Analysis
- max time kernel: 164s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 22:57
Static task: static1
Behavioral task: behavioral1
Sample: 90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe
Resource: win7-20221111-en
General
- Target: 90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe
- Size: 194KB
- MD5: 0b601c8e85e66b573c24d2ac6846a001
- SHA1: 80e90c3b91ac845e9c57df24f6de206bff0ba2b8
- SHA256: 90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04
- SHA512: 305c1d46f620b7d94fb575ddd32dbe0a2527e198c49013c4ba4976bddda778f71fc03dfc916ce5cee015ea4b80bf38e397bd6b2c62fce944f3933bf26b976150
- SSDEEP: 3072:leoj6QTDgiEIDL5ntDnj/rlIudpB8gkgqXEoqGxTsiqX5G9:Y+hvg8DL5ntb7hBkgXoZxTsid
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: mastaex2@gmail.com
- Password: fh6113887
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    892 | Windows Update.exe
- Deletes itself (1 IoC)
  Processes (pid | process):
    892 | Windows Update.exe
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | Windows Update.exe
    File opened for modification | C:\users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe | Windows Update.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid | process):
    892 | Windows Update.exe (the same entry is reported 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 892 | Windows Update.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    892 | Windows Update.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 1344 wrote to memory of 892 | 1344 | 90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe | Windows Update.exe (the same entry is reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    Signatures:
    - Executes dropped EXE
    - Deletes itself
    - Drops startup file
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
  Filesize: 102B
  MD5: ee5cb40de19805c456427b884ed7c441
  SHA1: 56ded944e2d02beebd92ddf941ca54b439bfe537
  SHA256: 36abd9dd6f59ee1e9be37db29e12c704ae7707103df4894ca1572e75a6311bf4
  SHA512: 470140e1b7afbffd3f26f858a5c029a7edc57016e860d9219ef47c651a08537c4fe53146ce0c1fac8d58ab05b8918239c0a025ee7bd1b0f7dfa7b86aa8416d11
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 194KB
  MD5: 0b601c8e85e66b573c24d2ac6846a001
  SHA1: 80e90c3b91ac845e9c57df24f6de206bff0ba2b8
  SHA256: 90f5a9256f9effd26cb7793b8e71a3c232d64ddac33c25bcf18fcb8ae4e84a04
  SHA512: 305c1d46f620b7d94fb575ddd32dbe0a2527e198c49013c4ba4976bddda778f71fc03dfc916ce5cee015ea4b80bf38e397bd6b2c62fce944f3933bf26b976150
- memory/892-57-0x0000000000000000-mapping.dmp
- memory/892-60-0x000007FEF32D0000-0x000007FEF3CF3000-memory.dmp
  Filesize: 10.1MB
- memory/892-61-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp
  Filesize: 16.6MB
- memory/892-63-0x00000000009E6000-0x0000000000A05000-memory.dmp
  Filesize: 124KB
- memory/892-64-0x000000001D690000-0x000000001D98F000-memory.dmp
  Filesize: 3.0MB
- memory/892-65-0x00000000009E6000-0x0000000000A05000-memory.dmp
  Filesize: 124KB
- memory/1344-54-0x000007FEF32D0000-0x000007FEF3CF3000-memory.dmp
  Filesize: 10.1MB
- memory/1344-55-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp
  Filesize: 16.6MB
- memory/1344-56-0x000007FEFB731000-0x000007FEFB733000-memory.dmp
  Filesize: 8KB