Analysis
- max time kernel: 202s
- max time network: 212s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-11-2022 11:39
Static task: static1
Behavioral task: behavioral1
- Sample: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
- Resource: win10v2004-20221111-en
General
- Target: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
- Size: 569KB
- MD5: 0eab2d9bc5d399eea1b7226ef901b7f9
- SHA1: ef85ad30b9a0cb932594d55dc167df302735e980
- SHA256: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569
- SHA512: 54b60964740f291ffae09053f77227873c707227274625e1b773f85ab727694f51bf47bfc67ecaf420bd4c0b3286ff75555d4ea31aeab4e7e3c61e23c21e13d3
- SSDEEP: 6144:N8bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9zHk0:mQtqB5urTIoYWBQk1E+VF9mOx9Q0
Malware Config
Signatures
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  - 4212 | Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
  - Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
- Drops file in Windows directory (1 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | dw20.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
- Enumerates system info in registry (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes (description | pid | process):
  - Token: SeRestorePrivilege | 3700 | dw20.exe
  - Token: SeBackupPrivilege | 3700 | dw20.exe
  - Token: SeBackupPrivilege | 3700 | dw20.exe
  - Token: SeBackupPrivilege | 3700 | dw20.exe
  - Token: SeBackupPrivilege | 3700 | dw20.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  - PID 3512 wrote to memory of 4212 | 3512 | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe | Windows Update.exe
  - PID 3512 wrote to memory of 4212 | 3512 | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe | Windows Update.exe
  - PID 3512 wrote to memory of 4212 | 3512 | 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe | Windows Update.exe
  - PID 4212 wrote to memory of 3700 | 4212 | Windows Update.exe | dw20.exe
  - PID 4212 wrote to memory of 3700 | 4212 | Windows Update.exe | dw20.exe
  - PID 4212 wrote to memory of 3700 | 4212 | Windows Update.exe | dw20.exe
Processes (process tree, nesting shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 1276
      - Drops file in Windows directory
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 569KB
  MD5: 0eab2d9bc5d399eea1b7226ef901b7f9
  SHA1: ef85ad30b9a0cb932594d55dc167df302735e980
  SHA256: 4f9f1934dda720b8af44a52ad1b0b3db6c5ed324e051b65718ce75da79f57569
  SHA512: 54b60964740f291ffae09053f77227873c707227274625e1b773f85ab727694f51bf47bfc67ecaf420bd4c0b3286ff75555d4ea31aeab4e7e3c61e23c21e13d3
- memory/3512-132-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)
- memory/3512-133-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)
- memory/3512-138-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)
- memory/3700-140-0x0000000000000000-mapping.dmp
- memory/4212-134-0x0000000000000000-mapping.dmp
- memory/4212-137-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)
- memory/4212-139-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)
- memory/4212-141-0x0000000074AE0000-0x0000000075091000-memory.dmp (Filesize: 5.7MB)