52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

Analysis

max time kernel
41s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-06-2023 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XboxUpdate.exe
Size

2.4MB
MD5

9539d670b998aa46651b51d69123b909
SHA1

77c4912a7b67260c486fda2f93a3b98ecb5e7d65
SHA256

52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669
SHA512

9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa
SSDEEP

12288:j0t4Sb/JDZcAVeF8EGoBzFXe2iFi3R6I9VTnHdyFe2OAdnRC9oC5pZxsumiT:jG4GVZcXfiw8Wn9yFPxdnRC9oCr3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

tmp1C19.tmp.exeXboxUpdate.exetmp842E.tmp.exe

pid process

1156 tmp1C19.tmp.exe
848 XboxUpdate.exe
1732 tmp842E.tmp.exe
Loads dropped DLL 6 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

1840 WerFault.exe
1840 WerFault.exe
1840 WerFault.exe
1764 WerFault.exe
1764 WerFault.exe
1764 WerFault.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1840 1156 WerFault.exe tmp1C19.tmp.exe
1764 1732 WerFault.exe tmp842E.tmp.exe

pid	process
1156	tmp1C19.tmp.exe
848	XboxUpdate.exe
1732	tmp842E.tmp.exe

pid	process
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe

pid	pid_target	process	target process
1840	1156	WerFault.exe	tmp1C19.tmp.exe
1764	1732	WerFault.exe	tmp842E.tmp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

XboxUpdate.exe

pid	process
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

XboxUpdate.exepowershell.exeXboxUpdate.exe

description pid process

Token: SeDebugPrivilege 316 XboxUpdate.exe
Token: SeDebugPrivilege 916 powershell.exe
Token: SeDebugPrivilege 848 XboxUpdate.exe

description	pid	process
Token: SeDebugPrivilege	316	XboxUpdate.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	848	XboxUpdate.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

XboxUpdate.exetmp1C19.tmp.exetaskeng.exeXboxUpdate.exetmp842E.tmp.exe

description	pid	process	target process
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	tmp1C19.tmp.exe
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	tmp1C19.tmp.exe
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	tmp1C19.tmp.exe
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	tmp1C19.tmp.exe
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	WerFault.exe
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	WerFault.exe
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	WerFault.exe
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	WerFault.exe
PID 316 wrote to memory of 916	316	XboxUpdate.exe	powershell.exe
PID 316 wrote to memory of 916	316	XboxUpdate.exe	powershell.exe
PID 316 wrote to memory of 916	316	XboxUpdate.exe	powershell.exe
PID 1084 wrote to memory of 848	1084	taskeng.exe	XboxUpdate.exe
PID 1084 wrote to memory of 848	1084	taskeng.exe	XboxUpdate.exe
PID 1084 wrote to memory of 848	1084	taskeng.exe	XboxUpdate.exe
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	tmp842E.tmp.exe
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	tmp842E.tmp.exe
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	tmp842E.tmp.exe
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	tmp842E.tmp.exe
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	WerFault.exe
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	WerFault.exe
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	WerFault.exe
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	WerFault.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XboxUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\XboxUpdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 96
3⤵
- Loads dropped DLL
- Program crash
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\system32\taskeng.exe
taskeng.exe {E21E3EC5-0A33-4F50-BD35-0442E8B0E259} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 96
4⤵
- Loads dropped DLL
- Program crash
PID:1764

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/316-95-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-107-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-66-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/316-69-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-67-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-71-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-73-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-79-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-77-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-75-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-85-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-83-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-81-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-87-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-89-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-91-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-97-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-64-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-93-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-99-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-101-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-103-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-105-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-62-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-109-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-111-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-113-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-115-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-121-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-119-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-117-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-1188-0x000000001ADE0000-0x000000001AE2E000-memory.dmp

Filesize
312KB

Download
memory/316-1189-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/316-1190-0x000000001B020000-0x000000001B06C000-memory.dmp

Filesize
304KB

Download
memory/316-1191-0x000000001B080000-0x000000001B0D4000-memory.dmp

Filesize
336KB

Download
memory/316-54-0x0000000000A30000-0x0000000000CA0000-memory.dmp

Filesize
2.4MB

Download
memory/316-55-0x000000001A860000-0x000000001A8E6000-memory.dmp

Filesize
536KB

Download
memory/316-1200-0x00000000020D6000-0x000000000210D000-memory.dmp

Filesize
220KB

Download
memory/316-56-0x000000001B430000-0x000000001B4D6000-memory.dmp

Filesize
664KB

Download
memory/316-57-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-58-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-60-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/848-1206-0x0000000001360000-0x00000000015D0000-memory.dmp

Filesize
2.4MB

Download
memory/916-1202-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1201-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1199-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1198-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/916-1197-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download