Analysis

max time kernel: 229s
max time network: 302s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 14:37
Static task: static1
Behavioral task: behavioral1
Sample: f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
Resource: win7-20221111-en
General

Target: f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
Size: 540KB
MD5: c340b545e167371f71a21251f16980f7
SHA1: 546efcf9a52b1efa0351e71d1e17becfc6a08250
SHA256: f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f
SHA512: 314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e
SSDEEP: 6144:ku9GDrsbS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9DK:zQtqB5urTIoYWBQk1E+VF9mOx9Dw3
Malware Config
Signatures
NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView

Nirsoft (3 IoCs)
  resource | yara_rule
  \Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft

Executes dropped EXE (1 IoC)
  pid | process
  1984 | Windows Update.exe

Deletes itself (1 IoC)
  pid | process
  1984 | Windows Update.exe

Loads dropped DLL (1 IoC)
  pid | process
  700 | f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | Windows Update.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  4 | whatismyipaddress.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | process
  1984 | Windows Update.exe (64 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1984 | Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1984 | Windows Update.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 700 wrote to memory of 1984 | 700 | f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe | Windows Update.exe (7 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\Windows Update.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Deletes itself
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: 464ba472cde35baf02d5bcb42b52a3ab
  SHA1: eb03712aacc701a1d7f6f99a3c5ce9f1c9a27df0
  SHA256: fe993cc04866d632f36eb3b7e8e64fd6aed5d16b4e089002b9e12d07385c4e19
  SHA512: 6b95f51130bd439ed076c88e3d57f5cc65d684c8e8915364b1e6ba95290613ae9c07e16a3a83ad2c3f00a8a1806f168ed4a9a6fbc90325e29676583258cce5f5

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 540KB
  MD5: c340b545e167371f71a21251f16980f7
  SHA1: 546efcf9a52b1efa0351e71d1e17becfc6a08250
  SHA256: f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f
  SHA512: 314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e
\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 540KB
  MD5: c340b545e167371f71a21251f16980f7
  SHA1: 546efcf9a52b1efa0351e71d1e17becfc6a08250
  SHA256: f19338d724c0e6b14325ce3b6d38d17dc60c7a70e8d460e2353bd624a16cf81f
  SHA512: 314b30fe3068aaf54a6547f706508929ab91a008ac0a6fdc5443b63b7848007538ea14a7b24185c436182af5a32aa32681b681c3ac5492035fef3120f742139e

memory/700-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp
  Filesize: 8KB

memory/700-55-0x0000000074E40000-0x00000000753EB000-memory.dmp
  Filesize: 5.7MB

memory/700-61-0x0000000074E40000-0x00000000753EB000-memory.dmp
  Filesize: 5.7MB

memory/1984-57-0x0000000000000000-mapping.dmp

memory/1984-63-0x0000000074E40000-0x00000000753EB000-memory.dmp
  Filesize: 5.7MB

memory/1984-64-0x0000000074E40000-0x00000000753EB000-memory.dmp
  Filesize: 5.7MB