f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c

General

Target

b70a0bd6e45135566a7aa9faa196e615.exe
Size

2.3MB
MD5

b70a0bd6e45135566a7aa9faa196e615
SHA1

d29fa049e885849bf8e67251e01ac15d520dc98d
SHA256

f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c
SHA512

5634102cf6f8f8179fc6a2a2ab6ee65a337a3a31a683a62381fb35a631b977bc914e729f5f0bb6e68e6fc8c2011745a80bb845a31645e4497bb1ed6dd75fce0d
SSDEEP

49152:Jtjtjt2rOuCQhJohq3oHrh3JajtObu2+NUF5V54QN:Jtjtjt23hahqOr9JajQbu2+NUzx

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4108	winupdates.exe

Loads dropped DLL 2 IoCs

pid	Process
4108	winupdates.exe
4108	winupdates.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto"	winupdates.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto"	b70a0bd6e45135566a7aa9faa196e615.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\regedit.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\taskmgr.exe	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\netstat.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\ping.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\netstat.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\ping.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tracert.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.com	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64\tracert.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\tasklist.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\regedit.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\cmd.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\taskkill.com	winupdates.exe
File opened for modification	C:\Windows\SysWOW64\bszip.dll	winupdates.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\winupdates\a.zip	winupdates.exe
File opened for modification	C:\Program Files (x86)\winupdates	b70a0bd6e45135566a7aa9faa196e615.exe
File created	C:\Program Files (x86)\winupdates\winupdates.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Program Files (x86)\winupdates\winupdates.exe	b70a0bd6e45135566a7aa9faa196e615.exe
File created	C:\Program Files (x86)\winupdates\a.tmp	winupdates.exe
File opened for modification	C:\Program Files (x86)\winupdates\a.tmp	winupdates.exe
File created	C:\Program Files (x86)\winupdates\bszd6384.tmp	winupdates.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	b70a0bd6e45135566a7aa9faa196e615.exe
File opened for modification	C:\Windows\SysWOW64	winupdates.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4108	winupdates.exe
4108	winupdates.exe
4108	winupdates.exe
4108	winupdates.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1664	b70a0bd6e45135566a7aa9faa196e615.exe
4108	winupdates.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4108	1664	b70a0bd6e45135566a7aa9faa196e615.exe	96
PID 1664 wrote to memory of 4108	1664	b70a0bd6e45135566a7aa9faa196e615.exe	96
PID 1664 wrote to memory of 4108	1664	b70a0bd6e45135566a7aa9faa196e615.exe	96

C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe
"C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files (x86)\winupdates\winupdates.exe
  "C:\Program Files (x86)\winupdates\winupdates.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winupdates\a.tmp

Filesize
904KB

MD5
39f1f99a2555fa9e7e5b851c03de585b

SHA1
c4c47c78e2ecc31e73d2eabeceed5e8b04a34e5b

SHA256
9fa0c708952151908fa2f383b3c07153068d733da107ba9d2ff4b2523143847c

SHA512
80c74a056e9e9196e6ec79892160c38b74e0282a0ac9bb10776299931ae70e2fce2c56d2c2c8514a838d910cd71680bc04f27894b6f9fc935f5f9d27cd963164

Download Submit
C:\Program Files (x86)\winupdates\winupdates.exe

Filesize
549KB

MD5
2d44b1cfcd48fdea5abfe23162d0d2c0

SHA1
c00c007a8b62b9bde38ae06c72344bc5821d5e05

SHA256
d8f3a70a374584c4e536597421d6dcbdca0eaf8b07da8e21a1aa480a77b5ee1e

SHA512
6170b375179a5db32e8a9e6caf0ec7ea5e7f9bf7796093ec95c8925dec5aa57dfd91c5d12a10a1f86d3d6e4473844c594ef5a2aa0ab2102b20449aca1fba3b87

Download Submit
C:\Program Files (x86)\winupdates\winupdates.exe

Filesize
216KB

MD5
77e609512ef9532169a288172ad7d74b

SHA1
7449d3b1786d53c25cb737217482afbb8d097399

SHA256
4ad4475b2ca6d9dfcabd2d47a4a1169d3619a3f00cf7cb1ca4d73888cbf97a54

SHA512
c9cd863096d300038ba98555b66148eb75361f3c02eee74c747d7ac883fba0554c2cf6c5c5db3db0157338866daa1581e0166a4cc2035f26de47694c0e021126

Download Submit
C:\Windows\SysWOW64\bszip.dll

Filesize
61KB

MD5
077aee101adcf2421a1f3e616f79ffdb

SHA1
bcc7d956c46b73a59fd699b6b567e3bb0f052536

SHA256
434a88595f40af95768387c453443b7c4b5653f1d77cdf5554319fc1ee59d2d4

SHA512
62a8fd0a565cb6f0c6004261e8ef7a1fadc6b8081ac35ec511141f5ebf1de1f058ffa039d5b2257211632735db894c679e1d346e5b82aeb5ab5f91d44c6639b3

Download Submit
C:\Windows\SysWOW64\tracert.com

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
memory/4108-51-0x0000000003EF0000-0x0000000003FF8000-memory.dmp

Filesize
1.0MB

Download
memory/4108-65-0x0000000003EF0000-0x0000000003FF8000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads