Analysis
max time kernel: 144s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 22:00
Static task: static1
Behavioral task: behavioral1
Sample: 050d3585090271a412441834d89b3510.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 050d3585090271a412441834d89b3510.exe
Resource: win10v2004-20231215-en
General
Target: 050d3585090271a412441834d89b3510.exe
Size: 99KB
MD5: 050d3585090271a412441834d89b3510
SHA1: 78b499c098dd96aa3c6ebcb8625073717523fd41
SHA256: 6e56a7bf575ebd85cc5a8f3e3297215a889687ca1a66deb29ee2f2c738907c2f
SHA512: 2d5b22b4d06c71f6d7c1d7b673346c82450279ce5ef7434b7590486b9d6be0c8587527d61045b8c4ef1479cd6330218d648149e7a83d35d03adaa09fbc12d585
SSDEEP: 768:flAJ3KkHzfUZFjsS2GMYNyPKF2qGrMQbl5O3eNWx/c3iFIqNo3rtaU8UdJail1Wa:BwzfUZpPtaiR04eNWB+wNJqj1P
Malware Config
Signatures
Modifies Installed Components in the registry (2 TTPs, 2 IoCs)
description / ioc / Process:
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key (WindowsUpdata.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ActiveX Key\StubpatH = "C:\\Windows\\WindowsUpdata.exe" (WindowsUpdata.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / Process:
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (050d3585090271a412441834d89b3510.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation (WindowsUpdata.exe)

Deletes itself (1 IoCs)
pid / Process:
- 2988 WindowsUpdata.exe

Executes dropped EXE (2 IoCs)
pid / Process:
- 2988 WindowsUpdata.exe
- 5008 WindowsUpdata.exe

Drops file in Windows directory (2 IoCs)
description / ioc / Process:
- File created: C:\Windows\WindowsUpdata.exe (050d3585090271a412441834d89b3510.exe)
- File opened for modification: C:\Windows\WindowsUpdata.exe (050d3585090271a412441834d89b3510.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of FindShellTrayWindow (1 IoCs)
pid / Process:
- 5008 WindowsUpdata.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (the 64 IoCs are repeated occurrences of these three distinct entries):
- PID 1924 wrote to memory of 2988 / 1924 / 050d3585090271a412441834d89b3510.exe / 22
- PID 2988 wrote to memory of 5008 / 2988 / WindowsUpdata.exe / 20
- PID 5008 wrote to memory of 3500 / 5008 / WindowsUpdata.exe / 53
Processes
C:\Users\Admin\AppData\Local\Temp\050d3585090271a412441834d89b3510.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\050d3585090271a412441834d89b3510.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1924
  C:\Windows\WindowsUpdata.exe
    Command line: "C:\Windows\WindowsUpdata.exe" "C:\Users\Admin\AppData\Local\Temp\050d3585090271a412441834d89b3510.exe"
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2988
C:\Windows\WindowsUpdata.exe
  Command line: "C:\Windows\WindowsUpdata.exe" stm
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID: 5008
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3500