Analysis
- max time kernel: 145s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2024, 09:03
Static task: static1
Behavioral task: behavioral1
- Sample: b70a0bd6e45135566a7aa9faa196e615.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b70a0bd6e45135566a7aa9faa196e615.exe
- Resource: win10v2004-20240226-en
General
- Target: b70a0bd6e45135566a7aa9faa196e615.exe
- Size: 2.3MB
- MD5: b70a0bd6e45135566a7aa9faa196e615
- SHA1: d29fa049e885849bf8e67251e01ac15d520dc98d
- SHA256: f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c
- SHA512: 5634102cf6f8f8179fc6a2a2ab6ee65a337a3a31a683a62381fb35a631b977bc914e729f5f0bb6e68e6fc8c2011745a80bb845a31645e4497bb1ed6dd75fce0d
- SSDEEP: 49152:Jtjtjt2rOuCQhJohq3oHrh3JajtObu2+NUF5V54QN:Jtjtjt23hahqOr9JajQbu2+NUzx
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  4108 | winupdates.exe
- Loads dropped DLL (2 IoCs)
  pid | Process
  4108 | winupdates.exe
  4108 | winupdates.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto" | winupdates.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupdates = "C:\\Program Files (x86)\\winupdates\\winupdates.exe /auto" | b70a0bd6e45135566a7aa9faa196e615.exe
- Drops file in System32 directory (17 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\taskmgr.exe | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\taskkill.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\regedit.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\cmd.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\taskmgr.exe | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\netstat.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\ping.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\netstat.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\ping.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\tracert.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\tasklist.com | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64\tracert.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\tasklist.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\regedit.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\cmd.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\taskkill.com | winupdates.exe
  File opened for modification | C:\Windows\SysWOW64\bszip.dll | winupdates.exe
- Drops file in Program Files directory (7 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\winupdates\a.zip | winupdates.exe
  File opened for modification | C:\Program Files (x86)\winupdates | b70a0bd6e45135566a7aa9faa196e615.exe
  File created | C:\Program Files (x86)\winupdates\winupdates.exe | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Program Files (x86)\winupdates\winupdates.exe | b70a0bd6e45135566a7aa9faa196e615.exe
  File created | C:\Program Files (x86)\winupdates\a.tmp | winupdates.exe
  File opened for modification | C:\Program Files (x86)\winupdates\a.tmp | winupdates.exe
  File created | C:\Program Files (x86)\winupdates\bszd6384.tmp | winupdates.exe
- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64 | b70a0bd6e45135566a7aa9faa196e615.exe
  File opened for modification | C:\Windows\SysWOW64 | winupdates.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  4108 | winupdates.exe
  4108 | winupdates.exe
  4108 | winupdates.exe
  4108 | winupdates.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1664 | b70a0bd6e45135566a7aa9faa196e615.exe
  4108 | winupdates.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1664 wrote to memory of 4108 | 1664 | b70a0bd6e45135566a7aa9faa196e615.exe | 96
  PID 1664 wrote to memory of 4108 | 1664 | b70a0bd6e45135566a7aa9faa196e615.exe | 96
  PID 1664 wrote to memory of 4108 | 1664 | b70a0bd6e45135566a7aa9faa196e615.exe | 96
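The Signatures above show two artifacts worth hunting for on other hosts: a Run value named winupdates under the WOW6432Node hive (the registry-redirected view a 32-bit writer gets, so the native Run key should be checked as well), and .com files written beside the real utilities in C:\Windows\SysWOW64 (cmd.com, regedit.com, taskkill.com, tasklist.com, netstat.com, ping.com, tracert.com). The .com names matter because the default Windows PATHEXT lists .COM before .EXE: when a directory is searched for "cmd" with no extension, cmd.com in that directory wins over cmd.exe. The report only records the files being opened for modification, not their contents, so the presence of a .com beside a known utility is the indicator. The following Python script is an added example, not part of the sandbox output; the HostSnapshot type, the helper names, and the host snapshot it scans are constructed for illustration, and every hash other than the submitted sample's SHA-256 is a placeholder.

```python
"""Hunt for the persistence and command-shadowing artifacts listed in the
sandbox report. Added example: the snapshot and helper names are constructed,
not taken from the sandbox."""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    files: dict      # full path -> lowercase SHA-256 hex
    registry: dict   # key path -> {value name: value data}


# Indicators copied from the report.
REPORT_SHA256 = "f19d9cba13b674f2d9f24d1bdd3882d5537f827e2e154862da4b25f656d7273c"
RUN_VALUE_NAME = "winupdates"
RUN_VALUE_DATA = r"C:\Program Files (x86)\winupdates\winupdates.exe /auto"
SHADOWED_UTILITIES = {"cmd", "regedit", "taskkill", "tasklist", "netstat", "ping", "tracert"}
SYSWOW64 = r"C:\Windows\SysWOW64"

# The report shows the value under WOW6432Node (32-bit writer, redirected);
# the native key is checked too so a 64-bit variant is not missed.
RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
)

# Default PATHEXT order on Windows: .COM is tried before .EXE.
DEFAULT_PATHEXT = (".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
                   ".JS", ".JSE", ".WSF", ".WSH", ".MSC")


def resolve_in_dir(command, directory, files, pathext=DEFAULT_PATHEXT):
    """Emulate the per-directory PATHEXT search: the first extension in
    `pathext` that exists in `directory` wins. Returns the lowercase path
    or None. Comparison is case-insensitive, as NTFS path lookup is."""
    present = {p.lower() for p in files}
    for ext in pathext:
        candidate = f"{directory}\\{command}{ext}".lower()
        if candidate in present:
            return candidate
    return None


def check_run_keys(registry):
    """Flag Run values whose name and data match the reported persistence entry."""
    hits = []
    for key in RUN_KEYS:
        for name, data in registry.get(key, {}).items():
            if name.lower() == RUN_VALUE_NAME and data.lower() == RUN_VALUE_DATA.lower():
                hits.append({"type": "run_key", "key": key, "name": name, "data": data})
    return hits


def find_shadowing_coms(files):
    """Flag every reported utility name that now resolves to a .com in SysWOW64."""
    hits = []
    for base in sorted(SHADOWED_UTILITIES):
        winner = resolve_in_dir(base, SYSWOW64, files)
        if winner and winner.endswith(".com"):
            hits.append({"type": "pathext_shadow", "command": base, "resolves_to": winner})
    return hits


def find_hash_matches(files, sha256=REPORT_SHA256):
    """Flag any file whose SHA-256 equals the submitted sample's."""
    return [{"type": "hash", "path": p} for p, h in files.items() if h.lower() == sha256]


def hunt(snapshot):
    return (check_run_keys(snapshot.registry)
            + find_shadowing_coms(snapshot.files)
            + find_hash_matches(snapshot.files))


# Constructed snapshot resembling an infected host (placeholder hashes).
CONSTRUCTED_SNAPSHOT = HostSnapshot(
    files={
        r"C:\Windows\SysWOW64\cmd.exe": "0" * 64,
        r"C:\Windows\SysWOW64\cmd.com": "1" * 64,
        r"C:\Windows\SysWOW64\regedit.com": "2" * 64,
        r"C:\Windows\SysWOW64\ping.exe": "3" * 64,
        r"C:\Windows\SysWOW64\ping.com": "4" * 64,
        r"C:\Windows\SysWOW64\tasklist.exe": "5" * 64,   # no .com beside it: not flagged
        r"C:\Program Files (x86)\winupdates\winupdates.exe": REPORT_SHA256,
    },
    registry={
        r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run": {
            "winupdates": r"C:\Program Files (x86)\winupdates\winupdates.exe /auto",
            "OneDrive": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        },
    },
)

if __name__ == "__main__":
    for finding in hunt(CONSTRUCTED_SNAPSHOT):
        print(finding)
```

On a real host, replace the constructed snapshot with a directory listing of both System32 and SysWOW64 (a 32-bit process sees SysWOW64 through file system redirection when it opens System32) and an export of both Run keys; the resolution check also accepts a custom PATHEXT, which is how to confirm that reordering .EXE ahead of .COM would stop the shadowing.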
Processes
- C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe (level 1, PID 1664)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b70a0bd6e45135566a7aa9faa196e615.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\winupdates\winupdates.exe (level 2 under PID 1664, PID 4108)
    Command line: "C:\Program Files (x86)\winupdates\winupdates.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 4980)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2276,i,1205556100727695622,5044463180471657307,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 904KB
  MD5: 39f1f99a2555fa9e7e5b851c03de585b
  SHA1: c4c47c78e2ecc31e73d2eabeceed5e8b04a34e5b
  SHA256: 9fa0c708952151908fa2f383b3c07153068d733da107ba9d2ff4b2523143847c
  SHA512: 80c74a056e9e9196e6ec79892160c38b74e0282a0ac9bb10776299931ae70e2fce2c56d2c2c8514a838d910cd71680bc04f27894b6f9fc935f5f9d27cd963164
- Filesize: 549KB
  MD5: 2d44b1cfcd48fdea5abfe23162d0d2c0
  SHA1: c00c007a8b62b9bde38ae06c72344bc5821d5e05
  SHA256: d8f3a70a374584c4e536597421d6dcbdca0eaf8b07da8e21a1aa480a77b5ee1e
  SHA512: 6170b375179a5db32e8a9e6caf0ec7ea5e7f9bf7796093ec95c8925dec5aa57dfd91c5d12a10a1f86d3d6e4473844c594ef5a2aa0ab2102b20449aca1fba3b87
- Filesize: 216KB
  MD5: 77e609512ef9532169a288172ad7d74b
  SHA1: 7449d3b1786d53c25cb737217482afbb8d097399
  SHA256: 4ad4475b2ca6d9dfcabd2d47a4a1169d3619a3f00cf7cb1ca4d73888cbf97a54
  SHA512: c9cd863096d300038ba98555b66148eb75361f3c02eee74c747d7ac883fba0554c2cf6c5c5db3db0157338866daa1581e0166a4cc2035f26de47694c0e021126
- Filesize: 61KB
  MD5: 077aee101adcf2421a1f3e616f79ffdb
  SHA1: bcc7d956c46b73a59fd699b6b567e3bb0f052536
  SHA256: 434a88595f40af95768387c453443b7c4b5653f1d77cdf5554319fc1ee59d2d4
  SHA512: 62a8fd0a565cb6f0c6004261e8ef7a1fadc6b8081ac35ec511141f5ebf1de1f058ffa039d5b2257211632735db894c679e1d346e5b82aeb5ab5f91d44c6639b3
- Filesize: 2B
  MD5: ac6ad5d9b99757c3a878f2d275ace198
  SHA1: 439baa1b33514fb81632aaf44d16a9378c5664fc
  SHA256: 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d
  SHA512: bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b