52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

Analysis

max time kernel
41s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03/06/2023, 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XboxUpdate.exe
Size

2.4MB
MD5

9539d670b998aa46651b51d69123b909
SHA1

77c4912a7b67260c486fda2f93a3b98ecb5e7d65
SHA256

52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669
SHA512

9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa
SSDEEP

12288:j0t4Sb/JDZcAVeF8EGoBzFXe2iFi3R6I9VTnHdyFe2OAdnRC9oC5pZxsumiT:jG4GVZcXfiw8Wn9yFPxdnRC9oCr3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1156	tmp1C19.tmp.exe
848	XboxUpdate.exe
1732	tmp842E.tmp.exe

Loads dropped DLL 6 IoCs

pid	Process
1840	WerFault.exe
1840	WerFault.exe
1840	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe
1764	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1840	1156	WerFault.exe	28
1764	1732	WerFault.exe	36

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe
316	XboxUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	XboxUpdate.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	848	XboxUpdate.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	28
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	28
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	28
PID 316 wrote to memory of 1156	316	XboxUpdate.exe	28
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	30
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	30
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	30
PID 1156 wrote to memory of 1840	1156	tmp1C19.tmp.exe	30
PID 316 wrote to memory of 916	316	XboxUpdate.exe	32
PID 316 wrote to memory of 916	316	XboxUpdate.exe	32
PID 316 wrote to memory of 916	316	XboxUpdate.exe	32
PID 1084 wrote to memory of 848	1084	taskeng.exe	35
PID 1084 wrote to memory of 848	1084	taskeng.exe	35
PID 1084 wrote to memory of 848	1084	taskeng.exe	35
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	36
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	36
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	36
PID 848 wrote to memory of 1732	848	XboxUpdate.exe	36
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	38
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	38
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	38
PID 1732 wrote to memory of 1764	1732	tmp842E.tmp.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XboxUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\XboxUpdate.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 96
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACAAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:916

C:\Windows\system32\taskeng.exe
taskeng.exe {E21E3EC5-0A33-4F50-BD35-0442E8B0E259} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
  C:\Users\Admin\AppData\Roaming\XboxUpdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 96
      4⤵
      Loads dropped DLL
      Program crash
      PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
C:\Users\Admin\AppData\Roaming\XboxUpdate.exe

Filesize
2.4MB

MD5
9539d670b998aa46651b51d69123b909

SHA1
77c4912a7b67260c486fda2f93a3b98ecb5e7d65

SHA256
52712a99b6b73458711a3af355c6b63a45457a9590964c835e08f6da84a09669

SHA512
9352b2c5c3b7f19a9c80bd574bd376d1db67cfcb8284abbab81b43efa881591a59cb25de0ff843d54bb958a05dccd783d342316a504bf8528f5e7b2cc02ee1aa

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp1C19.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp842E.tmp.exe

Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/316-95-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-107-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-66-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/316-69-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-67-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-71-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-73-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-79-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-77-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-75-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-85-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-83-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-81-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-87-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-89-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-91-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-97-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-64-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-93-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-99-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-101-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-103-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-105-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-62-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-109-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-111-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-113-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-115-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-121-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-119-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-117-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-1188-0x000000001ADE0000-0x000000001AE2E000-memory.dmp

Filesize
312KB

Download
memory/316-1189-0x00000000020D0000-0x0000000002150000-memory.dmp

Filesize
512KB

Download
memory/316-1190-0x000000001B020000-0x000000001B06C000-memory.dmp

Filesize
304KB

Download
memory/316-1191-0x000000001B080000-0x000000001B0D4000-memory.dmp

Filesize
336KB

Download
memory/316-54-0x0000000000A30000-0x0000000000CA0000-memory.dmp

Filesize
2.4MB

Download
memory/316-55-0x000000001A860000-0x000000001A8E6000-memory.dmp

Filesize
536KB

Download
memory/316-1200-0x00000000020D6000-0x000000000210D000-memory.dmp

Filesize
220KB

Download
memory/316-56-0x000000001B430000-0x000000001B4D6000-memory.dmp

Filesize
664KB

Download
memory/316-57-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-58-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/316-60-0x000000001B430000-0x000000001B4D2000-memory.dmp

Filesize
648KB

Download
memory/848-1206-0x0000000001360000-0x00000000015D0000-memory.dmp

Filesize
2.4MB

Download
memory/916-1202-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1201-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1199-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-1198-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/916-1197-0x000000001B170000-0x000000001B452000-memory.dmp

Filesize
2.9MB

Download