d972e967b79e3a5eaac3f2670c3022cfc85fdae953661093159866129fc36b31

Analysis

max time kernel
30s
max time network
78s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows10Upgrade9252.exe
Size

6.0MB
MD5

7da0f1dd7b0e8e883568b42f5184cbec
SHA1

fb9ec929827606da12fb3d7594be1837577a5993
SHA256

d972e967b79e3a5eaac3f2670c3022cfc85fdae953661093159866129fc36b31
SHA512

c8b8d4922754a1d1d54b2d03dd00daace8e3ef3bc593b7910f180f7d9e1cd976da5fb73c8bf8cd3cc91f27c6996e936feee29b9300c0d5360c76b0e5ab15efe3
SSDEEP

98304:9vGPYCQkTuGpNF4/E0bGz+KkfUHFJ3codBd9V0TomHzAzYkhxph7vH3Ckht5fDCK:9+PYC9qGp/4MmGz+K6QD9dBd9VKomkzb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
892	Windows10UpgraderApp.exe

Loads dropped DLL 6 IoCs

pid	Process
2016	Windows10Upgrade9252.exe
2016	Windows10Upgrade9252.exe
2016	Windows10Upgrade9252.exe
2016	Windows10Upgrade9252.exe
2016	Windows10Upgrade9252.exe
892	Windows10UpgraderApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Internet Explorer\International\CpMRU	Windows10UpgraderApp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE
Token: 33	1056	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1056	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
892	Windows10UpgraderApp.exe
892	Windows10UpgraderApp.exe
892	Windows10UpgraderApp.exe
892	Windows10UpgraderApp.exe
892	Windows10UpgraderApp.exe
892	Windows10UpgraderApp.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28
PID 2016 wrote to memory of 892	2016	Windows10Upgrade9252.exe	28

C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe
"C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows10Upgrade\Windows10UpgraderApp.exe
  "C:\Windows10Upgrade\Windows10UpgraderApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3396.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\2052\DWINTL20.DLL

Filesize
109KB

MD5
6ecb02e195cf345d72ff5eb73d250ec3

SHA1
2c5a797c406fa29bd19cecf6ea94abb8a11a1f10

SHA256
41a35d57a1ae29ae41a5150208363f7346d302ede90b3d0039e38a3d402c83b3

SHA512
f69372428d5a472d857317b72b90526fd40d7b53fe9070f34d3a5d870e8ffcbd69646ae2a38288a9672d397f6c393e0ddf906fdb596b8a46f8a82b0f68b3b15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\i386\BiosBlocks.xml

Filesize
89KB

MD5
016caf04ffc6c87ddac9e1c43b161ef4

SHA1
e8bcbe431c5b9c0ff5da08c55f103166072cb8ce

SHA256
46d77b5101ca947d1ddd4d1dd727bfec6db65cb2d84ccb8817426aa5bf949bc4

SHA512
38085d057a0f988da5a2b33b31675339e9ee7e335bfe0cacca0b1f0209231de0deae931e38c28df15e698e7871d57ec11c74dfa9680c705dd91d245027584b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\i386\nxquery.inf

Filesize
1KB

MD5
ae8053b0e0ed71b40da08ec58a9fd95a

SHA1
9ca4b71eae874fb37554d7c8898722160b2eb183

SHA256
563dc06f3f4a15860c2107181f6660aeff256b587748b6ce9df72c3ae1118d04

SHA512
5042ba84216bb312dbb91f9cc1be4e376105fa1a608a4b99cd7495afb7088243dcc701944da48751416a290c37ff71a153cbd2561fb2bff04bb5361e5c335dc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\EULA\EULA_en-us.htm

Filesize
57KB

MD5
7c109a8b0471d8e9e30cc79e6cb5924e

SHA1
f29901be4eadee321d2054a95b95cc6bb0d8d05f

SHA256
4d57b34f6a5b7f54222a4660985dfbd0085aec044d304c33d3f45bd51a5a4b38

SHA512
55fe987593b5536b0aad4f0d2e762464a76e1102e42b5cc1c86e0324158dd15f93125bff756243d4c511395bf1f5762c81c35940d59cea0dff84215560044e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\EULA\EULA_es-mx.htm

