213c5a44d670444ce221cfd2ea5af858b98dfae93196babee0640a687155e128

Analysis

max time kernel
175s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fe6c77ff048ea00556bc134fec64922.exe
Size

528KB
MD5

0fe6c77ff048ea00556bc134fec64922
SHA1

8c3f67d5690972af67767280275b0a77672e7ef7
SHA256

213c5a44d670444ce221cfd2ea5af858b98dfae93196babee0640a687155e128
SHA512

ea71a3539edc55e5955ea414dcd0469a6b11ed00d8c97f1e7b8dc9867a2343c34b4b4db97abe04a4a554fe0036bd4df1bd58877c2d73eb9faaf61d306e3d5444
SSDEEP

12288:vk73FAXZG5KuVWxCqKwYHjdy9/VtiVh7J5r:M7VAXZGouYx1KwYDdG/iVh7J5r

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2184	winupdate.exe
1408	winupdate.exe
2908	winupdate.exe
1784	winupdate.exe
1520	winupdate.exe
2388	winupdate.exe

Loads dropped DLL 24 IoCs

pid	Process
2700	0fe6c77ff048ea00556bc134fec64922.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
2388	winupdate.exe
2388	winupdate.exe
2388	winupdate.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	0fe6c77ff048ea00556bc134fec64922.exe
File opened for modification	C:\Windows\SysWOW64\winupdate.exe	0fe6c77ff048ea00556bc134fec64922.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\winupdate.exe	winupdate.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2700	0fe6c77ff048ea00556bc134fec64922.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
2184	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
1408	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
2908	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1784	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe
1520	winupdate.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2700 wrote to memory of 2184	2700	0fe6c77ff048ea00556bc134fec64922.exe	29
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 2184 wrote to memory of 1408	2184	winupdate.exe	30
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 1408 wrote to memory of 2908	1408	winupdate.exe	31
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 2908 wrote to memory of 1784	2908	winupdate.exe	32
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1784 wrote to memory of 1520	1784	winupdate.exe	33
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34
PID 1520 wrote to memory of 2388	1520	winupdate.exe	34

C:\Users\Admin\AppData\Local\Temp\0fe6c77ff048ea00556bc134fec64922.exe
"C:\Users\Admin\AppData\Local\Temp\0fe6c77ff048ea00556bc134fec64922.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\winupdate.exe
  C:\Windows\system32\winupdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\winupdate.exe
    C:\Windows\system32\winupdate.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\SysWOW64\winupdate.exe
      C:\Windows\system32\winupdate.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\winupdate.exe
        
        C:\Windows\system32\winupdate.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\SysWOW64\winupdate.exe
        
        C:\Windows\system32\winupdate.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\SysWOW64\winupdate.exe
        
        C:\Windows\system32\winupdate.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winupdate.exe

Filesize
7KB

MD5
48babb5c9cdd65504f67bac743fa8e26

SHA1
dcaddb9eece276ad56b134c7c5419a84675090b9

SHA256
8289882651414c0fd540a5bc10b28ced861fe7371a463db7439950a6f9a0168b

SHA512
57a98265523d43c89b4d0775bfffbda5e73db5dc5b0c0487c5703c669026e5b4b3e6a0ea905dfb5548d178bb62658f5578b7065c793bbbef894fa1eaccd9838c

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
1KB

MD5
2fc8d1464bfb1f79b06987eb2e618b6f

SHA1
04570f0d23090b3a4f61c1bdcf83b26093c48a4f

SHA256
e6ce43f70573f99e42c8d94f1b344532fa128a2b1dba27eeecb18fcde0eab3a9

SHA512
f507bcbfe23d914d12f66f8aaa2da298fb0a465a73492375e8a1b2476dff03279e3fccf7b35c00fdcf3542e300415f89500fa9c4de8406f41769fd1077da6713

