Analysis
max time kernel: 144s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 04:23
Static task: static1
Behavioral task: behavioral1
  Sample: 20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe
  Resource: win10v2004-20220812-en
General
Target: 20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe
Size: 151KB
MD5: cf6fc1e354a33219ba6d20704cffacc4
SHA1: 3d773feb44fc8097adc8dcddadb20ebda6c0942d
SHA256: 20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6
SHA512: 169b365b651638722401210cd406593cd2052cf22071aa238ef4e500b3adbee4c91af8be8d6c056371914774ae6a2490036ea7601d2d861ac3d80db46d61925e
SSDEEP: 3072:bWbrBJVY2Cy+pHdrk0fb7GNUmfYQp/IRLsqd1pIecT3:bdHdo0T7PgYDs4pW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
    4632  winup.exe
- Modifies Windows Firewall (1 TTP, 1 IoC)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation  20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe
- Drops startup file (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0908d40f6c983932f9a545580d2dbfff.exe  winup.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0908d40f6c983932f9a545580d2dbfff.exe  winup.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0908d40f6c983932f9a545580d2dbfff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winup.exe\" .."  winup.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0908d40f6c983932f9a545580d2dbfff = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\winup.exe\" .."  winup.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid, process):
    4632  winup.exe  (25 identical events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  4632  winup.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 3060 wrote to memory of 4632  3060  20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe  winup.exe  (3 identical events)
    PID 4632 wrote to memory of 4984  4632  winup.exe  netsh.exe  (3 identical events)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\winup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\winup.exe"
    - Executes dropped EXE
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\winup.exe" "winup.exe" ENABLE
      - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\winup.exe
  Filesize: 151KB
  MD5: cf6fc1e354a33219ba6d20704cffacc4
  SHA1: 3d773feb44fc8097adc8dcddadb20ebda6c0942d
  SHA256: 20dc5831bc55ea4f98fadcb1dac74be04eb1c01acb067c51a7fa5f9bd517bec6
  SHA512: 169b365b651638722401210cd406593cd2052cf22071aa238ef4e500b3adbee4c91af8be8d6c056371914774ae6a2490036ea7601d2d861ac3d80db46d61925e
- memory/3060-132-0x0000000074C70000-0x0000000075221000-memory.dmp
  Filesize: 5.7MB
- memory/3060-137-0x0000000074C70000-0x0000000075221000-memory.dmp
  Filesize: 5.7MB
- memory/4632-133-0x0000000000000000-mapping.dmp
- memory/4632-138-0x0000000074C70000-0x0000000075221000-memory.dmp
  Filesize: 5.7MB
- memory/4632-139-0x0000000074C70000-0x0000000075221000-memory.dmp
  Filesize: 5.7MB
- memory/4984-136-0x0000000000000000-mapping.dmp