Resubmissions
28-11-2022 09:53
221128-lwp4eaea33 1017-11-2022 04:28
221117-e328zsdf69 1007-11-2022 10:35
221107-mm272secgj 10Analysis
-
max time kernel
23s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
17-11-2022 04:28
General
-
Target
update.exe
-
Size
60.2MB
-
MD5
b77955061c0f46de8059c20128ebb156
-
SHA1
bd9ba700caec09387bfcf97bd9cc0a2e846836ca
-
SHA256
ca94c8bbbb10febb8187f8c709affaa91911f646cf0ac99e857bf45b3a709091
-
SHA512
83f07b66be1138e5f3f1c1f2504d3222bcc1bb1c1626a98e2346408cde7c771a64a998fa38c23ac66097f0b610f70c6309ea914e0c9c95ecff588a385aeb69aa
-
SSDEEP
1572864:DdjkMwgaV4gRNzu1zCcFA4o/UDDvX94UKfytNxZhDa:FJGuMzuHnXDKfeN5Da
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Blocks application from running via registry modification 27 IoCs
Adds application to list of disallowed applications.
-
Modifies Windows Firewall 1 TTPs 7 IoCs
-
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 31 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Modifies WinLogon 2 TTPs 3 IoCs
-
AutoIT Executable 16 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
-
System policy modification 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocks application from running via registry modification
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies WinLogon
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc delete swprv2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc delete swprv3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on2⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN2⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN3⤵
- Modifies Windows Firewall
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN2⤵
-
-
C:\ProgramData\Setup\Game.exeC:\ProgramData\Setup\Game.exe -pnaxui2⤵
-
C:\ProgramData\RealtekHD\GameGuard.exe"C:\ProgramData\RealtekHD\GameGuard.exe"3⤵
-
-
C:\ProgramData\RealtekHD\taskhost.exe"C:\ProgramData\RealtekHD\taskhost.exe"3⤵
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state on1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AppModule" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="AMD" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN1⤵
- Modifies Windows Firewall
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
2Impair Defenses
1Modify Registry
5Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.0MB
MD532198d6a8e26f4e103885fc4eef3c2d7
SHA1f35a0abab275eececc6410f69c5d041d14f3684e
SHA256fc110064f6cee1dfb6793283a7bf1964347b1e6b29a0db8efc70dd77c15c85a1
SHA512d25eaad411040c4b3dc8892594c717d820a0e2dc2bc10d68217a52351764691c8e1e17bc55c1e67fe550e3ffde1e01ab60e6dae8f75b5e1c182733bbc950485e
-
Filesize
4.2MB
MD5fcdfefbc0f29afb1444ba648174b7182
SHA1dfeff4394896cd700e9364dd930c62e1744c30de
SHA256ce833f5fbcb230f6b7a4efdd97a7d44ddb5b530298473c10e2805b43d7d91977
SHA512779bc54bb72ccfebc7b5f9845f56108f7f017c32baf45c91bbefcdc570684991c0049a96d893228288573a422504d31cb69442dcb002429f80eea5f5d48e643e
-
Filesize
6.2MB
MD52522b6629f0462e8a1a3f6dda6bdc031
SHA1b5f298a26a9625b5babd496b34703fed2736f2b6
SHA2568e05ed626d21b7157490a92be742d4687d2b7f534fb13ca2eebeb979c9cd39aa
SHA5124ac0e8e2d7c467d114514e39eac21f503edd9d685b05baed206e27a64d77d34ba0fd41ec7c0045a6f1565213d06a362fe1b1d1d875846e9a6288bace562c3b79
