Analysis
max time kernel: 13s
max time network: 19s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2024, 11:41
Behavioral task behavioral1
Sample: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Resource: win10v2004-20231215-en
General
Target: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Size: 649KB
MD5: 6a55e570c9897d5bcdb2da37c4d20e0b
SHA1: 2742f1c6b4881aa16f02910ec46ea77de4b194da
SHA256: 3064890364e23210d8fa53391c004a4ad7a97d35bb20de13f12727b0a7398628
SHA512: 52b9952288476b32918fca301465f24007dc29f1818227399d7df7e78ea8d61ae0ffb02f661f8275a735ce033a099b640283fb07599013c7b76422a13a21a0be
SSDEEP: 12288:M6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhv:BAmBpVKHu0Mu9Xo20VGLVP5v
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winupdate.exe
Windows security bypass 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
2784 | attrib.exe
2788 | attrib.exe
Executes dropped EXE 1 IoCs
pid | Process
2852 | winupdate.exe
Loads dropped DLL 4 IoCs
pid | Process
1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe
2852 | winupdate.exe
2852 | winupdate.exe
2852 | winupdate.exe
Windows security modification 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winupdate.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2568 | PING.EXE
Suspicious use of AdjustPrivilegeToken 46 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 2852 | winupdate.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2852 winupdate.exe -
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target | occurrences
PID 1648 wrote to memory of 1996 | 1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe | 28 | 4
PID 1648 wrote to memory of 2680 | 1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe | 30 | 4
PID 1996 wrote to memory of 2784 | 1996 | cmd.exe | 32 | 4
PID 2680 wrote to memory of 2788 | 2680 | cmd.exe | 33 | 4
PID 1648 wrote to memory of 2852 | 1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe | 34 | 7
PID 1648 wrote to memory of 2800 | 1648 | 6a55e570c9897d5bcdb2da37c4d20e0b.exe | 35 | 4
PID 2800 wrote to memory of 2568 | 2800 | cmd.exe | 37 | 4
System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | winupdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | winupdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | winupdate.exe
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
2784 | attrib.exe
2788 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe  "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe"  (level 1, PID 1648)
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe" +s +h  (level 2, PID 1996)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe  attrib "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe" +s +h  (level 3, PID 2784)
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h  (level 2, PID 2680)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe  attrib "C:\Users\Admin\AppData\Local\Temp" +s +h  (level 3, PID 2788)
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windupdt\winupdate.exe  "C:\Windupdt\winupdate.exe"  (level 2, PID 2852)
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
  C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe"  (level 2, PID 2800)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE  ping 127.0.0.1 -n 5  (level 3, PID 2568)
      - Runs ping.exe
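The registry rows and command lines above are the kind of evidence that can be turned into reusable triage rules. The following Python is an added example written for this page, not the sandbox's own code. The event dicts are a constructed, simplified model of the report's rows (field names such as key, name, value and cmdline are assumptions, not the sandbox's native schema), the rule names and path heuristics are the editor's choices, and the ATT&CK IDs are the editor's mapping (the page itself files the wscsvc change under Windows Service; it is mapped here to Impair Defenses).

```python
"""Triage rules for the persistence and defence-evasion IoCs in this report.

Added example (not the sandbox's code). Events are a constructed, simplified
model of the report rows; the field names 'type', 'process', 'key', 'name',
'value' and 'cmdline' are assumptions, not the sandbox's native schema.
"""
import re
from dataclasses import dataclass

# Stock Winlogon UserInit value on a clean system (a trailing comma is normal).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# Autostart targets under these roots are treated as expected; anything else is flagged.
TRUSTED_AUTOSTART_ROOTS = (r"c:\program files", r"c:\windows")
# "ping 127.0.0.1 -n N > NUL & del <dropper>": loopback ping as a sleep, then self-delete.
PING_DELAY_DELETE = re.compile(r"\bping\b[^&|]*127\.0\.0\.1[^&|]*(?:&&|&)\s*del\b", re.I)
# attrib ... +s +h in either order: marks the file/dir system+hidden.
ATTRIB_HIDE = re.compile(r"\battrib\b(?=.*\+h)(?=.*\+s)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique ID (editor's mapping)
    process: str
    detail: str


def check_registry(ev):
    """Rules over one 'Set value' row: key path, value name, data, writing process."""
    key, name, val, proc = ev["key"].lower(), ev["name"].lower(), str(ev["value"]), ev["process"]
    out = []
    if key.endswith(r"\winlogon") and name == "userinit":
        # Every comma-separated entry besides userinit.exe is launched at each logon.
        entries = [e.strip().lower() for e in val.split(",") if e.strip()]
        extra = [e for e in entries if e != DEFAULT_USERINIT]
        if extra:
            out.append(Finding("winlogon_userinit", "T1547.004", proc, ";".join(extra)))
    if r"\services\wscsvc" in key and name == "start" and val == "4":
        out.append(Finding("security_center_disabled", "T1562.001", proc, "wscsvc Start=4 (disabled)"))
    if r"\security center" in key and name.endswith("disablenotify") and val == "1":
        out.append(Finding("security_center_notify_suppressed", "T1562.001", proc, ev["name"]))
    if r"\currentversion\run" in key:  # also matches RunOnce
        target = val.strip('"').lower()
        if not target.startswith(TRUSTED_AUTOSTART_ROOTS):
            out.append(Finding("run_key_unusual_path", "T1547.001", proc, f"{ev['name']} -> {val}"))
    if "\\policies\\" in key and name.startswith("no") and val == "1":
        out.append(Finding("explorer_policy_restriction", "T1112", proc, f"{ev['name']} under {ev['key']}"))
    return out


def check_commandline(ev):
    """Rules over one process command line."""
    cmd, proc, out = ev["cmdline"], ev["process"], []
    if PING_DELAY_DELETE.search(cmd):
        out.append(Finding("ping_delay_self_delete", "T1070.004", proc, cmd))
    if ATTRIB_HIDE.search(cmd):
        out.append(Finding("attrib_hide_system", "T1564.001", proc, cmd))
    return out


def triage(events):
    out = []
    for ev in events:
        if ev["type"] == "registry":
            out.extend(check_registry(ev))
        elif ev["type"] == "process":
            out.extend(check_commandline(ev))
    return out


def summarize(findings):
    """Process name -> sorted list of distinct ATT&CK IDs it triggered."""
    by_proc = {}
    for f in findings:
        by_proc.setdefault(f.process, set()).add(f.technique)
    return {p: sorted(t) for p, t in by_proc.items()}


def _reg(proc, key, name, value):
    return {"type": "registry", "process": proc, "key": key, "name": name, "value": value}


def _cmd(proc, cmdline):
    return {"type": "process", "process": proc, "cmdline": cmdline}


DROPPER = "6a55e570c9897d5bcdb2da37c4d20e0b.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Constructed from the report's rows, plus one benign control row (stock UserInit) at the end.
SAMPLE_EVENTS = [
    _reg(DROPPER, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
         r"C:\Windows\system32\userinit.exe,C:\Windupdt\winupdate.exe"),
    _reg("winupdate.exe", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc", "Start", "4"),
    _reg("winupdate.exe", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "AntiVirusDisableNotify", "1"),
    _reg("winupdate.exe", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center", "UpdatesDisableNotify", "1"),
    _reg(DROPPER, r"\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run",
         "winupdater", r"C:\Windupdt\winupdate.exe"),
    _reg("winupdate.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern",
         "NoControlPanel", "1"),
    _cmd("cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /k attrib "{TEMP}\\{DROPPER}" +s +h'),
    _cmd("cmd.exe", f'"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "{TEMP}\\{DROPPER}"'),
    _cmd("PING.EXE", "ping 127.0.0.1 -n 5"),
    _reg("setup.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "UserInit",
         r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.rule:<34} {f.process}: {f.detail}")
    print(summarize(SAMPLE_EVENTS and triage(SAMPLE_EVENTS)))
```

On the report's rows this yields eight findings across three processes and nothing for PING.EXE or the benign control. Two caveats worth carrying into real rules: the UserInit check compares every comma-separated entry against the stock value, so a customised but legitimate image will fire and needs an allowlist; and the policy row written by winupdate.exe goes under Policies\CurrentVersion\Explorern, which is not the path Explorer reads (the honoured key is Policies\Explorer), so NoControlPanel has no effect on the victim but is still a usable indicator, which is why the rule keys on the Policies prefix rather than the exact path.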
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Downloads
Filesize: 649KB
MD5: 6a55e570c9897d5bcdb2da37c4d20e0b
SHA1: 2742f1c6b4881aa16f02910ec46ea77de4b194da
SHA256: 3064890364e23210d8fa53391c004a4ad7a97d35bb20de13f12727b0a7398628
SHA512: 52b9952288476b32918fca301465f24007dc29f1818227399d7df7e78ea8d61ae0ffb02f661f8275a735ce033a099b640283fb07599013c7b76422a13a21a0be