Analysis

max time kernel: 89s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 16:33
Static task: static1

Behavioral task: behavioral1
  Sample: 74fa6cc9bd0b8114c1ae4114c5b791fd.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: 74fa6cc9bd0b8114c1ae4114c5b791fd.exe
  Resource: win10v2004-20231222-en
General

Target: 74fa6cc9bd0b8114c1ae4114c5b791fd.exe
Size: 72KB
MD5: 74fa6cc9bd0b8114c1ae4114c5b791fd
SHA1: 5de7dca6672143effef4f155e6b7b495aa8ff324
SHA256: 8480d4458deba8783d8fe333a237d054912f32db57bfb3cf9d8a3a8eec82fcba
SHA512: d20901ff775b043e338b6e03ec210879ed65e264465bf27fc425a5a47ce31c0e49ad9ccbd68a02a4b7145b0b853a0ffdff9f03d70bd4ce8d4afbc318515dd7cb
SSDEEP: 768:/xOF7BDPn/w/27buebsN8x/CSPEEUyxwczwFj:/wF1Lw/2GebY8kSsEUg6j
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    784   winUpdate32Login.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                             process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winUpdateStngs = "C:\\Windows\\winUpdate32Login.exe"  winUpdate32Login.exe

Drops file in Windows directory (1 IoC)
  Processes:
    description                    ioc                                process
    File opened for modification   C:\Windows\winUpdate32Login.exe    74fa6cc9bd0b8114c1ae4114c5b791fd.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid    process
    2876   74fa6cc9bd0b8114c1ae4114c5b791fd.exe
    784    winUpdate32Login.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     pid    process                                target process
    PID 2876 wrote to memory of 784 2876   74fa6cc9bd0b8114c1ae4114c5b791fd.exe   winUpdate32Login.exe
    PID 2876 wrote to memory of 784 2876   74fa6cc9bd0b8114c1ae4114c5b791fd.exe   winUpdate32Login.exe
    PID 2876 wrote to memory of 784 2876   74fa6cc9bd0b8114c1ae4114c5b791fd.exe   winUpdate32Login.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\74fa6cc9bd0b8114c1ae4114c5b791fd.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\74fa6cc9bd0b8114c1ae4114c5b791fd.exe"
   PID: 2876
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\winUpdate32Login.exe (child of PID 2876)
      Command line: C:\Windows\winUpdate32Login.exe
      PID: 784
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\winUpdate32Login.exe
  Filesize: 40KB
  MD5: 02af082939dd0dc7e2c5e7e446186158
  SHA1: 3f55312e34d7e1d9366df8225dcea1b7339d52a0
  SHA256: 60b1d0955a58b7f83856b9a8b4f83402ad873b3ad3be0a78860a8e1f76ac91dc
  SHA512: c517480c70b5dd583322de4f2bdb60865ff07b8fd78f0afd50109fadc9386da13b0277ac4b0e7b455c4fe4effee19f7be7c5a720e9e043e6dc44054c858b9c3d