b3b780ceffb51c3e2f674fc5829423e4907ceca8b3c9f71ca2c5f130a522af4d

Analysis

max time kernel
300s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows Update.exe
Size

9.0MB
MD5

83f4586de2ada8daa6fad9fdc57ba6aa
SHA1

566eb15119f1d2d471d33362b01802ad05f6376a
SHA256

b8bf7f6ad6486d39ba39c09169e9bd9740fbda852e670fcaf5bf5cb5f3fc4a49
SHA512

4ee3fa8934f8ea2075219943547efb9a4f77ae338e093d90236d9bb07b2e84392cba7b93ed7d94254dfd47d5cd584c4bd5c968d825ae1c0806996c29abf1d694
SSDEEP

196608:A66tn2+geSaA9+1wr9NGRGja3/aTLM89wXVM0rlhPekq/IdT+7:IZgjaA41wKKayfM8oK8lZleIdTk

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Windows Update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2824	taskmgr.exe
3012	Windows Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe
2824	taskmgr.exe

C:\Users\Admin\AppData\Local\Temp\Windows Update.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Update.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
PID:3012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2824-11-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2824-14-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2824-13-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2824-12-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3012-3-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-5-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-6-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-9-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-10-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-4-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-0-0x0000000074C00000-0x00000000752EE000-memory.dmp

Filesize
6.9MB

Download
memory/3012-2-0x00000000052A0000-0x00000000052E0000-memory.dmp

Filesize
256KB

Download
memory/3012-1-0x0000000000D30000-0x000000000162E000-memory.dmp

Filesize
9.0MB

Download