 4632 | 4860 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe | 88 | 14
PID 4632 wrote to memory of 4988 | 4632 | 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe | 90 | 3
PID 4988 wrote to memory of 3744 | 4988 | winupdate.exe | 93 | 8
PID 3744 wrote to memory of 1304 | 3744 | winupdate.exe | 94 | 14
PID 1304 wrote to memory of 5032 | 1304 | winupdate.exe | 95 | 3
PID 1304 wrote to memory of 4712 | 1304 | winupdate.exe | 96 | 2
Four of these pairs (4844 > 4860, 4860 > 4632, 4988 > 3744, 3744 > 1304) also appear under SetThreadContext: the parent writes into the child and then redirects one of its threads, the process-hollowing (RunPE) pattern. The remaining pairs are the launch of the dropped winupdate.exe (4632 > 4988) and of iexplore.exe and explorer.exe (1304 > 5032 and 1304 > 4712); they carry no SetThreadContext row.
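The pairing of WriteProcessMemory and SetThreadContext on the same parent/child is what matters in these rows, and the repetition hides it. The Python below is an added example, not part of the Triage report: it rebuilds the rows in the report's own "PID <src> <event> <dst> <src> <image> <n>" shape from the per-pair counts on this page (constructed input), parses them, and returns the injection chain and the pairs where a parent both wrote into a child and reset a thread in it. The PIDs, images and counts are those of this report; the regular expression and the hollowing heuristic are the example's own.

```python
# Added example (not part of the Triage report): reconstruct the injection chain from the
# WriteProcessMemory / SetThreadContext IoC rows and flag process-hollowing candidates.
import re
from collections import Counter, defaultdict

SAMPLE = "3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe"

# Distinct rows from this report and how often each is printed (the report repeats identical rows).
ROW_COUNTS = [
    # event,                   src,  dst,  image of src,   procid_target, repeats
    ("set thread context of", 4844, 4860, SAMPLE,          87, 1),
    ("set thread context of", 4860, 4632, SAMPLE,          88, 1),
    ("set thread context of", 4988, 3744, "winupdate.exe", 93, 1),
    ("set thread context of", 3744, 1304, "winupdate.exe", 94, 1),
    ("wrote to memory of",    4844, 4860, SAMPLE,          87, 8),
    ("wrote to memory of",    4860, 4632, SAMPLE,          88, 14),
    ("wrote to memory of",    4632, 4988, SAMPLE,          90, 3),
    ("wrote to memory of",    4988, 3744, "winupdate.exe", 93, 8),
    ("wrote to memory of",    3744, 1304, "winupdate.exe", 94, 14),
    ("wrote to memory of",    1304, 5032, "winupdate.exe", 95, 3),
    ("wrote to memory of",    1304, 4712, "winupdate.exe", 96, 2),
]

# One row per line in the report's shape: "PID <src> <event> <dst> <src> <image> <procid_target>"
ROW_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\d+)")


def report_rows() -> str:
    """Re-expand ROW_COUNTS into row text as the report prints it (constructed input)."""
    lines = []
    for event, src, dst, image, target, repeats in ROW_COUNTS:
        lines.extend([f"PID {src} {event} {dst} {src} {image} {target}"] * repeats)
    return "\n".join(lines)


def parse_rows(text: str):
    """Return (write count per (src, dst), set of (src, dst) with SetThreadContext, image name per src)."""
    writes, ctx, image = Counter(), set(), {}
    for m in ROW_RE.finditer(text):
        src, event, dst, img, _target = m.groups()
        src, dst = int(src), int(dst)
        image[src] = img
        if event.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx.add((src, dst))
    return writes, ctx, image


def hollowing_candidates(writes: Counter, ctx: set) -> list:
    """Pairs where the parent both wrote into the child and changed a thread context in it
    (RunPE / process hollowing). A write without SetThreadContext is not flagged."""
    return sorted(pair for pair in ctx if writes.get(pair, 0) > 0)


def roots(writes: Counter) -> list:
    """Processes that wrote into others but were never written into: the chain's starting point(s)."""
    sources = {s for s, _ in writes}
    targets = {d for _, d in writes}
    return sorted(sources - targets)


def injection_chain(writes: Counter, root: int) -> list:
    """Breadth-first walk over src->dst write edges from root; siblings ordered by PID."""
    children = defaultdict(list)
    for src, dst in writes:
        children[src].append(dst)
    chain, frontier = [root], [root]
    while frontier:
        nxt = []
        for pid in frontier:
            for child in sorted(children[pid]):
                chain.append(child)
                nxt.append(child)
        frontier = nxt
    return chain


def describe(text: str) -> list:
    """One readable line per parent/child pair with the hollowing_candidates() verdict."""
    writes, ctx, image = parse_rows(text)
    flagged = set(hollowing_candidates(writes, ctx))
    return [
        f"{image[src]} {src} -> {dst}: {writes[(src, dst)]} writes, "
        + ("write + SetThreadContext (hollowing pattern)" if (src, dst) in flagged else "write only")
        for src, dst in sorted(writes)
    ]


if __name__ == "__main__":
    text = report_rows()
    w, _, _ = parse_rows(text)
    print("\n".join(describe(text)))
    print("roots:", roots(w), "chain:", injection_chain(w, roots(w)[0]))
```

On this report the chain resolves to 4844 > 4860 > 4632 > 4988 > 3744 > 1304 > {4712, 5032}, with four flagged pairs; the launches of winupdate.exe, explorer.exe and iexplore.exe stay "write only". The same parser works unchanged on rows copied from another Triage report, as long as the image name contains no spaces.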
Processes
(depth-indented: image path, command line as logged, PID, then the signatures that fired for that process)

1  C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
   "C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe"
   PID:4844
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2  C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
     "C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe"
     PID:4860
     - Writes to the Master Boot Record (MBR)
     - Suspicious use of SetThreadContext
     - Suspicious use of SetWindowsHookEx
     - Suspicious use of WriteProcessMemory
    3  C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe
       "C:\Users\Admin\AppData\Local\Temp\3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0.exe"
       PID:4632
       - Modifies WinLogon for persistence
       - Checks computer location settings
       - Adds Run key to start application
       - Suspicious use of AdjustPrivilegeToken
       - Suspicious use of WriteProcessMemory
      4  C:\Windupdt\winupdate.exe
         "C:\Windupdt\winupdate.exe"
         PID:4988
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
        5  C:\Windupdt\winupdate.exe
           "C:\Windupdt\winupdate.exe"
           PID:3744
           - Executes dropped EXE
           - Writes to the Master Boot Record (MBR)
           - Suspicious use of SetThreadContext
           - Suspicious use of SetWindowsHookEx
           - Suspicious use of WriteProcessMemory
          6  C:\Windupdt\winupdate.exe
             "C:\Windupdt\winupdate.exe"
             PID:1304
             - Executes dropped EXE
             - Suspicious use of AdjustPrivilegeToken
             - Suspicious use of SetWindowsHookEx
             - Suspicious use of WriteProcessMemory
            7  C:\Program Files (x86)\Internet Explorer\iexplore.exe
               "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
               PID:5032
            7  C:\Windows\explorer.exe
               "C:\Windows\explorer.exe"
               PID:4712
Network
MITRE ATT&CK Enterprise v6
Downloads
Four downloadable artifacts are listed; every entry has the same size and hashes as the submitted sample, shown once here.
Filesize 904KB
MD5 4795b8ece18861e875923d3f3b797f6b
SHA1 03a40021d1c9f72ca38519cf6cb3001b49a8fef8
SHA256 3333946afecebf58c7d4a0c4a6d55cdf40bf20a209cd31a7abe803042cc7eca0
SHA512 d9369c8cf723158dd2aec959192f27a970e3f377db90fbc11441dd9f4caee251388ea71bb80be1e5c01ac82078dbdd11191916fb342e768b463ba8786ce8f1c7