Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/03/2024, 09:03

General

  • Target

    b70a0bd6e45135566a7aa9faa196e615.exe

  • Size

    2.3MB

  • MD5

    b70a0bd6e45135566a7aa9faa196e615

  • SHA1

    d29fa049e885849bf8e67251e01ac15d520dc98d

  • SHA256

    f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c

  • SHA512

    5634102cf6f8f8179fc6a2a2ab6ee65a337a3a31a683a62381fb35a631b977bc914e729f5f0bb6e68e6fc8c2011745a80bb845a31645e4497bb1ed6dd75fce0d

  • SSDEEP

    49152:Jtjtjt2rOuCQhJohq3oHrh3JajtObu2+NUF5V54QN:Jtjtjt23hahqOr9JajQbu2+NUzx

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 17 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe
    "C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Program Files (x86)\winupdates\winupdates.exe
      "C:\Program Files (x86)\winupdates\winupdates.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4108
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4980

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\winupdates\a.tmp

      Filesize

      904KB

      MD5

      39f1f99a2555fa9e7e5b851c03de585b

      SHA1

      c4c47c78e2ecc31e73d2eabeceed5e8b04a34e5b

      SHA256

      9fa0c708952151908fa2f383b3c07153068d733da107ba9d2ff4b2523143847c

      SHA512

      80c74a056e9e9196e6ec79892160c38b74e0282a0ac9bb10776299931ae70e2fce2c56d2c2c8514a838d910cd71680bc04f27894b6f9fc935f5f9d27cd963164

    • C:\Program Files (x86)\winupdates\winupdates.exe

      Filesize

      549KB

      MD5

      2d44b1cfcd48fdea5abfe23162d0d2c0

      SHA1

      c00c007a8b62b9bde38ae06c72344bc5821d5e05

      SHA256

      d8f3a70a374584c4e536597421d6dcbdca0eaf8b07da8e21a1aa480a77b5ee1e

      SHA512

      6170b375179a5db32e8a9e6caf0ec7ea5e7f9bf7796093ec95c8925dec5aa57dfd91c5d12a10a1f86d3d6e4473844c594ef5a2aa0ab2102b20449aca1fba3b87

    • C:\Program Files (x86)\winupdates\winupdates.exe

      Filesize

      216KB

      MD5

      77e609512ef9532169a288172ad7d74b

      SHA1

      7449d3b1786d53c25cb737217482afbb8d097399

      SHA256

      4ad4475b2ca6d9dfcabd2d47a4a1169d3619a3f00cf7cb1ca4d73888cbf97a54

      SHA512

      c9cd863096d300038ba98555b66148eb75361f3c02eee74c747d7ac883fba0554c2cf6c5c5db3db0157338866daa1581e0166a4cc2035f26de47694c0e021126

    • C:\Windows\SysWOW64\bszip.dll

      Filesize

      61KB

      MD5

      077aee101adcf2421a1f3e616f79ffdb

      SHA1

      bcc7d956c46b73a59fd699b6b567e3bb0f052536

      SHA256

      434a88595f40af95768387c453443b7c4b5653f1d77cdf5554319fc1ee59d2d4

      SHA512

      62a8fd0a565cb6f0c6004261e8ef7a1fadc6b8081ac35ec511141f5ebf1de1f058ffa039d5b2257211632735db894c679e1d346e5b82aeb5ab5f91d44c6639b3

    • C:\Windows\SysWOW64\tracert.com

      Filesize

      2B

      MD5

      ac6ad5d9b99757c3a878f2d275ace198

      SHA1

      439baa1b33514fb81632aaf44d16a9378c5664fc

      SHA256

      9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

      SHA512

      bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

    • memory/4108-51-0x0000000003EF0000-0x0000000003FF8000-memory.dmp

      Filesize

      1.0MB

    • memory/4108-65-0x0000000003EF0000-0x0000000003FF8000-memory.dmp

      Filesize

      1.0MB