Analysis
max time kernel: 22s
max time network: 164s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 11:41
Behavioral task behavioral1
Sample: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Resource: win7-20231215-en
Behavioral task behavioral2
Sample: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Resource: win10v2004-20231215-en
General
Target: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Size: 649KB
MD5: 6a55e570c9897d5bcdb2da37c4d20e0b
SHA1: 2742f1c6b4881aa16f02910ec46ea77de4b194da
SHA256: 3064890364e23210d8fa53391c004a4ad7a97d35bb20de13f12727b0a7398628
SHA512: 52b9952288476b32918fca301465f24007dc29f1818227399d7df7e78ea8d61ae0ffb02f661f8275a735ce033a099b640283fb07599013c7b76422a13a21a0be
SSDEEP: 12288:M6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhv:BAmBpVKHu0Mu9Xo20VGLVP5v
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Appends C:\Windupdt\winupdate.exe to the machine-wide Userinit list, so Winlogon launches it after userinit.exe at every interactive logon.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | Process: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Modifies security service (2 TTPs, 1 IoC)
Sets the Security Center service (wscsvc) start type to 4 (Disabled), so it no longer starts at boot.
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | Process: winupdate.exe
Windows security bypass
Suppresses Security Center notifications about antivirus and Windows Update state. The writes land under WOW6432Node because the sample is a 32-bit process running on x64.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Process: winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Process: winupdate.exe
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
PID 1332 attrib.exe
PID 5100 attrib.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Key value queried \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | Process: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Executes dropped EXE (1 IoC)
PID 2536 winupdate.exe
Windows security modification
The same two Security Center values as under "Windows security bypass" above.
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Process: winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Process: winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str) \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | Process: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Process: 6a55e570c9897d5bcdb2da37c4d20e0b.exe
Runs ping.exe (1 TTP, 1 IoC)
PID 2676 PING.EXE
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both the dropper (PID 4540, 6a55e570c9897d5bcdb2da37c4d20e0b.exe) and the dropped winupdate.exe (PID 2536) attempt to enable the same 24 privileges on their token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36.
The numeric entries are privilege LUIDs the sandbox did not resolve: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling every privilege at once says nothing about which ones are later used; whether the calls succeeded depends on the integrity level the process ran at.
Suspicious use of SetWindowsHookEx (1 IoC)
PID 2536 winupdate.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Every pair below is reported three times (three writes per process launch), and every pair is a parent writing to a child it has just started, matching the process tree below; there is no write into an unrelated process.
PID 4540 (6a55e570c9897d5bcdb2da37c4d20e0b.exe) wrote to memory of PID 3620 (cmd.exe), target 66, x3
PID 4540 (6a55e570c9897d5bcdb2da37c4d20e0b.exe) wrote to memory of PID 3692 (cmd.exe), target 65, x3
PID 3620 (cmd.exe) wrote to memory of PID 5100 (attrib.exe), target 71, x3
PID 3692 (cmd.exe) wrote to memory of PID 1332 (attrib.exe), target 70, x3
PID 4540 (6a55e570c9897d5bcdb2da37c4d20e0b.exe) wrote to memory of PID 2536 (winupdate.exe), target 77, x3
PID 4540 (6a55e570c9897d5bcdb2da37c4d20e0b.exe) wrote to memory of PID 1860 (cmd.exe), target 80, x3
PID 1860 (cmd.exe) wrote to memory of PID 2676 (PING.EXE), target 79, x3
System policy modification (1 TTP, 3 IoCs)
Note the path: the value is written under Policies\CurrentVersion\Explorern (sic), not the real Explorer policy key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, and as a string rather than the DWORD Windows expects, so this NoControlPanel setting has no effect. The misspelled key is still a clean host IoC.
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | Process: winupdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | Process: winupdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | Process: winupdate.exe
Views/modifies file attributes (1 TTP, 2 IoCs)
PID 1332 attrib.exe
PID 5100 attrib.exe
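The following is an added example, not part of this report and not the sample's own code: a PowerShell triage function that checks a host for the registry and file IoCs listed under Signatures. The key paths, value names and file paths come from the report; the function name Test-WinupdateIoCs, its parameters, the use of CurrentControlSet in place of ControlSet001, and the choice to check both the native and WOW6432Node registry views are this example's own assumptions.

```powershell
# Added example (not part of the sandbox report, not the sample's own code):
# host triage for the registry and file IoCs listed in the Signatures section.
# Key paths and values are copied from the report; the function name and the
# two parameters are this example's own choices. Run in an elevated
# PowerShell 5.1+ session on the suspect host.

function Test-WinupdateIoCs {
    [CmdletBinding()]
    param(
        # Dropped-file path from the report.
        [string]$DroppedExe  = 'C:\Windupdt\winupdate.exe',
        # Original dropper name from the report; it ran from the user's %TEMP%.
        [string]$DropperName = '6a55e570c9897d5bcdb2da37c4d20e0b.exe'
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Winlogon\Userinit: any entry besides userinit.exe is a logon-time autostart.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $wl -ErrorAction SilentlyContinue).Userinit
    if ($userinit) {
        $extra = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -ine "$env:SystemRoot\system32\userinit.exe" }
        if ($extra) { $findings.Add("Winlogon Userinit carries extra entries: $($extra -join '; ')") }
    }

    # 2. Run\winupdater in every loaded user hive (the report shows one SID;
    #    other profiles on a shared machine may carry it too).
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
        $run = "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $val = (Get-ItemProperty -Path $run -Name winupdater -ErrorAction SilentlyContinue).winupdater
        if ($val) { $findings.Add("Run\winupdater in $($hive.PSChildName) = $val") }
    }

    # 3. Security Center service disabled (Start = 4). The report names ControlSet001;
    #    CurrentControlSet is the live link to whichever control set is active.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'
    $start = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings.Add('wscsvc Start = 4 (Security Center service disabled)') }

    # 4. Notification suppression. The sample is 32-bit, so on x64 its writes were
    #    redirected to WOW6432Node; check both registry views.
    foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
        $props = Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue
        foreach ($name in 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
            if ($props -and "$($props.$name)" -eq '1') { $findings.Add("$sc\$name = 1") }
        }
    }

    # 5. Misspelled policy key. The real key is ...\Policies\Explorer, so this
    #    NoControlPanel never takes effect, but the bogus key is a clean indicator.
    $bogus = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern'
    if (Test-Path -Path $bogus) { $findings.Add("Bogus policy key present: $bogus") }

    # 6. Dropped binary, plus the Hidden+System attributes attrib.exe set on the
    #    dropper and on %TEMP% itself. -Force is required to see hidden items.
    if (Test-Path -LiteralPath $DroppedExe) {
        $sha256 = (Get-FileHash -LiteralPath $DroppedExe -Algorithm SHA256).Hash
        $findings.Add("Dropped file present: $DroppedExe (SHA256 $sha256)")
    }
    foreach ($p in $env:TEMP, (Join-Path $env:TEMP $DropperName)) {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($item -and
            (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)) {
            $findings.Add("Hidden+System attributes on $p")
        }
    }
    return $findings
}

$hits = @(Test-WinupdateIoCs)
if ($hits.Count -eq 0) { 'No IoCs from this report found.' }
else { $hits | ForEach-Object { Write-Warning $_ } }
```

The function reads only; it removes nothing, so it is safe to run as a first pass before deciding on remediation. Check 6 looks at the current user's Temp folder; on a multi-user machine run it as, or point it at, the profile that was logged on when the dropper executed.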
Processes

[1] C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe  (PID 4540)
    "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 3692)
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\attrib.exe  (PID 1332)
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 3620)
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe" +s +h
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\attrib.exe  (PID 5100)
        attrib "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

  [2] C:\Windupdt\winupdate.exe  (PID 2536)
      "C:\Windupdt\winupdate.exe"
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification

  [2] C:\Windows\SysWOW64\cmd.exe  (PID 1860)
      "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe"
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\PING.EXE  (PID 2676)
        ping 127.0.0.1 -n 5
        - Runs ping.exe

Notes on the tree: [n] is the depth in the process tree. PING.EXE is a child of the cmd.exe with PID 1860, as the WriteProcessMemory entries 1860 -> 2676 above confirm. Image paths under SysWOW64 while the command lines name System32 are WOW64 file-system redirection: the dropper is a 32-bit process. The "ping 127.0.0.1 -n 5" is used as a sleep of roughly four seconds before the del that is meant to remove the dropper; because the dropper had already been given the Hidden and System attributes by PID 5100, a plain del without /A skips it, so the original file may still be present in the user's Temp folder. "cmd.exe /k" keeps the shell alive after its command finishes, so these cmd.exe instances outlive the attrib and ping commands they ran.
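An added example, again not part of the report or of any vendor tooling: a PowerShell function that flags the cmd.exe, attrib.exe and ping patterns in the tree above from process-creation telemetry. It assumes records with Sysmon Event ID 1 style fields (ProcessId, Image, ParentImage, CommandLine); the function name Find-DropperCommandLines and its three detection rules are this example's own, and the sample records are constructed from the tree above plus one benign control that must not fire.

```powershell
# Added example (written for this page, not part of the report or of any
# vendor tool): flag the cmd.exe / attrib.exe / ping patterns seen in the
# process tree from process-creation telemetry. Field names follow Sysmon
# Event ID 1 (ProcessId, Image, ParentImage, CommandLine); the function name
# and the rules are this example's own.

function Find-DropperCommandLines {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $cl = [string]$e.CommandLine
        $reason = $null

        if ($e.Image -match '\\attrib\.exe$' -and $cl -match '\+[sh](\s|$)') {
            # attrib adding Hidden or System, in either order (+s +h / +h +s).
            $reason = 'attrib.exe sets Hidden/System attribute'
        }
        elseif ($e.Image -match '\\cmd\.exe$' -and
                $cl -match 'ping\s+(127\.0\.0\.1|localhost)\s+-n\s+\d+.*&\s*del\b') {
            # ping used as a sleep, then del: the self-delete idiom in the tree.
            $reason = 'ping delay followed by del (self-delete)'
        }
        elseif ($e.Image -match '\\cmd\.exe$' -and $cl -match '\s/k\s' -and
                $e.ParentImage -notmatch '\\(cmd|powershell|pwsh|explorer)\.exe$') {
            # cmd /k (keep the shell alive) launched by something that is not a shell.
            $reason = 'cmd.exe /k spawned by a non-shell parent'
        }

        if ($reason) {
            [pscustomobject]@{
                ProcessId   = $e.ProcessId
                Image       = Split-Path -Leaf $e.Image
                Reason      = $reason
                CommandLine = $cl
            }
        }
    }
}

# Constructed sample: the report's process tree as Sysmon-style records,
# plus one benign cmd.exe started from Explorer that must not be flagged.
$dropper = 'C:\Users\Admin\AppData\Local\Temp\6a55e570c9897d5bcdb2da37c4d20e0b.exe'
$sample = @(
    [pscustomobject]@{ ProcessId = 3692; Image = 'C:\Windows\SysWOW64\cmd.exe';    ParentImage = $dropper
                       CommandLine = '"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h' }
    [pscustomobject]@{ ProcessId = 1332; Image = 'C:\Windows\SysWOW64\attrib.exe'; ParentImage = 'C:\Windows\SysWOW64\cmd.exe'
                       CommandLine = 'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h' }
    [pscustomobject]@{ ProcessId = 3620; Image = 'C:\Windows\SysWOW64\cmd.exe';    ParentImage = $dropper
                       CommandLine = "`"C:\Windows\System32\cmd.exe`" /k attrib `"$dropper`" +s +h" }
    [pscustomobject]@{ ProcessId = 5100; Image = 'C:\Windows\SysWOW64\attrib.exe'; ParentImage = 'C:\Windows\SysWOW64\cmd.exe'
                       CommandLine = "attrib `"$dropper`" +s +h" }
    [pscustomobject]@{ ProcessId = 2536; Image = 'C:\Windupdt\winupdate.exe';      ParentImage = $dropper
                       CommandLine = '"C:\Windupdt\winupdate.exe"' }
    [pscustomobject]@{ ProcessId = 1860; Image = 'C:\Windows\SysWOW64\cmd.exe';    ParentImage = $dropper
                       CommandLine = "`"C:\Windows\System32\cmd.exe`" /k ping 127.0.0.1 -n 5 > NUL&del `"$dropper`"" }
    [pscustomobject]@{ ProcessId = 2676; Image = 'C:\Windows\SysWOW64\PING.EXE';   ParentImage = 'C:\Windows\SysWOW64\cmd.exe'
                       CommandLine = 'ping 127.0.0.1 -n 5' }
    [pscustomobject]@{ ProcessId = 4242; Image = 'C:\Windows\System32\cmd.exe';    ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\cmd.exe" /k dir' }
)

Find-DropperCommandLines -Events $sample | Format-Table -AutoSize
```

Against the constructed sample the function flags both cmd /k launches from the dropper, both attrib invocations and the ping-and-del shell, and leaves winupdate.exe, PING.EXE and the Explorer-launched cmd.exe alone. The rules are ordered so the self-delete match wins over the generic /k rule for the same cmd.exe record. To use it on real data, build the event objects from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log (Event ID 1) or from your EDR's process-creation export.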
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)  [T1547.001, the Run\winupdater value]
    Winlogon Helper DLL (1)  [T1547.004, the Winlogon\UserInit change]
  Create or Modify System Process (1)
    Windows Service (1)  [T1543.003, the wscsvc Start = 4 change]

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)  [T1547.001]
    Winlogon Helper DLL (1)  [T1547.004]
  Create or Modify System Process (1)
    Windows Service (1)  [T1543.003]

The only service change in the report is setting wscsvc to Disabled, which switches an existing defence off rather than installing a service; for hunting purposes treat it as Impair Defenses: Disable or Modify Tools (T1562.001) in addition to the mapping above.
Downloads

1. Filesize: 384KB
   MD5: 4096999cdf78123c8099e51f5d668fb8
   SHA1: 910f2fa6caa58000ae2f9687ddb91a2d5ac164e6
   SHA256: 4e6e178dc4cc7880c466beb4d09396d8bec815fb92202f0a5744d12c54462223
   SHA512: cfc0e79d3b50e340f0850fc72e30f35c3ee3c6eec7e23eacbd1ae532c3bdedbba45875a05ca7710cacbe39b52fc85dcf4fe26ea41397167179e6e7e678a62bb5

2. Filesize: 304KB
   MD5: 0c4112280c62a793909828d06acf32d2
   SHA1: eb9540bad25b6e8d1577fea84a15526ad2a44bf6
   SHA256: 8c13d9f495cff0cc9bb4a46f96479db3d69c2e895a311028f106e51a8b95d53e
   SHA512: 8b967a900296714bfeea8e737cbca368f7e8a849f25bf6e4f0cd6c59faab85bab47b451667946148916f0d57527c83d1b375161040404d7feb3d051ace735059

3. Filesize: 308KB
   MD5: 1c8a0fd90dedb1ab5342ed2084ac161a
   SHA1: 847f16daa4def68f7b872188bf65b7d713c2b72d
   SHA256: 643d4b35db818a64260e5167d5cafebb5217320fb07b54618088a46930762031
   SHA512: 8bdbc74f10d35f9f13c8c42340f172a3696105dcceb797c399ea97108f442c823760375ae0d4a7291b20160306878cf356fa91dc29e968e77eb45378ed1e8761