Analysis
- max time kernel: 193s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 15:52
Behavioral tasks
- behavioral1: sample 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe, resource win7-20221111-en
- behavioral2: sample 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe, resource win10v2004-20221111-en (the run whose signatures, process tree and memory dumps are reported below)
General
- Target: 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe
- Size: 308KB
- MD5: 4f0c4f7a2be67072665ac5f48c756da0
- SHA1: 5ed66fa081c0a07cc079b1548e91556a6b60b832
- SHA256: 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b
- SHA512: 5c627141d716cff548f3b8fbb09b2edea7d23b0b04a3f9759e9e371aa85dd6f8082309b677c9bd1b119c5ad1011889cf72fa648b8077c5f596fa4b6c390d3a9e
- SSDEEP: 6144:YyAWbOUfseiFDyHqpzgxuHN6q9OM3ESNt84ULuFMtBZBmE6UTQVwoSu:KAO19oq1QI4y3H/8xxBZBmE6UTQuoSu
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
Registry events (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" (reg.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (reg.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (reg.exe)
Net effect: exceptions are re-enabled for the standard profile (DoNotAllowExceptions = 0, written twice) and two entries are added to the XP-era AuthorizedApplications list, each Enabled for every scope (*): one for the dropped C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe and one for C:\Users\Admin\AppData\Roaming\Windows Updater.exe, a path that does not appear among the dropped files in this report. The display name "Windows Messanger" is misspelt in the sample itself. The commands target HKLM\System\CurrentControlSet, which the sandbox records under its resolved name ControlSet001. Windows Defender Firewall on Windows 10 keeps its rules under FirewallPolicy\FirewallRules, not in this legacy list; whether the legacy entries still have any effect is not something this report shows.
Executes dropped EXE 2 IoCs
Processes: winupdt.exe, winupdt.exe
- PID 3952 winupdt.exe
- PID 4228 winupdt.exe
YARA rule match: upx 11 IoCs
Processes (yara_rule upx):
- behavioral2/memory/3824-132-0x0000000000400000-0x0000000000591000-memory.dmp
- behavioral2/memory/3824-135-0x0000000000400000-0x0000000000591000-memory.dmp
- C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
- C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
- behavioral2/memory/4228-145-0x0000000000400000-0x000000000045C000-memory.dmp
- C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
- behavioral2/memory/4228-148-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral2/memory/4228-149-0x0000000000400000-0x000000000045C000-memory.dmp
- behavioral2/memory/3952-150-0x0000000000400000-0x0000000000591000-memory.dmp
- behavioral2/memory/3824-153-0x0000000000400000-0x0000000000591000-memory.dmp
- behavioral2/memory/4228-163-0x0000000000400000-0x000000000045C000-memory.dmp
Both the submitted sample (PID 3824) and the dropped winupdt.exe (PIDs 3952 and 4228) match the UPX rule, on disk and in memory.
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe)
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe
- Key created: \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" (reg.exe)
Suspicious use of SetThreadContext 1 IoCs
Processes: winupdt.exe
- PID 3952 winupdt.exe set thread context of PID 4228 winupdt.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour"; that is a generic heuristic, and nothing else in this report (no mass file writes, no encryption or ransom-note artifacts) corroborates it.
-
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
- PID 3432 reg.exe
- PID 4564 reg.exe
- PID 3940 reg.exe
- PID 4660 reg.exe
Suspicious use of AdjustPrivilegeToken 35 IoCs
Processes: winupdt.exe
All 35 entries are for PID 4228 winupdt.exe, in this order: Token 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, Token 31, Token 32, Token 33, Token 34, Token 35.
The numeric entries (1, 31 to 35) are privilege LUIDs the sandbox did not resolve to names. Enabling every privilege in LUID order, including ones a user token never holds (SeTcbPrivilege, SeCreateTokenPrivilege), is a blanket sweep rather than a targeted request; AdjustTokenPrivileges can only enable privileges already present in the token, so the sweep grants nothing new.
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe, winupdt.exe, winupdt.exe
- PID 3824 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe
- PID 3952 winupdt.exe
- PID 4228 winupdt.exe (three entries)
Suspicious use of WriteProcessMemory 41 IoCs
Processes: 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe, cmd.exe, winupdt.exe, winupdt.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Writes per source PID -> target PID, in the order logged:
- 3824 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe -> 4868 cmd.exe: 3
- 4868 cmd.exe -> 4316 reg.exe: 3
- 3824 154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe -> 3952 winupdt.exe: 3
- 3952 winupdt.exe -> 4228 winupdt.exe: 8
- 4228 winupdt.exe -> 4024 cmd.exe: 3
- 4228 winupdt.exe -> 4312 cmd.exe: 3
- 4228 winupdt.exe -> 3408 cmd.exe: 3
- 4228 winupdt.exe -> 4128 cmd.exe: 3
- 4024 cmd.exe -> 3432 reg.exe: 3
- 4128 cmd.exe -> 4564 reg.exe: 3
- 3408 cmd.exe -> 3940 reg.exe: 3
- 4312 cmd.exe -> 4660 reg.exe: 3
Three writes is what this report logs for every ordinary parent-to-child start (each cmd.exe and reg.exe child gets exactly three). The eight writes from 3952 into its own child 4228, followed by the SetThreadContext call above, are the process-hollowing sequence: start a copy of yourself, overwrite its image, redirect its main thread. The memory dumps agree: 3952 maps its image at 0x400000-0x591000 (1.6MB), while 4228, started from the same winupdt.exe, maps 0x400000-0x45C000 (368KB), so 4228 is executing a different image from the one on disk.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe (PID 3824)
    "C:\Users\Admin\AppData\Local\Temp\154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe"
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\cmd.exe (PID 4868)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuxJT.bat" "
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\reg.exe (PID 4316)
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f
        - Adds Run key to start application
  [2] C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe (PID 3952)
      "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe (PID 4228)
        "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key
      [4] C:\Windows\SysWOW64\cmd.exe
          cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\reg.exe
            REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key
Bracketed numbers are the tree depth; PIDs are taken from the signature tables where the mapping is unambiguous. The four level-4 cmd.exe instances are PIDs 4024, 4312, 3408 and 4128 with reg.exe children 3432, 4660, 3940 and 4564 respectively, but the report does not say which pair ran which of the four REG ADD commands. Every child runs from SysWOW64 because the sample is 32-bit (the command lines still say system32, which WOW64 redirects). The only observed effect of the 158-byte VuxJT.bat is the HKCU Run entry at depth 3; everything that touches the firewall is done by the hollowed PID 4228, not by the file on disk.
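The registry and process rows above are regular enough to triage mechanically. The following Python is an added example written for this page; it is not part of the Triage report or of any tool the report names. It takes constructed rows modelled on the report's IoC tables (the DoNotAllowExceptions and AuthorizedApplications writes, the HKCU Run value, the Geo\Nation lookup, and the WriteProcessMemory/SetThreadContext rows in the report's own "PID <src> ... of <dst>" form, plus one constructed benign Run entry as a control) and flags the firewall-exception abuse, the AppData autostart, the location lookup and the write-many-then-redirect pattern. The ATT&CK technique IDs, the list of user-writable directories and the baseline of three writes per ordinary process start are the editor's assumptions, not values the report states.

```python
"""Triage of sandbox IoC rows: firewall-exception abuse, Run-key persistence,
location lookup and the write-then-SetThreadContext injection pattern."""
import re
from collections import Counter
from dataclasses import dataclass

# Registry roots exactly as they appear in the report.
FWP = (r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
       r"\FirewallPolicy\StandardProfile")
HKU = r"\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000"
RUN = HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED = r"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"
SAMPLE = "154dec649855d624285779d75aac3fcdae916fc91f99a402dcebe9485041066b.exe"

# Constructed registry rows modelled on the report: (operation, key or value path, data, process).
REGISTRY_EVENTS = [
    ("Set value (int)", FWP + r"\DoNotAllowExceptions", '"0"', "reg.exe"),
    ("Set value (str)", FWP + "\\AuthorizedApplications\\List\\" + DROPPED,
     DROPPED + ":*:Enabled:Windows Messanger", "reg.exe"),
    ("Set value (str)", RUN + r"\Window Updates", DROPPED, "reg.exe"),
    ("Key value queried", HKU + r"\Control Panel\International\Geo\Nation", "", SAMPLE),
    # Constructed benign control: a vendor autostart under Program Files must not fire.
    ("Set value (str)", RUN + r"\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "OneDriveSetup.exe"),
]

# Process rows in the report's own "PID <src> <op> of <dst> <src> <src image> <dst image>" form;
# the repeat counts mirror the report (three writes per ordinary child, eight into the self-spawned copy).
PROCESS_ROWS = (
    [f"PID 3824 wrote to memory of 4868 3824 {SAMPLE} cmd.exe"] * 3
    + [f"PID 3824 wrote to memory of 3952 3824 {SAMPLE} winupdt.exe"] * 3
    + ["PID 3952 wrote to memory of 4228 3952 winupdt.exe winupdt.exe"] * 8
    + ["PID 3952 set thread context of 4228 3952 winupdt.exe winupdt.exe"]
    + ["PID 4228 wrote to memory of 4024 4228 winupdt.exe cmd.exe"] * 3
)
ROW_RE = re.compile(r"PID (\d+) (wrote to memory|set thread context) of (\d+) \1 (\S+) (\S+)$")

# Assumption: locations an unprivileged user can write to. An autostart or firewall exception
# pointing here deserves a look; Program Files or System32 would not trip this rule.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE)
CREATE_BASELINE = 3  # assumption: writes logged for every ordinary parent->child start


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID: the editor's mapping, not one the report states
    detail: str


def triage_registry(events):
    """Flag the registry rows that matter; paths compare case-insensitively, like the registry."""
    findings = []
    list_prefix = (FWP + "\\AuthorizedApplications\\List\\").lower()
    for op, path, data, proc in events:
        low = path.lower()
        if op.startswith("Set value") and low == (FWP + r"\DoNotAllowExceptions").lower():
            if data.strip('"') == "0":
                findings.append(Finding("T1562.004", f"{proc} re-enabled firewall exceptions (DoNotAllowExceptions=0)"))
        elif op.startswith("Set value") and low.startswith(list_prefix):
            parts = data.rsplit(":", 3)  # "<exe path>:<scope>:<Enabled|Disabled>:<display name>"
            if len(parts) == 4 and parts[2] == "Enabled" and USER_WRITABLE.match(parts[0]):
                findings.append(Finding("T1562.004", f'{proc} authorised {parts[0]} (scope {parts[1]}) as "{parts[3]}"'))
        elif op.startswith("Set value") and "\\currentversion\\run\\" in low and USER_WRITABLE.match(data):
            name = path.rsplit("\\", 1)[-1]
            findings.append(Finding("T1547.001", f"{proc} set Run value {name} -> {data}"))
        elif op == "Key value queried" and low.endswith(r"\control panel\international\geo\nation"):
            findings.append(Finding("T1614", f"{proc} read the configured country (Geo\\Nation)"))
    return findings


def parse_process_rows(rows):
    """Parse report rows into (op, src pid, dst pid, src image, dst image); malformed rows raise."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        parsed.append((m.group(2), int(m.group(1)), int(m.group(3)), m.group(4), m.group(5)))
    return parsed


def triage_process(rows):
    """Flag a parent that writes into a child beyond the creation baseline and then redirects a thread."""
    writes, redirected, image = Counter(), set(), {}
    for op, src, dst, src_img, dst_img in parse_process_rows(rows):
        image[src], image[dst] = src_img, dst_img
        if op == "wrote to memory":
            writes[(src, dst)] += 1
        else:
            redirected.add((src, dst))
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in redirected and n > CREATE_BASELINE:
            target = "a copy of itself" if image[src].lower() == image[dst].lower() else image[dst]
            findings.append(Finding("T1055.012", f"{image[src]} ({src}) wrote {n} times into {target} ({dst}) and then set its thread context"))
    return findings


if __name__ == "__main__":
    for finding in triage_registry(REGISTRY_EVENTS) + triage_process(PROCESS_ROWS):
        print(finding.technique, finding.detail)
```

The process rule deliberately keys on the pair (many writes, then SetThreadContext on the same target) rather than on either call alone: three writes into every cmd.exe and reg.exe child is the sandbox's normal process-start noise, and a lone SetThreadContext has legitimate debugger uses. The firewall rule parses the legacy "path:scope:state:name" value from the right so the drive-letter colon in the path does not split it.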
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\VuxJT.bat
- Filesize: 158B
- MD5: 1954c7e666c5b4d1117ef07bc0c9b8ec
- SHA1: 559e3c0273c1463e9184027b749bdaad0a372681
- SHA256: 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
- SHA512: 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a
-
C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe (the report lists this file three times with identical hashes; shown once)
- Filesize: 308KB
- MD5: 91a9e22c1045c21f649efb6895708db6
- SHA1: bcd642a4b248764a9642885458f8ebd5048fef61
- SHA256: ee22e20ca2b5ffd6825cc8bf37ceed6babd1e930affc134485d8be8e32fbebec
- SHA512: 512a8a43d850b1271ef7c76d1ad4d7b72d477292bff5b131dd20462a27a68485246cf39fe7a7455e867c8ae414784528dd8751207090c6d0c628a1ee2571d66c
The dropped file has the same 308KB size as the submitted sample but different hashes, so it is not a byte-for-byte copy; both match the upx YARA rule above. Hunt on the dropped file's hashes as well as the sample's.
-
Memory dumps (behavioral2; mapping.dmp entries carry no size in the report):
- memory/3408-157-0x0000000000000000-mapping.dmp
- memory/3432-159-0x0000000000000000-mapping.dmp
- memory/3824-132-0x0000000000400000-0x0000000000591000-memory.dmp (1.6MB)
- memory/3824-135-0x0000000000400000-0x0000000000591000-memory.dmp (1.6MB)
- memory/3824-153-0x0000000000400000-0x0000000000591000-memory.dmp (1.6MB)
- memory/3940-161-0x0000000000000000-mapping.dmp
- memory/3952-150-0x0000000000400000-0x0000000000591000-memory.dmp (1.6MB)
- memory/3952-139-0x0000000000000000-mapping.dmp
- memory/4024-155-0x0000000000000000-mapping.dmp
- memory/4128-158-0x0000000000000000-mapping.dmp
- memory/4228-149-0x0000000000400000-0x000000000045C000-memory.dmp (368KB)
- memory/4228-148-0x0000000000400000-0x000000000045C000-memory.dmp (368KB)
- memory/4228-145-0x0000000000400000-0x000000000045C000-memory.dmp (368KB)
- memory/4228-144-0x0000000000000000-mapping.dmp
- memory/4228-163-0x0000000000400000-0x000000000045C000-memory.dmp (368KB)
- memory/4312-156-0x0000000000000000-mapping.dmp
- memory/4316-138-0x0000000000000000-mapping.dmp
- memory/4564-160-0x0000000000000000-mapping.dmp
- memory/4660-162-0x0000000000000000-mapping.dmp
- memory/4868-136-0x0000000000000000-mapping.dmp