Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2024, 21:25
Behavioral task: behavioral1
  Sample: 6b83823e49a39f298c15c3ff547fa406.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 6b83823e49a39f298c15c3ff547fa406.exe
  Resource: win10v2004-20231215-en
General
Target: 6b83823e49a39f298c15c3ff547fa406.exe
Size: 746KB
MD5: 6b83823e49a39f298c15c3ff547fa406
SHA1: 87a6d44cfe44f3d452465ca8512b1a06041d92dd
SHA256: 3f19fa1892210bd294995f2a1a35487161f1dc17ec665565cc30353a7c4f3966
SHA512: 7aac8200aab701757e8bb05e2d2b49933f263e406f8782a8e9a94ba81a5763c088bee70a69db7720c6e1474ea1e1f6c470d00dd3e8f28449c921e0757dc34c99
SSDEEP: 12288:B6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfh3svv:kAmBpVKHu0Mu9Xo20VGLVP5cvv
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
  Process: 6b83823e49a39f298c15c3ff547fa406.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation
  Process: 6b83823e49a39f298c15c3ff547fa406.exe
Executes dropped EXE (1 IoCs)
  pid: 4476
  Process: winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
  Process: 6b83823e49a39f298c15c3ff547fa406.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 1 IoCs)
  pid: 632
  Process: PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid: 4476
  Process: winupdate.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 1932, Process 6b83823e49a39f298c15c3ff547fa406.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 4476, Process winupdate.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoCs)
  pid: 4476
  Process: winupdate.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 1932 wrote to memory of 4476 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 86
  PID 1932 wrote to memory of 4476 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 86
  PID 1932 wrote to memory of 4476 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 86
  PID 1932 wrote to memory of 1828 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 87
  PID 1932 wrote to memory of 1828 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 87
  PID 1932 wrote to memory of 1828 | 1932 | 6b83823e49a39f298c15c3ff547fa406.exe | 87
  PID 1828 wrote to memory of 632 | 1828 | cmd.exe | 90
  PID 1828 wrote to memory of 632 | 1828 | cmd.exe | 90
  PID 1828 wrote to memory of 632 | 1828 | cmd.exe | 90
Processes
C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
  PID: 1932
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windupdt\winupdate.exe
      Command line: "C:\Windupdt\winupdate.exe"
      PID: 4476
      - Executes dropped EXE
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\6b83823e49a39f298c15c3ff547fa406.exe"
      PID: 1828
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE
          Command line: ping 127.0.0.1 -n 5
          PID: 632
          - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 746KB
  MD5: 6b83823e49a39f298c15c3ff547fa406
  SHA1: 87a6d44cfe44f3d452465ca8512b1a06041d92dd
  SHA256: 3f19fa1892210bd294995f2a1a35487161f1dc17ec665565cc30353a7c4f3966
  SHA512: 7aac8200aab701757e8bb05e2d2b49933f263e406f8782a8e9a94ba81a5763c088bee70a69db7720c6e1474ea1e1f6c470d00dd3e8f28449c921e0757dc34c99
File 2
  Filesize: 569KB
  MD5: bf1de2ad20fb031ab0eb6e804dd78808
  SHA1: 54e9be2977fdc096fafeead48b01e7fa9be02521
  SHA256: 5670bfc3cb11e85452ff8a1ab9ddf9ec943734c567c38c628d47c1a3adb16157
  SHA512: 1c9455391a28149e173e7f0b3a43fedd41e05cc4441d2779b0862ab54c4d8b3d3dc4817a9f083ad0c48b25983b1a5dc36fa972db6578fd17228effe016008e11