Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 06:00
Static task: static1
Behavioral task: behavioral1
- Sample: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Resource: win10v2004-20220901-en
General
- Target: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Size: 788KB
- MD5: 80ef70dc4d72c8e9b52410ee7338c9ae
- SHA1: 8679b445bfee7382a7ea7ec70331077ecea9d94b
- SHA256: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae
- SHA512: 03488e16a34d6439c5dcde8726a2359ee9a997295c1bf3dff3a8734238272688a2bf749e03cf72d09d15139e81fbf418673a00fb24b2b4b09514f4e6eece0977
- SSDEEP: 12288:s0vdICiZcqd87ONMZ+UWAAFSPiOob2pLLCMjOoUS+uMqiK0NE8/b:xCcIJXUpPiOA2xLCMjuHueKAb
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  The Winlogon UserInit value is extended with a second executable, which Winlogon launches at every interactive logon.
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Executes dropped EXE (2 IoCs)
  Processes: winupdate.exe, winupdate.exe
  pid | process
  628 | winupdate.exe
  1696 | winupdate.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, winupdate.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | winupdate.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, winupdate.exe
  description | pid | process | target process
  PID 616 set thread context of 4912 | 616 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  PID 628 set thread context of 1696 | 628 | winupdate.exe | winupdate.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoC)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
- Runs ping.exe (1 TTPs, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, winupdate.exe
  The same 24 token privileges are enabled by each of the two processes (24 x 2 = 48 IoCs):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid | process
  4912 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  1696 | winupdate.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, winupdate.exe, winupdate.exe
  pid | process
  616 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  628 | winupdate.exe
  1696 | winupdate.exe
- Suspicious use of WriteProcessMemory (37 IoCs)
  Processes: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe, cmd.exe, winupdate.exe
  Identical rows are collapsed with a repeat count (14 + 3 + 3 + 3 + 14 = 37 IoCs):
  description | pid | process | target process | count
  PID 616 wrote to memory of 4912 | 616 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe | 14
  PID 4912 wrote to memory of 628 | 4912 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe | winupdate.exe | 3
  PID 4912 wrote to memory of 620 | 4912 | bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe | cmd.exe | 3
  PID 620 wrote to memory of 1996 | 620 | cmd.exe | PING.EXE | 3
  PID 628 wrote to memory of 1696 | 628 | winupdate.exe | winupdate.exe | 14
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windupdt\winupdate.exe
      Command line: "C:\Windupdt\winupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windupdt\winupdate.exe
        Command line: C:\Windupdt\winupdate.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae.exe"
      - Suspicious use of WriteProcessMemory
      Depth 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 5
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windupdt\winupdate.exe (this entry appears three times in the report with identical hashes)
  Filesize: 788KB
  MD5: 80ef70dc4d72c8e9b52410ee7338c9ae
  SHA1: 8679b445bfee7382a7ea7ec70331077ecea9d94b
  SHA256: bfef082320559626427dc5f25be803c912e154e01705d163595877695210fcae
  SHA512: 03488e16a34d6439c5dcde8726a2359ee9a997295c1bf3dff3a8734238272688a2bf749e03cf72d09d15139e81fbf418673a00fb24b2b4b09514f4e6eece0977
- memory/620-143-0x0000000000000000-mapping.dmp
- memory/628-139-0x0000000000000000-mapping.dmp
- memory/1696-147-0x0000000000000000-mapping.dmp
- memory/1696-151-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/1696-152-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/1696-153-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/1996-146-0x0000000000000000-mapping.dmp
- memory/4912-138-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/4912-137-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/4912-136-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/4912-134-0x0000000000000000-mapping.dmp
- memory/4912-145-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)
- memory/4912-135-0x0000000000400000-0x00000000004B3000-memory.dmp (Filesize: 716KB)