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
47KB

MD5
53c89c7f3280c251a17c2e9c8a8d987d

SHA1
a9026a09a540556a0ac5467953f2573887b78c6a

SHA256
537fce7def5b560df32779052840f37e9137bff5bc474c4a9be0d54c1e7db790

SHA512
f00e8720dc3aa251242fc4a4617d1f15abc04faff90c2a586b33f19b206ca13e445b22ae423e8c2ef8f044cba08fde5c7b2657fe8b85fd56bc5f8b7bf186a2b2

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
10KB

MD5
e9a7b403d6ebd87a96f4e4770c3ebdbf

SHA1
a7c37e2b4440153fd4db3565016f3bf1ae20d044

SHA256
dbb59d12e9a7e28284426a6c14d1362fd0ea46d955c1e6a59b2726855c4f9e9c

SHA512
ce7496eecee8847d35d8a0f78ab232a59780bebf4418b98a00402af1a171487a315a23803153330cc91bf7d48e333e6f316bc2712c2d466a90ead2b7dd9e37af

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
36KB

MD5
0398be45be0eed9798c4746e41d8a68a

SHA1
4e7f81b1e7e3a812d7a3459b4b30ff07af7e2fb4

SHA256
4e9cc915a05618a35389e7152a1d022908afcd023bef745d59958b23d36deef7

SHA512
e7e97544c727ae9e977807ff71abcf2b606397c3154f07717f1a719d2547cd114f703be8d8345973f581525528ac9d186dc0cb96c60180e2fbf4d1caeb7f44dc

Download Submit
C:\Windows\SysWOW64\winupdate.exe

Filesize
26KB

MD5
d6ead08d05ef6fa916a6211e16227d59

SHA1
7f4add17a53315a1359c14b6628173e8e79d0661

SHA256
8b2e7a232747324da528eaaa2e80d08ca32738aeaec09de95bdb596f45fc3460

SHA512
d6030583a81a383eb37ab958a5e96892d41a7e54f14f80812c0a3138bd855628e2aafed4beb2254ff8ce3c28494fb1af641092891385c8fceff32b1fec0e47d7

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
6KB

MD5
49862357963a519f33bfe85df6584ed9

SHA1
3767034e2efab1702151a13db4e84b1311b1547f

SHA256
303c2381e778c07469eaa2a40d305071dd41a9252946ccd9eb61d284b9d7038b

SHA512
36e2e6d6c03f64dc009eb521af737b5cf85deeb18fba375001f579d565c58073c72cf023d1a12cf2eb6041df314fd2d37b6f671787e7906dc6c5778203a2e4da

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
27KB

MD5
53b27e9ed2a443884867139d5e5ac894

SHA1
d81faccba3c739670bf485d20a1e4e1f5d39806f

SHA256
caa38d4b37e1a045d4e52bc7aa50d330894258da295987a87e191ff4df498753

SHA512
66d41da3bae969678fe1a305c200226aa39430b540f6c15345cf697dcfda9bb5a901f39a7711c685cb0ce1ce4f9e834597afbc2daafcdf5eeb32e52d589c6270

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
12KB

MD5
63ba4eb75974f2790f77bc7e746b740b

SHA1
a8398dce696bf550565e703eea9e990d5e1d9b0f

SHA256
5ca437a0261b26970999c3ff053c1df2c1221af9c2bd8057867279e5e8df562a

SHA512
09ced35b69db0d08b40454789bb3754613c902702a0e907526acaf57c813db6bb0dcbb6c8086f6a1d998aa0ce2cfff95a53ff003d1a546d528ee559c573f3f4a

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
6KB

MD5
93c6d1cbf44dbdad87fe8af077c25332

SHA1
ad429435c5502e0e795fe8ee9e9d55dca44e9781

SHA256
8745fdf2cf7e7ecb3558ed966560ef608a7adb24a0c189b5509874423603df14

SHA512
4fec7e42e2dcabecbc5cfbb0b0a4f3800962e1a703d1780494844c33558602f2f0a3046400bed28fdda51b2640e9bca0025c43f447c4809ce32f6bc2748860bb

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
15KB

MD5
e66a631ba8c5af70860888c2366313e7

SHA1
310dba00b0e0dad452835b211c165c79b1e35097

SHA256
575a165d1b7d9540f5dabf3eb82633c224537b46819ed1a5cbe4e4690a7be84b

SHA512
8ed2977ca96fe8d30d78234c46ce7de7107d19a06277f46743ffe3c1b9396e609eb0b75da20555eab25239322a243c8558f66f37bb946d76c7335b74446274ae

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
33KB

MD5
7c0d64158f297035b6654d68b4fa82a9

SHA1
c6673c19c79a57d044b562ffc5f6ad4ac113e16b

SHA256
124b7e3c62ca6a362bd1f4e70266ddd073db6b8cbfca2ae649438f7a29f31803

SHA512
e574e4667b242af5efbc87e16d0a489b263d9c3323ca7a4d6b2bc50c1a7c7e35aa54439ee84d885fbdce57c27da9657011787aee5e4dbd9a4175b06c342f50fc

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
92KB

MD5
e96868f3606c86a387d7fa4c53ed7849

SHA1
dad036fdc725caee8ca6f2f7450720797ef758b3

SHA256
387682527ec14cfdb05c0745f2975eca73ad59dbb128fcf73d60061c107fb874

SHA512
efb1137c97254de9118b641cd5b6237b7be8f96bee878403fca1dff9f63afae8e1d9effbf275efdc2bc8c8e72f362cec6621c6b1a33be0c9eab21598781ebcd1

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
32KB

MD5
bf9f5c2b43bea03e712edb8d0a048c8f

SHA1
a1621e188962f5d2add544ab06fed3555f6c6112

SHA256
252730ae9a0d279aeb3482148cf60f2dcc0c36da3c962b25f540944661addd9e

SHA512
e16b1132ec23d4316a656c7ff5dfbc5a45fa2b14042b2ef2a0446c23ba64ec63b9f502bf60c053b59690ad8f04439659187ade3d9472afa0f450ec048c75b49d

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
14KB

MD5
eb42cf7c287886631b5a49e688d2b4ce

SHA1
737dbee35f9cff7aa7fa9f844a947111ed12f2d4

SHA256
31f9f6cec8bed94e4779d1e07da8371388a1dcd7eb49dd49296be8b3643c8c80

SHA512
6d156b430228c7a26b4b05fcef4e55dd4e65fa1962f02a503a00178ab52eef77a2706a50b91e56aaf64ee4ef401a576be490b4ce9f1e103b30ff69f614f51994

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
9KB

MD5
95acf70168892d25463a7d205cb58b46

SHA1
b0201badf2144d283f8a8eb0d90665d2c34776b1

SHA256
1da5f5aec61efb6530cbb209cb76010e51415b71ea33f43c8aa6d10984b14316

SHA512
15e02b2eb4a2c619576df6cc97607e19853a27411efb466b3a1fc50fd88f0a431471f6407e68f0a564be7e1b5dda44b1c9c20ee4d41ee660a0ce706d284d8ab0

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
17KB

MD5
9c41ccdc48a1c83263969e3d6b5645cf

SHA1
ce6806bd75aee50a815e58c72ffcef06b6d7988b

SHA256
a75316602d90df780d6d12c254e41a1c1a2c3a3aac309256c0a3302cbf867610

SHA512
1b54b295aec87cf6999cab9def63ee2f665add33c90c7431a557238a7c2577ce7fe8914aebeab918e84e2b9b549fb4f9fe9e4ccd3b46254e86d7899f02362aad

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
45KB

MD5
c6f77efc82c3433600fa671bb65ac428

SHA1
3a963c3d6b990fd1ab5b0476aa3f544fb7ce8ff9

SHA256
e661c91ab29e8950a86c833231108eeeaf8b659b5da661fad6c481340dafec8d

SHA512
0b40472cb05caa78db250d17f6e3a026b9b806bc7095a86647eff0263e5a34ffac8d2c06ada2bcdb769c70c4319362d5ca24f90206c4a997d7827b4b12dc67ff

