Analysis
    max time kernel: 195s
    max time network: 138s
    platform: windows7_x64
    resource: win7-20240221-en
    resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
    submitted: 23/02/2024, 23:08
Static task: static1
Behavioral task: behavioral1
    Sample: a0944adca0738fef3c942b008d3646ee.exe
    Resource: win7-20240221-en
Behavioral task: behavioral2
    Sample: a0944adca0738fef3c942b008d3646ee.exe
    Resource: win10v2004-20240221-en
General
    Target: a0944adca0738fef3c942b008d3646ee.exe
    Size: 844KB
    MD5: a0944adca0738fef3c942b008d3646ee
    SHA1: 039ed8aa1a7f2a9d16a246e245b388b64902f717
    SHA256: 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164
    SHA512: cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1
    SSDEEP: 24576:70MgAAUnebGZYKulmSEuoJzsWdqWeKO0X:PFAUnYKunWIWx
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\WindowaUpdatet\\winupdate.exe" | a0944adca0738fef3c942b008d3646ee.exe

Windows security bypass (1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | a0944adca0738fef3c942b008d3646ee.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | winupdate.exe

Deletes itself (1 IoC)
    pid | Process
    2792 | cmd.exe

Executes dropped EXE (2 IoCs)
    pid | Process
    584 | winupdate.exe
    2164 | winupdate.exe

Loads dropped DLL (8 IoCs)
    pid | Process
    2584 | a0944adca0738fef3c942b008d3646ee.exe
    584 | winupdate.exe (4 loads)
    2164 | winupdate.exe (3 loads)

Windows security modification (1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winupdate.exe

Adds Run key to start application (2 TTPs, 1 IoC)
    description | ioc | Process
    Set value (str) | \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\WindowaUpdatet\\winupdate.exe" | a0944adca0738fef3c942b008d3646ee.exe

Suspicious use of SetThreadContext (2 IoCs)
    description | pid | Process | procid_target
    PID 2804 set thread context of 2584 | 2804 | a0944adca0738fef3c942b008d3646ee.exe | 29
    PID 584 set thread context of 2164 | 584 | winupdate.exe | 33

Drops file in Windows directory (3 IoCs)
    description | ioc | Process
    File created | C:\Windows\WindowaUpdatet\winupdate.exe | a0944adca0738fef3c942b008d3646ee.exe
    File opened for modification | C:\Windows\WindowaUpdatet\winupdate.exe | a0944adca0738fef3c942b008d3646ee.exe
    File opened for modification | C:\Windows\WindowaUpdatet\ | a0944adca0738fef3c942b008d3646ee.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | a0944adca0738fef3c942b008d3646ee.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | a0944adca0738fef3c942b008d3646ee.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | a0944adca0738fef3c942b008d3646ee.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | a0944adca0738fef3c942b008d3646ee.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | winupdate.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | winupdate.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | winupdate.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | winupdate.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
    description | ioc | Process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | a0944adca0738fef3c942b008d3646ee.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winupdate.exe

Runs ping.exe (1 TTP, 1 IoC)
    pid | Process
    1992 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
    pid | Process
    2164 | winupdate.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
PID 2584 (a0944adca0738fef3c942b008d3646ee.exe) and PID 2164 (winupdate.exe) each adjusted the same 23 token privileges, 46 IoCs in total:
    description | pid | Process
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2584 | a0944adca0738fef3c942b008d3646ee.exe
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2164 | winupdate.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
    pid | Process
    2804 | a0944adca0738fef3c942b008d3646ee.exe
    584 | winupdate.exe
    2164 | winupdate.exe

Suspicious use of WriteProcessMemory (44 IoCs)
44 individual write events were recorded across the following five parent/child pairs (each pair was logged repeatedly):
    description | pid | Process | procid_target
    PID 2804 wrote to memory of 2584 | 2804 | a0944adca0738fef3c942b008d3646ee.exe | 29
    PID 2584 wrote to memory of 584 | 2584 | a0944adca0738fef3c942b008d3646ee.exe | 30
    PID 2584 wrote to memory of 2792 | 2584 | a0944adca0738fef3c942b008d3646ee.exe | 32
    PID 584 wrote to memory of 2164 | 584 | winupdate.exe | 33
    PID 2792 wrote to memory of 1992 | 2792 | cmd.exe | 34
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe"
    PID: 2804
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [depth 2, child of 2804] C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee
        PID: 2584
        - Modifies WinLogon for persistence
        - Checks BIOS information in registry
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in Windows directory
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 3, child of 2584] C:\Windows\WindowaUpdatet\winupdate.exe
            Command line: "C:\Windows\WindowaUpdatet\winupdate.exe"
            PID: 584
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            [depth 4, child of 584] C:\Windows\WindowaUpdatet\winupdate.exe
                Command line: C:\Windows\WindowaUpdatet\winupdate
                PID: 2164
                - Windows security bypass
                - Checks BIOS information in registry
                - Executes dropped EXE
                - Loads dropped DLL
                - Windows security modification
                - Checks processor information in registry
                - Enumerates system info in registry
                - Suspicious behavior: GetForegroundWindowSpam
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx

        [depth 3, child of 2584] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
            PID: 2792
            - Deletes itself
            - Suspicious use of WriteProcessMemory

            [depth 4, child of 2792] C:\Windows\SysWOW64\PING.EXE
                Command line: ping 127.0.0.1 -n 2
                PID: 1992
                - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
    Filesize: 105B
    MD5: 8a7ccf4f8832923245069c66ff37712e
    SHA1: d67a19bfada2c36eb432e0a86e0834ef26107921
    SHA256: a3c62d78404162e128897d7608d8751561c416c37b10362e5be2a95c7cfbae3a
    SHA512: 6a92cac914b4b681f458976e8755912118ee7199d5a7dda0da1f50415c3a495cae754207568b0ea23afd00f9a74f33547fdb0572f7eefee3b3bfcf3055a168bc

File 2 (same hashes as the submitted sample)
    Filesize: 844KB
    MD5: a0944adca0738fef3c942b008d3646ee
    SHA1: 039ed8aa1a7f2a9d16a246e245b388b64902f717
    SHA256: 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164
    SHA512: cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1

File 3
    Filesize: 832KB
    MD5: 157b70b28ccb30e83648047b554e3c3d
    SHA1: aec6f47ebbbaeac58e84125eed9718fa3f85a4a9
    SHA256: f80290a8421be89d934d806011a56f7f200d39cef25aea9d3c67422ef7d04227
    SHA512: 1086fc5604e9dec06b414b68cc550813faae21af6dcb066ce3718573a18778dfccfffdeeeb67bb650effe309c24c23da2f82dc661b2f2e98e1b6c56304e63126