Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/01/2024, 01:34
Behavioral task behavioral1
  Sample: 68aea9b1f4605cd58556c62ec72f1f36.exe
  Resource: win7-20231215-en
Behavioral task behavioral2
  Sample: 68aea9b1f4605cd58556c62ec72f1f36.exe
  Resource: win10v2004-20231215-en
General
Target: 68aea9b1f4605cd58556c62ec72f1f36.exe
Size: 648KB
MD5: 68aea9b1f4605cd58556c62ec72f1f36
SHA1: 1d5335563e6fb99d8656016f78dbad42503cf838
SHA256: 2c518676f1c6d40841ba7669bddc5ce8e25f6d7cb8ec1598563e46a73b580923
SHA512: 38e39e331481f06eb9ecaa55fdcab0dbbd1c99818ee658fd92e277273a45476ac071b46f4bbab4ae94e00baeff711f9ad69370128433f7824fc5552b1362f995
SSDEEP: 12288:g6A84PaHhfD/tV9sj5NKR0pau9XGyu2qBVGLQyTPfhK:lAmBpVKHu0Mu9Xo20VGLVP5K
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windupdt\\winupdate.exe"
  Process: 68aea9b1f4605cd58556c62ec72f1f36.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation
  Process: 68aea9b1f4605cd58556c62ec72f1f36.exe

Executes dropped EXE (1 IoC)
  pid: 4272
  Process: winupdate.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windupdt\\winupdate.exe"
  Process: 68aea9b1f4605cd58556c62ec72f1f36.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
  pid: 2308
  Process: PING.EXE

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  pid 3056, Process 68aea9b1f4605cd58556c62ec72f1f36.exe, 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  pid 4272, Process winupdate.exe, 24 tokens:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3056 wrote to memory of 4272 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 87
  PID 3056 wrote to memory of 4272 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 87
  PID 3056 wrote to memory of 4272 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 87
  PID 3056 wrote to memory of 3820 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 88
  PID 3056 wrote to memory of 3820 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 88
  PID 3056 wrote to memory of 3820 | 3056 | 68aea9b1f4605cd58556c62ec72f1f36.exe | 88
  PID 3820 wrote to memory of 2308 | 3820 | cmd.exe | 90
  PID 3820 wrote to memory of 2308 | 3820 | cmd.exe | 90
  PID 3820 wrote to memory of 2308 | 3820 | cmd.exe | 90
Processes

C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe"
  PID: 3056
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windupdt\winupdate.exe (depth 2)
    Command line: "C:\Windupdt\winupdate.exe"
    PID: 4272
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\68aea9b1f4605cd58556c62ec72f1f36.exe"
    PID: 3820
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 5
      PID: 2308
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 648KB
MD5: 68aea9b1f4605cd58556c62ec72f1f36
SHA1: 1d5335563e6fb99d8656016f78dbad42503cf838
SHA256: 2c518676f1c6d40841ba7669bddc5ce8e25f6d7cb8ec1598563e46a73b580923
SHA512: 38e39e331481f06eb9ecaa55fdcab0dbbd1c99818ee658fd92e277273a45476ac071b46f4bbab4ae94e00baeff711f9ad69370128433f7824fc5552b1362f995