Analysis
max time kernel: 223s
max time network: 210s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2022 02:04
Static task: static1
Behavioral task: behavioral1
Sample: 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
Resource: win7-20221111-en
General
Target: 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
Size: 228KB
MD5: 329f6bbcb2a52df13d255d25dc1bce10
SHA1: 455e863b1af3e738abdc6c1d5a2743071a75b584
SHA256: 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586
SHA512: 2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d
SSDEEP: 6144:WpIWTqzmgoJlS5Oz4BS9sqLFuV8G0BjH8K:Wh4mgoJlS5OsGQ8d
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: pid 1812, Windows Update.exe
- Deletes itself (1 IoC)
  Process: pid 1812, Windows Update.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: pid 1812, Windows Update.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: pid 1812, Windows Update.exe; description: Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Process: pid 1812, Windows Update.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe, Windows Update.exe
  description | pid | process | target process
  PID 1120 wrote to memory of 1812 | 1120 | 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe | Windows Update.exe
  PID 1120 wrote to memory of 1812 | 1120 | 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe | Windows Update.exe
  PID 1120 wrote to memory of 1812 | 1120 | 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe | Windows Update.exe
  PID 1812 wrote to memory of 1692 | 1812 | Windows Update.exe | dw20.exe
  PID 1812 wrote to memory of 1692 | 1812 | Windows Update.exe | dw20.exe
  PID 1812 wrote to memory of 1692 | 1812 | Windows Update.exe | dw20.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586.exe"
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\Windows Update.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
   - Executes dropped EXE
   - Deletes itself
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
3. C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (child of 2)
   Command line: dw20.exe -x -s 1280
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: f309ad2dda993483bdff07a679c6e674
  SHA1: 9871564c9a24a31b9fca7bcb6ec1d6a6f5e60d8b
  SHA256: b86f228978df92a45cefd086e4d07a96d7a571bda00d955b75f9d41e28c17b37
  SHA512: 47d1776638d92328c15f4d2a1cb9ec324b1890a6c96909ba6890cc3b23c91e095c5868f28f69cc83c29cfd47f1a7ce1731e0de93b4f0916324d2f4b914fcc6b1
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 228KB
  MD5: 329f6bbcb2a52df13d255d25dc1bce10
  SHA1: 455e863b1af3e738abdc6c1d5a2743071a75b584
  SHA256: 87585830c648948e8a4f0721714b1dc7c5c32ab208a70f04eadcd472a5c89586
  SHA512: 2dd4ab27b676bf157988795e50c066d1d24628ebe477471e9ac3849619f85088b9afd29c078953222d26a28c06303f971ed6877a39a2911e4f616fcb98914e8d
- memory/1120-55-0x000007FEF2CB0000-0x000007FEF3D46000-memory.dmp
  Filesize: 16.6MB
- memory/1120-56-0x000007FEFC251000-0x000007FEFC253000-memory.dmp
  Filesize: 8KB
- memory/1120-54-0x000007FEF3D50000-0x000007FEF4773000-memory.dmp
  Filesize: 10.1MB
- memory/1692-64-0x0000000000000000-mapping.dmp
- memory/1812-60-0x000007FEF3320000-0x000007FEF3D43000-memory.dmp
  Filesize: 10.1MB
- memory/1812-61-0x000007FEEE0D0000-0x000007FEEF166000-memory.dmp
  Filesize: 16.6MB
- memory/1812-63-0x0000000002016000-0x0000000002035000-memory.dmp
  Filesize: 124KB
- memory/1812-57-0x0000000000000000-mapping.dmp
- memory/1812-66-0x0000000002016000-0x0000000002035000-memory.dmp
  Filesize: 124KB
- memory/1812-67-0x000000001F8A0000-0x000000001FB9F000-memory.dmp
  Filesize: 3.0MB