82d4c31b741a633f3eaaf8f6c361b99e5de14060d26457ac1be57bb0f8a1d3bf

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2023 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
Size

5.8MB
MD5

27124a76fe1a7d01090183e7eb646b0e
SHA1

9612c76890e70d63298e674601921cc3a9bbc00c
SHA256

bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776
SHA512

1e218f3b9acdc19dc9d915bbe0cf8afd4b4a0804f2a105aaf063a149cc78995a0948327b4086f6b97d35a213ae951a29e6a5bd91e5438b37585e54b8f6fbdda2
SSDEEP

98304:FuAXqhdxBaSbIzxiEXUfcZYU5XiG0Yq9VaEZns3VpUCpBx4Yfq8WwnwPNq3HZQ:0AWbNbIzxibcZYDFYXjHBq8WwC8Q

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4144	WinSec.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Security Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Windows Security Update\\WinSec.exe"	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
2024	powershell.exe
4204	powershell.exe
4284	powershell.exe
4284	powershell.exe
4204	powershell.exe
2024	powershell.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
4144	WinSec.exe
3836	powershell.exe
3836	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4144	WinSec.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4144	3992	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe	82
PID 3992 wrote to memory of 4144	3992	bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe	82
PID 4144 wrote to memory of 2024	4144	WinSec.exe	83
PID 4144 wrote to memory of 2024	4144	WinSec.exe	83
PID 4144 wrote to memory of 4204	4144	WinSec.exe	85
PID 4144 wrote to memory of 4204	4144	WinSec.exe	85
PID 4144 wrote to memory of 4284	4144	WinSec.exe	84
PID 4144 wrote to memory of 4284	4144	WinSec.exe	84
PID 4144 wrote to memory of 3836	4144	WinSec.exe	89
PID 4144 wrote to memory of 3836	4144	WinSec.exe	89

C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe
"C:\Users\Admin\AppData\Local\Temp\bb1e9db6d9b4b5a858987999a1c8b68ea3610382968c36771da27a6625eba776.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Set-MpPreference -PUAProtection 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Set-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender Security Center\\Notifications' -Name DisableNotifications -Value 1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Add-MpPreference -ExclusionPath C:\
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Windows Security Update' -Value '"C:\Users\Admin\AppData\Local\Temp\Windows Security Update\WinSec.exe"' -PropertyType 'String'
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
3a1e249212d4af8ee7f335a5dfd075ba

SHA1
8ab2019e5d1376124bd79b822b9b1d4a794de076

SHA256
046de684b024a7e2bcb771c259e58a1a3e7f2a920579290747bec845dcd419fa

SHA512
8a463062e497760c41159b71480d1562e959969051e88d09be4f0ee9bed64805090021c1bb82c6eafba310cf471dc8879418fe512078d6e26c9a88575c78223b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

Filesize
5.7MB

MD5
a419d5d9882f43143818df7122c684a1

SHA1
63a5ae4680d40c7c87d3b5b96317a8afbf42d071

SHA256
594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

SHA512
3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WinSec.exe

Filesize
5.7MB

MD5
a419d5d9882f43143818df7122c684a1

SHA1
63a5ae4680d40c7c87d3b5b96317a8afbf42d071

SHA256
594fcf39f956a9e3c7563d0a5ba815ccba997568160008b82065474d62c1a9b7

SHA512
3d6fe541beffebb25c0bc5980a7b279c86d279b0ffbfcf5605535ec97be5b84ea6d7f0b7229fdb129dd6332e215c683e4853cf1306190489ef35f77580fea66a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3ufyrxx.ft1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2024-151-0x0000026451360000-0x0000026451382000-memory.dmp

Filesize
136KB

Download
memory/4144-140-0x0000013417560000-0x0000013417B0E000-memory.dmp

Filesize
5.7MB

Download
memory/4144-141-0x0000013417E90000-0x0000013417E9A000-memory.dmp

Filesize
40KB

Download
memory/4144-189-0x00000134197D0000-0x00000134197E0000-memory.dmp

Filesize
64KB

Download
memory/4144-190-0x00000134197D0000-0x00000134197E0000-memory.dmp

Filesize
64KB

Download