Filesize
68KB

MD5
0c51b01fbe3482e4b45971f0d3aeb50b

SHA1
4b747adbce3c297eaec01ad9978fd274bacba9ba

SHA256
2e1db75000aac4df4765a74d3f763e3b1e2ccfb7f2ff04894899de735fda459e

SHA512
ed8ee1dbf1bc6a801fdcd32ad61ec9b558b192cd519d2b10550c600dcf9a8107ce5f908ccf3f175314d33cc065fa9046fe212504c6252e2d6b526458b370a7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\EULA\EULA_fr-fr.htm

Filesize
67KB

MD5
d01ab717aeda0f9ce5d71797e08dfb47

SHA1
535196ade3ada94262020612fea2442701e6c78a

SHA256
0fdcb589ffe9926017123e53f5d453aac8df8d222901d25efa30b7d027c944bd

SHA512
957b26b79bfd28094060365ae42b46e6937d063c4bff34c2781938ba6b434f5af7182accbb00860b167b236ac4bf0e3ebcc4cebad5aa7fa8a431239319ef622e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\EULA\EULA_zh-tw.htm

Filesize
143KB

MD5
5a48a6e0569768bf3e27ea2afb7c5c93

SHA1
3cd66bc29ff79b79fddc41afc1be92efc7203ab7

SHA256
0e8d3db5a662ed19d4dafce5bca4ef399a637c705e226718e3804f9664a1deb9

SHA512
f0a622baad0e30c66ac3422c49aa7074654cb6c246ecd7d69d5a8c198bd55e9bccd4cc2f89a9adf5b5f485892dbad2cbb97d15dc4a110b37b5fdb09a00fd505d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css

Filesize
40KB

MD5
415d4bb726c52bd91be8f3afd81e50cc

SHA1
9732e1e6aeb13a6f180b21bb5bd8a4acf7d96dbd

SHA256
c6dd0940a263382fb735f1cdc8550234f9c081625bfe2e5363cb8bb65cc06440

SHA512
c7a8b805027906d8b67d50773a7e362f2e87d3af61b23fab33aec929e21f42610a35f857ede9a17772c5f2b42c1382f8daf7240b76f3996aa65988a87c367847

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXUFD72.tmp\resources\ux\default_tens.htm

Filesize
57KB

MD5
63a4229ad01dbd6226ed35ec402f33ec

SHA1
6c905a00856737fb53ccac3febe5716668b65960

SHA256
0cc9b5da1f665df4758b81878f0fe32c69d5566665958cd6b0a6e11ab68ee879

SHA512
01d1cdfbb9f537062944a4edcd43a9286c161f9cc9ba75505e7617f58317590f4fbd2717f0589db73c83e04301baf8df8a149aa4ba359c71dca764c52dea0312

Download Submit
C:\Windows10Upgrade\Configuration.ini

Filesize
27B

MD5
ca22263c7a6f965df18f5c601f5db7ce

SHA1
e4b1a401ed497523a583ae8613646b03778a33a6

SHA256
299fa3043627954c524b6171c26fcc3513790310aa2561e6f012eff15254381c

SHA512
3cd39b438f7cb34b38f32240b1ba6a5010f49e12123db770460cf74217bc6946e2032355376c203b68863ee85596d21aa7b2d77c94da48a54def111d147311f8

Download Submit
C:\Windows10Upgrade\Downloader.dll

Filesize
207KB

MD5
1326de2d29a53697c0ae274b05a90f69

SHA1
ebad0bb520631339f2a213da626527d452e4e1fc

SHA256
9e70d0bda80b060213d2c5d255d6b98016657d67f065bfd85042143a1171cc71

SHA512
ec0e1c9c48480b98206796865b6dc9583468fee9eb5dfa92e1648c4fb732f4996743108719e4e501372ebbfc090f2401501dcbca821c9d509b4303539fe02425

Download Submit
C:\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
C:\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
C:\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
C:\Windows10Upgrade\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Windows10Upgrade\resources\ux\EULA\EULA_en-us.htm

