Analysis

max time kernel:  141s
max time network: 33s
platform:         windows7_x64
resource:         win7-20230220-en
resource tags:    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted:        12-04-2023 02:14
Behavioral task: behavioral1
  Sample:   9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample:   9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Resource: win10v2004-20230221-en
General

Target: 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Size:   821KB
MD5:    49f227f4711ee473da73cefa669d6e0e
SHA1:   5af5186ee656020ee301c48dd92b9720d3ccf4ad
SHA256: 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e
SHA512: 63abcd3ef56ecfa80fed804c7993a0e54ab9d0fdf7bd15c5379f6e16ccd56f230edcb0d6c559cd837a892ff50b4944aaaec9bf95a253460352dbb14fbbb7249f
SSDEEP: 12288:TFLlJnnbWOtz6sVJhvaz1Qc/WdI//vfM4qwrbkniafLo6vUTyl0w/q9jJ:h3nbWmJVJFwSddIXvfhqbiaxvRxq9
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description     | ioc                                                                                                                                                             | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\windupdt\\winupdate.exe" | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  description     | ioc                                                                                                                                        | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\windupdt\\winupdate.exe" | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes:
  pid  | pid_target | process      | target process
  1500 | 1308       | WerFault.exe | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  description                         | pid  | process
  Token: SeIncreaseQuotaPrivilege     | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeSecurityPrivilege          | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeTakeOwnershipPrivilege     | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeLoadDriverPrivilege        | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeSystemProfilePrivilege     | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeSystemtimePrivilege        | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeProfSingleProcessPrivilege | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeIncBasePriorityPrivilege   | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeCreatePagefilePrivilege    | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeBackupPrivilege            | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeRestorePrivilege           | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeShutdownPrivilege          | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeDebugPrivilege             | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeSystemEnvironmentPrivilege | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeChangeNotifyPrivilege      | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeRemoteShutdownPrivilege    | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeUndockPrivilege            | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeManageVolumePrivilege      | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeImpersonatePrivilege       | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: SeCreateGlobalPrivilege      | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: 33                           | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: 34                           | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
  Token: 35                           | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       | pid  | process                                                               | target process
  PID 1308 wrote to memory of 584   | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | cmd.exe
  PID 1308 wrote to memory of 584   | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | cmd.exe
  PID 1308 wrote to memory of 584   | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | cmd.exe
  PID 1308 wrote to memory of 584   | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | cmd.exe
  PID 1308 wrote to memory of 1500  | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | WerFault.exe
  PID 1308 wrote to memory of 1500  | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | WerFault.exe
  PID 1308 wrote to memory of 1500  | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | WerFault.exe
  PID 1308 wrote to memory of 1500  | 1308 | 9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe | WerFault.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9ef45e8fc3c3333a7d2e95de498b82d09b11a3df6253fa172b7db084726a5c4e.exe"
    Signatures:
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 624
        Signatures:
          - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
  Filesize: 119B
  MD5:      3e8ac0bd466eee9c57c75a47a9e2ecaf
  SHA1:     9e989f33e24b591c896ac7abdf455282744c89ee
  SHA256:   b4b8bca723141caee872820a83aa75d4cb2d8056a59d4fff3e3363bd2922140a
  SHA512:   399aec5f1f256d734bf2a487d3fc3c6799388d9de4ba6ee9f32f76c28d40e1dcd5ca46b9bd9e0052b847a86d452a6b1f2ef7673bc5703c8d5aac02c1b1959896

memory/1308-65-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB

memory/1308-66-0x0000000000400000-0x00000000004DB000-memory.dmp
  Filesize: 876KB