Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23/02/2024, 23:08
Static task
- static1
Behavioral task
- behavioral1
  Sample: a0944adca0738fef3c942b008d3646ee.exe
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: a0944adca0738fef3c942b008d3646ee.exe
  Resource: win10v2004-20240221-en
General
- Target: a0944adca0738fef3c942b008d3646ee.exe
- Size: 844KB
- MD5: a0944adca0738fef3c942b008d3646ee
- SHA1: 039ed8aa1a7f2a9d16a246e245b388b64902f717
- SHA256: 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164
- SHA512: cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1
- SSDEEP: 24576:70MgAAUnebGZYKulmSEuoJzsWdqWeKO0X:PFAUnYKunWIWx
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\WindowaUpdatet\\winupdate.exe" (process: a0944adca0738fef3c942b008d3646ee.exe)
Windows security bypass
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: winupdate.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: winupdate.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation (process: a0944adca0738fef3c942b008d3646ee.exe)
Executes dropped EXE (2 IoCs)
- PID 4292: winupdate.exe
- PID 876: winupdate.exe
Windows security modification
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: winupdate.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\WindowaUpdatet\\winupdate.exe" (process: a0944adca0738fef3c942b008d3646ee.exe)
Suspicious use of SetThreadContext (2 IoCs)
- PID 3616 (a0944adca0738fef3c942b008d3646ee.exe) set thread context of PID 5088 (target procid 86)
- PID 4292 (winupdate.exe) set thread context of PID 876 (target procid 92)
Drops file in Windows directory (3 IoCs)
- File opened for modification: C:\Windows\WindowaUpdatet\winupdate.exe (process: a0944adca0738fef3c942b008d3646ee.exe)
- File opened for modification: C:\Windows\WindowaUpdatet\ (process: a0944adca0738fef3c942b008d3646ee.exe)
- File created: C:\Windows\WindowaUpdatet\winupdate.exe (process: a0944adca0738fef3c942b008d3646ee.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: winupdate.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: winupdate.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (process: winupdate.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier (process: winupdate.exe)
Enumerates system info in registry (2 TTPs, 2 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: a0944adca0738fef3c942b008d3646ee.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier (process: winupdate.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: a0944adca0738fef3c942b008d3646ee.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
- PID 1828: PING.EXE
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- PID 876: winupdate.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
The same 24 token privileges are adjusted by each of the two processes below (24 x 2 = 48 IoCs):
- PID 5088 (a0944adca0738fef3c942b008d3646ee.exe) and PID 876 (winupdate.exe), each with Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 3616: a0944adca0738fef3c942b008d3646ee.exe
- PID 4292: winupdate.exe
- PID 876: winupdate.exe
Suspicious use of WriteProcessMemory (37 IoCs)
Identical rows are collapsed with a count:
- 14 x PID 3616 (a0944adca0738fef3c942b008d3646ee.exe) wrote to memory of PID 5088 (target procid 86)
- 3 x PID 5088 (a0944adca0738fef3c942b008d3646ee.exe) wrote to memory of PID 4292 (target procid 89)
- 3 x PID 5088 (a0944adca0738fef3c942b008d3646ee.exe) wrote to memory of PID 3636 (target procid 91)
- 14 x PID 4292 (winupdate.exe) wrote to memory of PID 876 (target procid 92)
- 3 x PID 3636 (cmd.exe) wrote to memory of PID 1828 (target procid 94)
Processes
- C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe (PID 3616)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee.exe (PID 5088)
    Command line: C:\Users\Admin\AppData\Local\Temp\a0944adca0738fef3c942b008d3646ee
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\WindowaUpdatet\winupdate.exe (PID 4292)
      Command line: "C:\Windows\WindowaUpdatet\winupdate.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\WindowaUpdatet\winupdate.exe (PID 876)
        Command line: C:\Windows\WindowaUpdatet\winupdate
        - Windows security bypass
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Windows security modification
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 3636)
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE (PID 1828)
        Command line: ping 127.0.0.1 -n 2
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 105B
  MD5: 8a7ccf4f8832923245069c66ff37712e
  SHA1: d67a19bfada2c36eb432e0a86e0834ef26107921
  SHA256: a3c62d78404162e128897d7608d8751561c416c37b10362e5be2a95c7cfbae3a
  SHA512: 6a92cac914b4b681f458976e8755912118ee7199d5a7dda0da1f50415c3a495cae754207568b0ea23afd00f9a74f33547fdb0572f7eefee3b3bfcf3055a168bc
- Filesize: 844KB
  MD5: a0944adca0738fef3c942b008d3646ee
  SHA1: 039ed8aa1a7f2a9d16a246e245b388b64902f717
  SHA256: 82a9aa0fd8bd98de2279486644673dd85f492310074bd2c94a21558c87e98164
  SHA512: cfb87fdf2eee241635a4078080546356ad7f1428bf385016d5aa7909b2e23923df28c685e43f38493bd6857ee64c1d57e00ab34bb5f59bea9a1db8a7183f31a1