Filesize
57KB

MD5
7c109a8b0471d8e9e30cc79e6cb5924e

SHA1
f29901be4eadee321d2054a95b95cc6bb0d8d05f

SHA256
4d57b34f6a5b7f54222a4660985dfbd0085aec044d304c33d3f45bd51a5a4b38

SHA512
55fe987593b5536b0aad4f0d2e762464a76e1102e42b5cc1c86e0324158dd15f93125bff756243d4c511395bf1f5762c81c35940d59cea0dff84215560044e0d

Download Submit
C:\Windows10Upgrade\resources\ux\bullet.png

Filesize
221B

MD5
baaa93b2584336c8e2fd561ccaab5391

SHA1
0523f0a835781e2f499f166d405bcdaf48c89a3a

SHA256
d548b0a3da3f8aa61aa880b2af3ba7997304253d763de1b8b1e3906b9adb5363

SHA512
7ca20ee57a778ed02a1771a9b622aa7b0859cee55036ec323e00e0ab1f6be4defad45bd48aab62f54645fa13c3d49b30fd68c0318e3d83465b42e20d05f6c391

Download Submit
C:\Windows10Upgrade\resources\ux\default.css

Filesize
5KB

MD5
75dc1deb03880b98eea8c7aaa0290c48

SHA1
37e8ff2edb6a606c8455f2cef8d34e87c4ce22e0

SHA256
e5d182eb14246c3551bec763bfea90aaacb1338c3a41316502d4204eead79900

SHA512
09e2554785bf6494f64f6e0fe01ef048d8ed7ff9a6d88e9c490fb6815f934bb677880e8176b9131e037133840f96f157be7d226907fdc37142e7eee3f0f61125

Download Submit
C:\Windows10Upgrade\resources\ux\default.htm

Filesize
60KB

MD5
c2ae355a35fa5b9a521f47258a96275f

SHA1
f462df90222f164831345dd371fa5a60e16ebdcb

SHA256
702ce5c74e48ceebe13fe074df8f98a4ed6198a593b1fbaaa13fe726581f5fd7

SHA512
737cf240b4ea31e5c9b3788c3e7fc7b18a4efa902a5f0eb69237e5482b7ec336eb8cc1ae631ed54ae99bf4f34e2f1abb7188d089ea37bb22dd7541d79924aa45

Download Submit
C:\Windows10Upgrade\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Windows10Upgrade\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Windows10Upgrade\resources\ux\marketing.png

Filesize
493B

MD5
1c53c2d567ba6050d9a23d86cfba84cc

SHA1
3bc38656cadf574c377ec39733ebce9e8de75138

SHA256
81f5372b0875476184f7c4d04eb4c805706e41bd979a9acd1f1d55105e17e530

SHA512
3ed2dd645af7d3bd0026a253ac2c5a0503b04f88629012dd479d8068a8e6c07a916350f8ce54c0e21faf97b27a9e607eafe86edd28976b168914e3379bf272df

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
\Windows10Upgrade\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
895aca91dfc5e44feb233039d52aaea4

SHA1
5b6455fa89344bddb68180fadf2fff4ba484383d

SHA256
7a269ee93427bb9cf8f0059140958d6cdc0eeafcff92cff35f7fef753fd06075

SHA512
eeaf389e144403439ba5271816bba2cc98b5653f9ff1ce1bf82b0f0c26853bd8d3f1690c86bd20aa3205278e10007103f73ce767f0154c0a410a9ceba561bb01

Download Submit
\Windows10Upgrade\downloader.dll

Filesize
207KB

MD5
1326de2d29a53697c0ae274b05a90f69

SHA1
ebad0bb520631339f2a213da626527d452e4e1fc

SHA256
9e70d0bda80b060213d2c5d255d6b98016657d67f065bfd85042143a1171cc71

SHA512
ec0e1c9c48480b98206796865b6dc9583468fee9eb5dfa92e1648c4fb732f4996743108719e4e501372ebbfc090f2401501dcbca821c9d509b4303539fe02425

Download Submit