f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c

General

Target

b70a0bd6e45135566a7aa9faa196e615.exe
Size

2.3MB
MD5

b70a0bd6e45135566a7aa9faa196e615
SHA1

d29fa049e885849bf8e67251e01ac15d520dc98d
SHA256

f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c
SHA512

5634102cf6f8f8179fc6a2a2ab6ee65a337a3a31a683a62381fb35a631b977bc914e729f5f0bb6e68e6fc8c2011745a80bb845a31645e4497bb1ed6dd75fce0d
SSDEEP

49152:Jtjtjt2rOuCQhJohq3oHrh3JajtObu2+NUF5V54QN:Jtjtjt23hahqOr9JajQbu2+NUzx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2548	winupdates.exe

Loads dropped DLL 5 IoCs

pid	Process
1964	b70a0bd6e45135566a7aa9faa196e615.exe
2548	winupdates.exe
2548	winupdates.exe
2548	winupdates.exe
2548	winupdates.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto"	b70a0bd6e45135566a7aa9faa196e615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto"	winupdates.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\tracert.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\ping.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tracert.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\netstat.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\regedit.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\regedit.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\netstat.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\ping.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\bszip.dll	winupdates.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\winupdates	b70a0bd6e45135566a7aa9faa196e615.exe
File created	C:\Program Files (x86)\winupdates\winupdates.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Program Files (x86)\winupdates\winupdates.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File created	C:\Program Files (x86)\winupdates\a.tmp	winupdates.exe
File opened for modification	C:\Program Files (x86)\winupdates\a.tmp	winupdates.exe
File created	C:\Program Files (x86)\winupdates\bszd6490.tmp	winupdates.exe
File opened for modification	C:\Program Files (x86)\winupdates\a.zip	winupdates.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64	winupdates.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	winupdates.exe
2548	winupdates.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	b70a0bd6e45135566a7aa9faa196e615.exe
2548	winupdates.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28
PID 1964 wrote to memory of 2548	1964	b70a0bd6e45135566a7aa9faa196e615.exe	28

C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe
"C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files (x86)\winupdates\winupdates.exe
  "C:\Program Files (x86)\winupdates\winupdates.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\tracert.com

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
\Program Files (x86)\winupdates\winupdates.exe

Filesize
2.3MB

MD5
b70a0bd6e45135566a7aa9faa196e615

SHA1
d29fa049e885849bf8e67251e01ac15d520dc98d

SHA256
f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c

SHA512
5634102cf6f8f8179fc6a2a2ab6ee65a337a3a31a683a62381fb35a631b977bc914e729f5f0bb6e68e6fc8c2011745a80bb845a31645e4497bb1ed6dd75fce0d

Download Submit
\Windows\SysWOW64\bszip.dll

Filesize
61KB

MD5
077aee101adcf2421a1f3e616f79ffdb

SHA1
bcc7d956c46b73a59fd699b6b567e3bb0f052536

SHA256
434a88595f40af95768387c453443b7c4b5653f1d77cdf5554319fc1ee59d2d4

SHA512
62a8fd0a565cb6f0c6004261e8ef7a1fadc6b8081ac35ec511141f5ebf1de1f058ffa039d5b2257211632735db894c679e1d346e5b82aeb5ab5f91d44c6639b3

Download Submit
memory/2548-54-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download
memory/2548-61-0x0000000003400000-0x0000000003508000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads