3dc3ab0add514e0f2780a7d40b310d373fb84087060e16dcf1004f9e2b84de7c

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsupdateagent30-x86.exe
Size

5.9MB
MD5

dfdac865158c06068cc4f529e06eae19
SHA1

7413ab7a79be2286f8ff03a24fd353a0455bc81e
SHA256

3dc3ab0add514e0f2780a7d40b310d373fb84087060e16dcf1004f9e2b84de7c
SHA512

836ef54fffe73814730d9402683653d36dc005535b2af8bbd48adaa970f862b2064330981b2848b7e09be21fe9be853fa5590d46e0ef99cbd85f21346a2c9188
SSDEEP

98304:9SGsC0ReCbRU5wwWNUieSDDUwJ35dUgq6nr700jezucEZ8ZAy9ngTcR3pf6L:936eCGwwWNd5DDUwjdUhoHe9EZ8ZfgiE

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2068	wusetup.exe

Loads dropped DLL 3 IoCs

pid	Process
2844	windowsupdateagent30-x86.exe
2068	wusetup.exe
2068	wusetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WindowsUpdate.log	wusetup.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe
Token: SeRestorePrivilege	2068	wusetup.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28
PID 2844 wrote to memory of 2068	2844	windowsupdateagent30-x86.exe	28

C:\Users\Admin\AppData\Local\Temp\windowsupdateagent30-x86.exe
"C:\Users\Admin\AppData\Local\Temp\windowsupdateagent30-x86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844
- \??\c:\9125efcdfa002f835780\wusetup.exe
  c:\9125efcdfa002f835780\wusetup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\9125efcdfa002f835780\el\wuau.adm

Filesize
61KB

MD5
8712c5232744ee36880368ea2387e34a

SHA1
a9b39b06047b72e21a3158b10c59351e8348ba48

SHA256
3a26e270e254be6c1bf7fb82cc1bc91f47f065d57bd3384304d98e6b15f76474

SHA512
f958d2315b2d9566751e11dd038457b570a9905515832f50d9277f2b1306ce37cd4c4b088fb8ea8c0d16e5d4a1bc558ef92f32aba20e123e657404a048d64707

Download Submit
C:\9125efcdfa002f835780\wusetup.exe

Filesize
155KB

MD5
1549e7d3e8beb993d37fa3719b8ba251

SHA1
ec60e15729a886774bf87e8280c8a70e1379ab86

SHA256
c8836005775f8ea08829f0ad29c77daa6f6997142c6dfb1a4971b9e9d24a403e

SHA512
98f13af3e15357533713aebc178ce41c93098eaa4d3e73b9345059318a86b9bbb485a2569f9d310a566b6aea4cb33e0186f0af4382dc1ca1937b39c85690154d

Download Submit
C:\Windows\WindowsUpdate.log

Filesize
17KB

MD5
a9c0f93add2cf25e51b1713783858f6f

SHA1
6cdffe827f4872e35c6f63cfc9bcb3afec9d05fc

SHA256
438fb91df76d651d041cc355bd7120622f241b46a3fb317214013f1eb97ea77f

SHA512
695d3adec357d5681655ff23a2e21bb564a5179259a1ab3fb3f479ed4fc14da58464aa64700b910b4bbe91feb19c2330da162b7b49ad6af878516083e03d1211

Download Submit
\??\c:\9125efcdfa002f835780\en\wusetup.exe.mui

Filesize
7KB

MD5
0a5fee37fb777365a3e3284256e7fdee

SHA1
7566c3f195b23fb7ff524a399e94d7f07b932006

SHA256
9aae1f2586c656d0ed41cf1f328006841d9bfe4daa15f5e0c30832d65f1996c9

SHA512
25ccea934beef3bda2969b47234e0bb0fee71e2c70f1c0b36172579630fd3a06719fb64df89156b37e0e1b22db84dc8d02f48068d714bb9a2027d548d141737c

Download Submit
\??\c:\9125efcdfa002f835780\wusetup.inf

Filesize
12KB

MD5
d81050eec9780aba3aef3cb41b0745f6

SHA1
9f13e9a94e5fff63fc6c5ae9a518d1f3ae57665b

SHA256
a7191a0f0c09e838e7a5ae288ab063d12bfd494862754f6482f0fa1c91f95cce

SHA512
5eec531b3e941181b712f29eaadfcf79d4f81edffeb74f60d21557cf361ede06361d968566ef1da047defcbb68015e3fa7a1a32035180d195304f4637b096735

Download Submit