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
73KB

MD5
ea04ae48d22cada6e607f3767c710d6e

SHA1
36c31e96587b6d0e3a74e08de4d207ab7dcb24e5

SHA256
fa878930b8160c581553889e2fae00203bd0e52f2f6d76115b690e94a1182858

SHA512
93858c7e6a1d4a0b33785108a9a51205c1b4cc5f1ca5261857720aed918aa4ae597b2b91fcc5b3fa090e49504bf5e93afc06a328221d8bb776783e1c0f5814f3

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
113KB

MD5
d5cfb62d499ba2cafb49a70e2ce478f0

SHA1
9ff2563b35e718e03f106f00b7cd1496163cb4a3

SHA256
5dfe29364729d7847390dec2dbf802a3921f275711decbe761ab47ba60cc47c3

SHA512
aa3ffa6f205822cb8f691bbd7731f641c3c45fea807c6c17af1d576268ed2d454d763a49afb9b7804943d0a97c0567ef29cf7c4044fc6ae8cbc5119b8329e7c2

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
49KB

MD5
c9f78946e67c748b75f8067b68ffceaf

SHA1
f88e25058ddc7bc39f3b7dc9e80ad55f3eb8fc63

SHA256
8e66d75bbf02fa87a2bdc10caf9d1923783446d8ceade1734c5c8ea54e341ecd

SHA512
64888bdfe3cc0051038d8b6985061c6ea3d7f0a9384139ac82f73dc3b56241e99c370839c7de8cda486e851ff0bcb1c22dddf3df35054f7d21cb2aa4f88e2985

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
22KB

MD5
2af293a88dd926470cdbef197d578952

SHA1
d9e6fa729a7e0b8629541d098cda1f2e6d56c85c

SHA256
19a3048bb512fc7d3af5012504da1b16b2dbac3bcc0402b3270b1c0b5fd384fb

SHA512
e69053f2b66746ede8a105fd001d45b85cea02b46ab52177a9ca1a77786537ba8339a7642cf47df26fcdbc5ddbe36b24f973db139a4fd7dc4b0bdfcec2e5eb5d

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
7KB

MD5
8880f29935c773b4b763200adc1832fb

SHA1
bfbb1f2b96395db38869b577998283587afe6421

SHA256
63d66569c464aaebddf3527ce343cfcb245dc50ea2ce61d8e5dc83e1b8ca78ca

SHA512
353ce496a6dde3eeaa93a0a4c4c3d54682fc384b1986647e816b6305ca9494254ad95b3ec642471c26e4c69b164ae6458c523b54ac30bbef90dcda6122fd7b73

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
8KB

MD5
1d177b4d772e1245e5705452cd9027ee

SHA1
c284564722bc0c282ccdff70e16998dc86c0865e

SHA256
7944f585848ff97f69efa3c7e8f2d7e15c0493d31bad46994a68cc7b53eebbb9

SHA512
aae927a53bcb28d4c40f81704de6ffb6a2c1f264fe483b5655bf30c84bc4f6a0cfcdd6918188da9fcf28aa5d174d4e19135ba3a005bf65a1712ad868a5a0ee9b

Download Submit
\Windows\SysWOW64\winupdate.exe

Filesize
14KB

MD5
0b85cc7a2413aca8e4c02a639c67bc82

SHA1
197ccf455edb44edb5a44f4f018d160f2699f036

SHA256
7f27188ae6473760e8d24c4650a39bbff3dfbb488e990e2729db818f0f841f08

SHA512
8f2145f464e7c081a2785afe994f1d96f0d9bb41d1ee7b95026bb6aae5fd57e86bd39e4537c3c3aae3d1c4e1de1e0f441afb8c72af7d31292e45ddbfea90c24b

Download Submit