7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
Size

312KB
MD5

29726fc9034dcb792b66752170fa49a3
SHA1

f164c91db8ca909f6f6e0e9c706b288dece944d6
SHA256

7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae
SHA512

158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f
SSDEEP

6144:8NSKQMLdz5NpPrL88qwKUDkhu6b/jtevbST:+LrNqwKUIhEb

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4768	winupdate.exe
4392	winupdate.exe
4892	winupdate.exe
764	winupdate.exe
2016	winupdate.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
File opened for modification	C:\Windows\SysWOW64\winupdate.exe	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4768	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4392	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
4892	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
764	winupdate.exe
2016	winupdate.exe
2016	winupdate.exe
2016	winupdate.exe
2016	winupdate.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 4768	4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe	82
PID 4712 wrote to memory of 4768	4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe	82
PID 4712 wrote to memory of 4768	4712	7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe	82
PID 4768 wrote to memory of 4392	4768	winupdate.exe	84
PID 4768 wrote to memory of 4392	4768	winupdate.exe	84
PID 4768 wrote to memory of 4392	4768	winupdate.exe	84
PID 4392 wrote to memory of 4892	4392	winupdate.exe	85
PID 4392 wrote to memory of 4892	4392	winupdate.exe	85
PID 4392 wrote to memory of 4892	4392	winupdate.exe	85
PID 4892 wrote to memory of 764	4892	winupdate.exe	86
PID 4892 wrote to memory of 764	4892	winupdate.exe	86
PID 4892 wrote to memory of 764	4892	winupdate.exe	86
PID 764 wrote to memory of 2016	764	winupdate.exe	87
PID 764 wrote to memory of 2016	764	winupdate.exe	87
PID 764 wrote to memory of 2016	764	winupdate.exe	87

C:\Users\Admin\AppData\Local\Temp\7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
"C:\Users\Admin\AppData\Local\Temp\7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Windows\SysWOW64\winupdate.exe
  C:\Windows\system32\winupdate.exe -bai C:\Users\Admin\AppData\Local\Temp\7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4768
- - C:\Windows\SysWOW64\winupdate.exe
    C:\Windows\system32\winupdate.exe -bai C:\Windows\SysWOW64\winupdate.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\Windows\SysWOW64\winupdate.exe
      C:\Windows\system32\winupdate.exe -bai C:\Windows\SysWOW64\winupdate.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\winupdate.exe
        
        C:\Windows\system32\winupdate.exe -bai C:\Windows\SysWOW64\winupdate.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\winupdate.exe
        
        C:\Windows\system32\winupdate.exe -bai C:\Windows\SysWOW64\winupdate.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
312KB

MD5
29726fc9034dcb792b66752170fa49a3

SHA1
f164c91db8ca909f6f6e0e9c706b288dece944d6

SHA256
7e41d5836a0268aaed0bbac7d3c0beb8aaaed34a7b22a691d4750e7aae3771ae

SHA512
158531d6e4d431979761fb506bc0ebd876bdbe0287fd0da85c159d578b499be87f488afab6acd83a2b2426710cd6efb92093386af984d546e5f111e9adb1a80f

Download Submit
memory/764-139-0x0000000000000000-mapping.dmp

Download
memory/2016-141-0x0000000000000000-mapping.dmp

Download
memory/4392-135-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000000000-mapping.dmp

Download
memory/4892-137-0x0000000000000000-mapping.dmp

Download