-
Filesize
6.0MB
MD52defe16d485c9b891454cbf1dc40b412
SHA175cb67662073745b08ef2aa2146c838e21d0c63f
SHA2562f7fda1049c4748336f3e2c4011e0ec1a62ba83bc9786b3069335ba487d606fd
SHA512ad076bdc2196683f970aa8846c4cd9dd9c6bf0c8500ba23a467575ef6f52e6390b170109e08dfeb2d3e1ef795522c8ee80e661e9aa4c9cb96eeaa1d2af76b8d5
-
Filesize
8.4MB
MD5b1c1f1f7654212a26c820bb8d98b060c
SHA118a48261a0c2c38fdc249905f72efe7f65ad2c57
SHA256f4e81f05aa5c0371231b60210f42afe6ffe9fdde05a1bf5c6609fa95c61d40b7
SHA512c965553aff374d9f839186abcc3682996f3628682bf548bfc49151b82da8d297fc91a957150969b656d0c41170bd42fb0d38f1b3b1bf83e02065dfc8b07838b2
-
Filesize
8.1MB
MD585c2020cb64c507c0a7fa9d5b2e966a6
SHA12d984e00bd3f9823276102de26d11b8db8ca23f6
SHA25658b7adda1858eb651ff030bda70a613d03a5a69ed137cfa77acbf309bbcb659f
SHA5120809172753be193f5811bfe675bd0b79f6d6a0d3831e06a1f78476b3ddb54633e9399594da8c74405193a5abc29b3dfbc241e58f705c50df504280d3245216ec
-
Filesize
5.0MB
MD532198d6a8e26f4e103885fc4eef3c2d7
SHA1f35a0abab275eececc6410f69c5d041d14f3684e
SHA256fc110064f6cee1dfb6793283a7bf1964347b1e6b29a0db8efc70dd77c15c85a1
SHA512d25eaad411040c4b3dc8892594c717d820a0e2dc2bc10d68217a52351764691c8e1e17bc55c1e67fe550e3ffde1e01ab60e6dae8f75b5e1c182733bbc950485e
-
Filesize
5.0MB
MD532198d6a8e26f4e103885fc4eef3c2d7
SHA1f35a0abab275eececc6410f69c5d041d14f3684e
SHA256fc110064f6cee1dfb6793283a7bf1964347b1e6b29a0db8efc70dd77c15c85a1
SHA512d25eaad411040c4b3dc8892594c717d820a0e2dc2bc10d68217a52351764691c8e1e17bc55c1e67fe550e3ffde1e01ab60e6dae8f75b5e1c182733bbc950485e
-
Filesize
4.0MB
MD531513526b143dfeee251948797984ea1
SHA12123bb1d02088b69cabcc554fb1fa531d660eb29
SHA256c12c07ec3b48481e5c8a5f3505ac288c0a6a5b3627299af3175372e391346e20
SHA512571c2b87aa97e0dc1f032b3e54548d406f57c665e87280f59d1edfeee3a2a32e74df68a5b5a322061fb288440fe996c921407272496d80eb711a6031bad698b2
-
Filesize
5.5MB
MD5e851bc9b590b9eef91122a475da8e8ec
SHA18ded89b8a184b029422637c68a9d985d070c16d7
SHA256b92d212ae2193ee5f8bf70d9830c7009f51c232419a21c88ed696921097f9a01
SHA51206ff884db6c7576d6e3df569b26a80cd70e7a808bccb3535e7760ca4c7ff07357d88835609ba653d70e6af2dc9ae86f2a1026eb96f46516a09c19cb9d10c8720
-
Filesize
5.4MB
MD5374f4aad40de8f1ca2d97d1304d469ee
SHA14ba1b3b1f5e3d641bbd1484dc6d00bdc11af68a0
SHA2561ad53cb03047dcc99a368f82029e01ad7795bce8504b315aa78851f18e4f9520
SHA512a521369eaeb52fa3d3182b54591216a5270cfc0ad53e5c8beee0d69c47b05c290ad340befe4b6346464c3d163660424501577127ff9273227f645cc925e40b89
-
Filesize
6.4MB
MD5aa4796c6f97290be934849bdd782fcda
SHA13388340def67668cbb64ab01be0c6d80c618399b
SHA256ef5114a20d122583ae6ccc2b19fee23bad302190a2f0883e558e36cd786f5e99
SHA512154319605ea28613b7edc881cfa9a74f197406691ab110fbbf54aee16e0edbb5b73e562a969beb6e256c44f75f7b6189973c9fcb342257975e9531c0a737006f
-
Filesize
51.1MB
-
Filesize
51.1MB
-
Filesize
1.7MB
-
Filesize
8KB
-
Filesize
66.8MB
-
Filesize
1.7MB
-
Filesize
66.8MB
-
Filesize
1.7MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
8KB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
66.8MB
-
Filesize
66.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
1.7MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB
-
Filesize
11.8MB