Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 21/01/2024, 01:34
Behavioral task: behavioral1
  Sample: 68aea9b1f4605cd58556c62ec72f1f36.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 68aea9b1f4605cd58556c62ec72f1f36.exe
  Resource: win10v2004-20231215-en
General
Target: 68aea9b1f4605cd58556c62ec72f1f36.exe
Size: 648KB
MD5: 68aea9b1f4605cd58556c62ec72f1f36
SHA1: 1d5335563e6fb99d8656016f78dbad42503cf838
SHA256: 2c518676f1c6d40841ba7669bddc5ce8e25f6d7cb8ec1598563e46a73b580923
SHA512: 38e39e331481f06eb9ecaa55fdcab0dbbd1c99818ee658fd92e277273a45476ac071b46f4bbab4ae94e00baeff711f9ad69370128433f7824fc5552b1362f995
SSDEEP: 12288:g6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhK:lAmBpVKHu0Mu9Xo20VGLVP5K
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe" | 68aea9b1f4605cd58556c62ec72f1f36.exe
Deletes itself (1 IoCs)
pid | Process
2364 | cmd.exe
Executes dropped EXE (1 IoCs)
pid | Process
2924 | winupdate.exe
Loads dropped DLL (4 IoCs)
pid | Process
2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
2924 | winupdate.exe
2924 | winupdate.exe
2924 | winupdate.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe" | 68aea9b1f4605cd58556c62ec72f1f36.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2892 | PING.EXE
Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeSecurityPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeTakeOwnershipPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeLoadDriverPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeSystemProfilePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeSystemtimePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeProfSingleProcessPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeIncBasePriorityPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeCreatePagefilePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeBackupPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeRestorePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeShutdownPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeDebugPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeSystemEnvironmentPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeChangeNotifyPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeRemoteShutdownPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeUndockPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeManageVolumePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeImpersonatePrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeCreateGlobalPrivilege | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: 33 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: 34 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: 35 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe
Token: SeIncreaseQuotaPrivilege | 2924 | winupdate.exe
Token: SeSecurityPrivilege | 2924 | winupdate.exe
Token: SeTakeOwnershipPrivilege | 2924 | winupdate.exe
Token: SeLoadDriverPrivilege | 2924 | winupdate.exe
Token: SeSystemProfilePrivilege | 2924 | winupdate.exe
Token: SeSystemtimePrivilege | 2924 | winupdate.exe
Token: SeProfSingleProcessPrivilege | 2924 | winupdate.exe
Token: SeIncBasePriorityPrivilege | 2924 | winupdate.exe
Token: SeCreatePagefilePrivilege | 2924 | winupdate.exe
Token: SeBackupPrivilege | 2924 | winupdate.exe
Token: SeRestorePrivilege | 2924 | winupdate.exe
Token: SeShutdownPrivilege | 2924 | winupdate.exe
Token: SeDebugPrivilege | 2924 | winupdate.exe
Token: SeSystemEnvironmentPrivilege | 2924 | winupdate.exe
Token: SeChangeNotifyPrivilege | 2924 | winupdate.exe
Token: SeRemoteShutdownPrivilege | 2924 | winupdate.exe
Token: SeUndockPrivilege | 2924 | winupdate.exe
Token: SeManageVolumePrivilege | 2924 | winupdate.exe
Token: SeImpersonatePrivilege | 2924 | winupdate.exe
Token: SeCreateGlobalPrivilege | 2924 | winupdate.exe
Token: 33 | 2924 | winupdate.exe
Token: 34 | 2924 | winupdate.exe
Token: 35 | 2924 | winupdate.exe
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2924 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 28
PID 2512 wrote to memory of 2364 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 29
PID 2512 wrote to memory of 2364 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 29
PID 2512 wrote to memory of 2364 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 29
PID 2512 wrote to memory of 2364 | 2512 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 29
PID 2364 wrote to memory of 2892 | 2364 | cmd.exe | 31
PID 2364 wrote to memory of 2892 | 2364 | cmd.exe | 31
PID 2364 wrote to memory of 2892 | 2364 | cmd.exe | 31
PID 2364 wrote to memory of 2892 | 2364 | cmd.exe | 31
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe"
  PID: 2512
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windupdt\winupdate.exe
    Command line: "C:\Windupdt\winupdate.exe"
    PID: 2924
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe"
    PID: 2364
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 5
      PID: 2892
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 648KB
MD5: 68aea9b1f4605cd58556c62ec72f1f36
SHA1: 1d5335563e6fb99d8656016f78dbad42503cf838
SHA256: 2c518676f1c6d40841ba7669bddc5ce8e25f6d7cb8ec1598563e46a73b580923
SHA512: 38e39e331481f06eb9ecaa55fdcab0dbbd1c99818ee658fd92e277273a45476ac071b46f4bbab4ae94e00baeff711f9ad69370128433f7824fc5552b1362f995