Analysis
-
max time kernel
206s -
max time network
212s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
28-11-2022 18:19
Behavioral task
behavioral1
Sample
4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
Resource
win10v2004-20220812-en
General
-
Target
4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
-
Size
325KB
-
MD5
8bbb3b4c01554e0ff1a618554c067dc3
-
SHA1
294d26f917ed996c1f8aae3a57f723666cc49843
-
SHA256
4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b
-
SHA512
5454ae34b4bd6dfbe896a91a7d41197dcad048ed4b2aa8286dad5f2ed70fd41e5799815175aba059c4ca96997dd0e11ed30a48adb0f0486d7e656a560dab428c
-
SSDEEP
6144:XuIlWqB+ihabs7Ch9KwyF5LeLodp2D1Mmakda0qLcnSR51yB3l1G:e6Wq4aaE6KwyF5L0Y2D1PqLt5sBvG
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
  pid   process
  1044  WinUpdat.exe
  516   svchost.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
Processes: (the table for this signature was not preserved; the IoC is the netsh.exe command line shown under Processes below, pid 1320, spawned by the dropped svchost.exe)
-
UPX packed file 2 IoCs
Detected by the yara rule upx on the mapped image of the initial sample (pid 1152); the AutoIT rule below fires on the same two memory regions, so the sample is a UPX-packed, AutoIt-compiled executable.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp  upx
  behavioral1/memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp  upx
Drops startup file 4 IoCs
Processes:
  description                   ioc                                                                                                               process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs                         WScript.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs                         WScript.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe  svchost.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8cc5db40eb97299bd658a6eaa7488f79.exe  svchost.exe
Loads dropped DLL 1 IoCs
Processes:
  pid   process
  1152  4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe
Adds Run key to start application 2 TTPs 8 IoCs
Processes:
  description      ioc                                                                                                                                                       process
  Key created      \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run                                                                                WScript.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinUpdat = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"    WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = C:\Users\Admin\AppData\Local\10.exe   svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "C:\Users\Admin\AppData\Roaming\svchost.exe" ..   svchost.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79 = "C:\Users\Admin\AppData\Roaming\svchost.exe" ..         svchost.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = C:\Users\Admin\AppData\Local\10.exe   WinUpdat.exe
  Key created      \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\software\microsoft\windows\currentversion\run                                                 WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdat = wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"   WScript.exe
Notes on these values: the value data is shown unescaped (the raw report double-escapes backslashes and quotes). wscript.exe //B runs the VBS in batch mode, so script errors never produce a visible dialog. The WScript.exe instance is 32-bit (it runs from SysWOW64, see the process tree below), which is why its HKLM write lands under Wow6432Node. The value name "Host Process for Windows Services" is the file description of the genuine svchost.exe, chosen to blend in; its data points at C:\Users\Admin\AppData\Local\10.exe, a file that does not appear in the dropped-files list of this report, so that stage was either not written during the run or not captured.
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp  autoit_exe
  behavioral1/memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp  autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour, but nothing else in this report supports that for this sample: no file encryption or ransom-note drop is recorded, and the observed actions are persistence (Run keys, Startup folder), a self-copy named svchost.exe and a firewall exception. Drive enumeration is equally common in droppers that look for removable media to copy themselves to; this report alone does not decide which.
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
Processes:
  description                                  pid  process      count
  Token: SeDebugPrivilege                      516  svchost.exe  1
  Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege)  516  svchost.exe  8
  Token: SeIncBasePriorityPrivilege            516  svchost.exe  8
The report lists the last two alternately (33, SeIncBasePriorityPrivilege, 33, ...) eight times each; the name for privilege 33 is resolved here from the Windows privilege LUID, the sandbox printed only the number. SeDebugPrivilege is the one that matters: it lets the dropped svchost.exe open handles to processes it does not own, and a process in a user's Roaming folder has no legitimate reason to enable it.
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
  description                source pid  source process                                                            target pid  target process
  wrote to memory of (x4)    1152        4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe     1044        WinUpdat.exe
  wrote to memory of (x4)    1152        4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe     1308        WScript.exe
  wrote to memory of (x3)    1044        WinUpdat.exe                                                              516         svchost.exe
  wrote to memory of (x3)    516         svchost.exe                                                               1320        netsh.exe
Every source/target pair here is a parent writing into a child it has just created (compare the process tree below), which is consistent with ordinary process start-up rather than injection into a process the sample did not spawn.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe (pid 1152)
    command line: "C:\Users\Admin\AppData\Local\Temp\4fff64c207d1d0ebe4073f120bb99720a90b79a8b9558e316f80b926c56ebf3b.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe (pid 1044)
        command line: C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\svchost.exe (pid 516)
            command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            - Executes dropped EXE
            - Drops startup file
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\netsh.exe (pid 1320)
                command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\svchost.exe" "svchost.exe" ENABLE
                - Modifies Windows Firewall
    [2] C:\Windows\SysWOW64\WScript.exe (pid 1308)
        command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
        - Drops startup file
        - Adds Run key to start application
Bracketed numbers are the tree depth; pids are taken from the signature tables above. The netsh command uses the legacy "netsh firewall" context (still accepted on Windows 7, which is the platform of this run) to add an inbound program exception for the fake svchost.exe, so the copy can accept unsolicited inbound connections through the Windows Firewall.
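The chain in the tree above (a Run value that launches wscript.exe //B, a Run value pointing at an executable under AppData, a file dropped into the Startup folder, an svchost.exe running from Roaming, and a netsh firewall exception) is what a detection engineer would want to catch generically rather than by hash. The following Python is an added example, not part of this sandbox report nor code from the sample: it encodes those behaviours as rules and runs them over a handful of constructed, Sysmon-style records that mirror this page's IoCs. The Event field names, the HKLM/HKCU spellings and the two benign control records at the end are assumptions, not a real log schema.

```python
"""Rule-based detection for the persistence/evasion behaviours in this report.

Added example, not code from the sandbox or from the sample. The records in
SAMPLE_EVENTS are constructed to mirror the report's IoCs in a simplified,
Sysmon-like shape (event_id 1 = process create, 11 = file create,
13 = registry value set); the field names are an assumption, not a real schema.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int           # 1 = process create, 11 = file create, 13 = registry value set
    image: str              # path of the process performing the action
    command_line: str = ""  # event_id 1: full command line of the new process
    target: str = ""        # event_id 11: created file; event_id 13: registry value path
    details: str = ""       # event_id 13: data written to the value


@dataclass
class Alert:
    rule: str
    event: Event
    reason: str


# Run keys under HKLM/HKCU, with or without the Wow6432Node redirection seen in the report.
RUN_KEY_RE = re.compile(r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script(?:\.exe)?$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Legacy "netsh firewall" (used by this sample) and its advfirewall replacement.
NETSH_ALLOW_RE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)\b", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\Windows\\(?:System32|SysWOW64)\\", re.I)


def executable_of(command: str) -> str:
    """First token of a command line, honouring a leading double-quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(maxsplit=1)[0] if command else ""


def is_masquerading_svchost(image: str) -> bool:
    """svchost.exe is only legitimate under the Windows system directories."""
    name = image.rsplit("\\", 1)[-1].lower()
    return name == "svchost.exe" and SYSTEM_DIR_RE.match(image) is None


def evaluate(ev: Event) -> list[Alert]:
    """Apply every rule to one event; an event can raise more than one alert."""
    alerts: list[Alert] = []
    if is_masquerading_svchost(ev.image):
        alerts.append(Alert("svchost_masquerade", ev, f"svchost.exe running from {ev.image}"))
    if ev.event_id == 1 and NETSH_ALLOW_RE.search(ev.command_line):
        alerts.append(Alert("netsh_firewall_allow", ev, f"firewall exception added: {ev.command_line}"))
    elif ev.event_id == 11 and STARTUP_DIR_RE.search(ev.target):
        alerts.append(Alert("startup_folder_drop", ev, f"file created in Startup folder: {ev.target}"))
    elif ev.event_id == 13 and RUN_KEY_RE.search(ev.target):
        exe = executable_of(ev.details)
        if SCRIPT_HOST_RE.search(exe):
            # wscript/cscript as a Run value; //B (batch mode) in the report hides any script errors
            alerts.append(Alert("run_key_script_host", ev, f"Run value launches a script host: {ev.details}"))
        elif USER_WRITABLE_RE.search(exe):
            alerts.append(Alert("run_key_user_writable", ev, f"Run value points into a user-writable path: {exe}"))
    return alerts


def triage(events: list[Event]) -> list[Alert]:
    return [alert for ev in events for alert in evaluate(ev)]


def rule_counts(events: list[Event]) -> dict[str, int]:
    return dict(Counter(a.rule for a in triage(events)))


FAKE_SVCHOST = r"C:\Users\Admin\AppData\Roaming\svchost.exe"

# Constructed records mirroring the report's IoCs, plus two benign controls at the end.
SAMPLE_EVENTS = [
    Event(13, r"C:\Windows\SysWOW64\WScript.exe",
          target=r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinUpdat",
          details=r'wscript.exe //B "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"'),
    Event(11, r"C:\Windows\SysWOW64\WScript.exe",
          target=r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs"),
    Event(13, FAKE_SVCHOST,
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\8cc5db40eb97299bd658a6eaa7488f79",
          details=f'"{FAKE_SVCHOST}" ..'),
    Event(13, r"C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services",
          details=r"C:\Users\Admin\AppData\Local\10.exe"),
    Event(1, r"C:\Windows\system32\netsh.exe",
          command_line=f'netsh firewall add allowedprogram "{FAKE_SVCHOST}" "svchost.exe" ENABLE'),
    Event(1, r"C:\Windows\System32\svchost.exe", command_line="svchost.exe -k netsvcs"),  # genuine svchost
    Event(13, r"C:\Windows\System32\msiexec.exe",                                         # benign Run value
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleTray",
          details=r'"C:\Program Files\Example Vendor\tray.exe" /background'),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.reason}")
```

Against the constructed records this raises six alerts: one each for the script-host Run value, the Startup-folder drop, the masquerading svchost.exe and the netsh exception, and two for Run values pointing into AppData (the fake svchost.exe and 10.exe); the two controls raise none. The masquerade rule is the high-confidence one, since svchost.exe never legitimately runs from a user profile. The user-writable rule needs an allowlist or a signer check in production, because per-user installers (OneDrive, for instance) legitimately register Run values under %LOCALAPPDATA%.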
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
Dropped files. Duplicate listings are collapsed: the raw report lists WinUpdat.exe three times (once with the drive letter omitted) and Roaming\svchost.exe twice, with identical hashes each time.
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
  Filesize  34KB
  MD5       1a6459624ba5b71bcf976bf8373c21ea
  SHA1      fdc3cfdefae69381f9593bbe0a80f06081ee8562
  SHA256    65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da
  SHA512    b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda
-
C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs
  Filesize  41KB
  MD5       42d2072ef26e5e85b3eefd7913797d17
  SHA1      3d9440e20655e9afb8bcbce247f239f52f615392
  SHA256    f7b68b8fa35ee0b28b40f2a207a276a3d0e7307e9ac74109fc7979585f3e33ca
  SHA512    73e2c5715c7106f298bfd6d4fb875c04a5d97e92c765daaa5cbf61a15a447496c4b6e1113e0860a4b07fea1cc687f9e55c698990d23bf4ace2814e96a6328210
-
C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize  34KB
  MD5       1a6459624ba5b71bcf976bf8373c21ea
  SHA1      fdc3cfdefae69381f9593bbe0a80f06081ee8562
  SHA256    65194990e7fea29c62b454d28db89df2eb106db4e796b74360720d08c3b387da
  SHA512    b64294ea997fef20818f14b3bfd86b1bc4c2f916d8c1a3e6eef3a8ad483985a1ca2877cabe15fe26000e190c38d52b57c41e02e0323bd51461cfb208c8c42cda
-
Roaming\svchost.exe is byte-for-byte the same file as WinUpdat.exe (same SHA256), so the second stage copies itself under a system-process name before registering its Run keys and firewall exception; one hash covers both paths when hunting. The file svchost.exe drops into the Startup folder, 8cc5db40eb97299bd658a6eaa7488f79.exe, has no entry in this list, so its contents cannot be confirmed from this report.
Memory dumps
  resource                                                        Filesize
  memory/516-71-0x00000000011B0000-0x00000000011BE000-memory.dmp   56KB
  memory/516-68-0x0000000000000000-mapping.dmp                     -
  memory/1044-67-0x000007FEFC291000-0x000007FEFC293000-memory.dmp  8KB
  memory/1044-65-0x0000000000250000-0x000000000025E000-memory.dmp  56KB
  memory/1044-66-0x0000000000450000-0x000000000045C000-memory.dmp  48KB
  memory/1044-59-0x0000000001260000-0x000000000126E000-memory.dmp  56KB
  memory/1044-56-0x0000000000000000-mapping.dmp                    -
  memory/1152-62-0x0000000000400000-0x00000000004BA000-memory.dmp  744KB
  memory/1152-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp  8KB
  memory/1152-60-0x0000000000400000-0x00000000004BA000-memory.dmp  744KB
  memory/1308-61-0x0000000000000000-mapping.dmp                    -
  memory/1320-72-0x0000000000000000-mapping.dmp                    -
The two 744KB dumps of pid 1152 cover the sample's mapped image (0x400000-0x4BA000), more than twice the 325KB on-disk size, which is consistent with the UPX-packed image being unpacked in memory; these are the regions the upx and autoit_exe yara rules matched.