Analysis
max time kernel: 147s
max time network: 148s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20/01/2024, 21:25
Behavioral task behavioral1: sample 6b83823e49a39f298c15c3ff547fa406.exe, resource win7-20231215-en
Behavioral task behavioral2: sample 6b83823e49a39f298c15c3ff547fa406.exe, resource win10v2004-20231215-en
General
Target: 6b83823e49a39f298c15c3ff547fa406.exe
Size: 746KB
MD5: 6b83823e49a39f298c15c3ff547fa406
SHA1: 87a6d44cfe44f3d452465ca8512b1a06041d92dd
SHA256: 3f19fa1892210bd294995f2a1a35487161f1dc17ec665565cc30353a7c4f3966
SHA512: 7aac8200aab701757e8bb05e2d2b49933f263e406f8782a8e9a94ba81a5763c088bee70a69db7720c6e1474ea1e1f6c470d00dd3e8f28449c921e0757dc34c99
SSDEEP: 12288:B6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh3svv:kAmBpVKHu0Mu9Xo20VGLVP5cvv
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by 6b83823e49a39f298c15c3ff547fa406.exe:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
Deletes itself (1 IoC)
  PID 2708 cmd.exe
Executes dropped EXE (1 IoC)
  PID 2076 winupdate.exe
Loads dropped DLL (4 IoCs)
  PID 2440 6b83823e49a39f298c15c3ff547fa406.exe
  PID 2076 winupdate.exe (3 events)
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by 6b83823e49a39f298c15c3ff547fa406.exe:
  \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTP, 1 IoC)
  PID 2928 PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2076 winupdate.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2440 (6b83823e49a39f298c15c3ff547fa406.exe) and PID 2076 (winupdate.exe) each adjust the same 23 tokens:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35 (unnamed in the report)
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2076 winupdate.exe
Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2440 (6b83823e49a39f298c15c3ff547fa406.exe) wrote to memory of PID 2076 (winupdate.exe): 7 events, procid_target 28
  PID 2440 (6b83823e49a39f298c15c3ff547fa406.exe) wrote to memory of PID 2708 (cmd.exe): 4 events, procid_target 31
  PID 2708 (cmd.exe) wrote to memory of PID 2928 (PING.EXE): 4 events, procid_target 30
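The two registry IoCs above, the Winlogon Userinit value and the HKCU Run key, are the persistence to hunt for on other hosts. The Python below is an added triage example, not part of the sandbox report or of the sample: it parses a Userinit value as the comma-separated list Winlogon executes at logon and flags anything beyond the stock userinit.exe, and flags Run-key images that live outside the Windows and Program Files trees. The registry values are constructed from the report's IoCs (written with single backslashes; the sandbox prints them doubled); the SecurityHealth entry and the trusted-root list are assumptions for illustration; read_live_values() uses the stdlib winreg module and only works on Windows.

```python
"""Added example: triage the two persistence IoCs from this report.

Not part of the sandbox output. Registry values below are constructed from
the report's IoCs; read_live_values() is an optional Windows-only helper.
"""
from __future__ import annotations

# Winlogon runs every comma-separated entry of Userinit at logon, so any
# entry beyond the stock userinit.exe is a logon-time persistence hook.
STOCK_USERINIT = {
    "userinit.exe",
    r"c:\windows\system32\userinit.exe",
    r"%systemroot%\system32\userinit.exe",
}

# Assumed roots under which an auto-start image is normally expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def userinit_extras(value: str) -> list[str]:
    """Return Userinit entries that are not the stock userinit.exe (lower-cased)."""
    entries = (e.strip().strip('"').lower() for e in value.split(","))
    return [e for e in entries if e and e not in STOCK_USERINIT]


def suspicious_run_entries(run_values: dict[str, str]) -> dict[str, str]:
    """Return Run-key values whose image path is outside TRUSTED_ROOTS."""
    flagged: dict[str, str] = {}
    for name, cmd in run_values.items():
        image = cmd.strip().strip('"').lower()   # leading quote of a quoted path
        if not image.startswith(TRUSTED_ROOTS):
            flagged[name] = cmd
    return flagged


def read_live_values() -> tuple[str, dict[str, str]]:
    """Windows only: read HKLM Winlogon\\Userinit and the HKCU Run key via winreg."""
    import winreg  # stdlib, present only on Windows

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        userinit, _ = winreg.QueryValueEx(key, "Userinit")
    run: dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # ERROR_NO_MORE_ITEMS: end of the value list
                break
            run[name] = str(data)
            index += 1
    return str(userinit), run


# Constructed from the report's IoCs (single backslashes; the sandbox prints them doubled).
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Windupdt\winupdate.exe"
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"   # stock value, trailing comma
SAMPLE_RUN = {
    "winupdater": r"C:\Windupdt\winupdate.exe",                          # from the report
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",  # constructed benign entry
}

if __name__ == "__main__":
    print("Userinit extras:", userinit_extras(SAMPLE_USERINIT))
    print("Run entries outside trusted roots:", suspicious_run_entries(SAMPLE_RUN))
```

On a Windows host, feed the output of read_live_values() into both checks. The trusted-root heuristic is only a first pass, since a dropper can just as well write under C:\Windows, so confirm any flagged image against the SHA256 listed under General rather than trusting the path.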
Processes
C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe (PID 2440)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
  Signatures: Modifies WinLogon for persistence; Loads dropped DLL; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  |- C:\Windupdt\winupdate.exe (PID 2076)
       Command line: "C:\Windupdt\winupdate.exe"
       Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  |- C:\Windows\SysWOW64\cmd.exe (PID 2708)
       Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
       Signatures: Deletes itself; Suspicious use of WriteProcessMemory
       |- C:\Windows\SysWOW64\PING.EXE (PID 2928)
            Command line: ping 127.0.0.1 -n 5
            Signatures: Runs ping.exe
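The cmd.exe line in the tree above is the sample's cleanup: cmd /k waits on a loopback ping (the sandbox records the PING.EXE child), then del removes the original executable from the Temp directory. The image path is C:\Windows\SysWOW64\cmd.exe although the command line names System32, because the sample is 32-bit and its call is redirected by WOW64 file-system redirection, so a detection should match cmd.exe by basename rather than by full path. The Python below is an added example, not part of the report: it scans process-creation events for a cmd.exe whose command line contains a delay primitive followed by del/erase of its own parent's image. The events are constructed from the report's tree (PIDs 2440, 2708, 2928 and their command lines) plus two benign controls (PIDs 4000 to 4003) that are assumptions; matching timeout.exe as a delay is a generalisation beyond what the report shows.

```python
"""Added example: flag the delay-then-delete cleanup seen in this report.

Not part of the sandbox output. Process events below are constructed from
the report's process tree (PIDs and command lines copied from it).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Delay primitive: ping to loopback (as in the report), or timeout.exe (assumed variant).
_DELAY = re.compile(
    r"\b(?:ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)"
    r"|timeout(?:\.exe)?\s+(?:/t\s+)?\d+)",
    re.IGNORECASE,
)
# del/erase with optional switches and an optionally quoted path, up to '&' or end of line.
_DELETE = re.compile(r'\b(?:del|erase)\s+(?:/\w+\s+)*"?([^"&]+?)"?\s*(?:&|$)', re.IGNORECASE)


def self_delete_target(ev: ProcEvent) -> Optional[str]:
    """Return the deleted path when ev is cmd.exe delaying, then deleting its parent's image."""
    # Basename match: the image may sit under SysWOW64 when a 32-bit parent spawned it.
    if ev.image.lower().rsplit("\\", 1)[-1] != "cmd.exe":
        return None
    delay = _DELAY.search(ev.command_line)
    delete = _DELETE.search(ev.command_line)
    if delay is None or delete is None or delete.start() < delay.start():
        return None
    target = delete.group(1).strip()
    return target if target.lower() == ev.parent_image.lower() else None


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """(pid, deleted path) for every self-deletion found in the event stream."""
    hits = []
    for ev in events:
        target = self_delete_target(ev)
        if target is not None:
            hits.append((ev.pid, target))
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"

# Constructed events mirroring the report's tree; the last two are benign controls (assumed).
EVENTS = [
    ProcEvent(2708, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "' + SAMPLE + '"',
              2440, SAMPLE),
    ProcEvent(2928, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 5",
              2708, r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(4001, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c del "C:\Temp\old.log"',
              4000, r"C:\Windows\explorer.exe"),
    ProcEvent(4003, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping 127.0.0.1 -n 5 > NUL",
              4000, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, path in scan(EVENTS):
        print(f"PID {pid}: cmd.exe deletes its parent image {path}")
```

The parent-image comparison is what keeps this from firing on ordinary cleanup scripts: a plain del, or a ping with no del, is left alone, and only a cmd.exe that removes the very file that spawned it is reported. Feed it Sysmon event ID 1 or EDR process-creation records that carry the parent image path.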
Network
MITRE ATT&CK Enterprise v15