5bb86f8428e34d3e0dfde733c0cd7982ddde863d058465c1a45aba4786125669

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update_server.exe
Size

2.6MB
MD5

3d2fb70391afc2f990fe2c9bfa120389
SHA1

9ee21bc4c2a9e49af59ef1ab4312b21de4b559e8
SHA256

5bb86f8428e34d3e0dfde733c0cd7982ddde863d058465c1a45aba4786125669
SHA512

5e2060c8fccedcdcb7f422375599bff351955e93cc6ee6380866653526c397198ce1a48ec0c57dabcbe9271de9c3cd6678e79ab16604696edfb5fa95329fcbb0
SSDEEP

49152:B2u2fcbD7wZJIVfPMa2a3asVSViS0DgG037PB4EbP9Hd7VLUgb:EuqYD0fIVfE03dwTdGW7J4EbF9JJb

Score

6^/10

discovery evasion persistence trojan

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SPUpDateServerrun = "C:\\Program Files (x86)\\hik\\update_server\\startUp.exe"	update_server.tmp

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SPUpDateServer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.MFC\is-CURE4.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-8AFPJ.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-QELIT.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.CRT\is-00UQB.tmp	update_server.tmp
File opened for modification	C:\Program Files (x86)\hik\update_server\log\default.log	SPUpDateServer.exe
File opened for modification	C:\Program Files (x86)\hik\update_server\log\SPUPDATE.log	SPUpDateServer.exe
File created	C:\Program Files (x86)\hik\update_server\is-JIU4N.tmp	update_server.tmp
File opened for modification	C:\Program Files (x86)\hik\update_server\log\HPP.log	SPUpDateServer.exe
File created	C:\Program Files (x86)\hik\update_server\is-DMC0F.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-7SITF.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-LBBEV.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.CRT\is-GKBO3.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-A8L07.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-NSK3J.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-EV5BF.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-NLU2F.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-O1J2O.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-SI36C.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.MFC\is-12DRQ.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.MFC\is-LI8TE.tmp	update_server.tmp
File opened for modification	C:\Program Files (x86)\hik\update_server\unins000.dat	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\unins000.dat	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-DTV3O.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-R07KR.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.CRT\is-O2JUM.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.MFC\is-9GEDR.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-1ACOK.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.CRT\is-7EILS.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\Microsoft.VC90.MFC\is-PK4GR.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-N6MA1.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-GJF13.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-ACH7E.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-SLRJ4.tmp	update_server.tmp
File created	C:\Program Files (x86)\hik\update_server\is-CVOUR.tmp	update_server.tmp

Executes dropped EXE 3 IoCs

pid	Process
2836	update_server.tmp
2864	startUp.exe
2404	SPUpDateServer.exe

Loads dropped DLL 20 IoCs

pid	Process
2732	update_server.exe
2836	update_server.tmp
2836	update_server.tmp
2836	update_server.tmp
2836	update_server.tmp
2836	update_server.tmp
2864	startUp.exe
2864	startUp.exe
2864	startUp.exe
2864	startUp.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe
2404	SPUpDateServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2836	update_server.tmp
2836	update_server.tmp
2864	startUp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2836	update_server.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2732 wrote to memory of 2836	2732	update_server.exe	28
PID 2836 wrote to memory of 2864	2836	update_server.tmp	29
PID 2836 wrote to memory of 2864	2836	update_server.tmp	29
PID 2836 wrote to memory of 2864	2836	update_server.tmp	29
PID 2836 wrote to memory of 2864	2836	update_server.tmp	29
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30
PID 2864 wrote to memory of 2404	2864	startUp.exe	30

C:\Users\Admin\AppData\Local\Temp\update_server.exe
"C:\Users\Admin\AppData\Local\Temp\update_server.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Local\Temp\is-CQ48E.tmp\update_server.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-CQ48E.tmp\update_server.tmp" /SL5="$3013A,2434522,53760,C:\Users\Admin\AppData\Local\Temp\update_server.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Program Files (x86)\hik\update_server\startUp.exe
    "C:\Program Files (x86)\hik\update_server\startUp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Program Files (x86)\hik\update_server\SPUpDateServer.exe
      "C:\Program Files (x86)\hik\update_server\SPUpDateServer.exe"
      4⤵
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\hik\update_server\LIBBZ2.dll

Filesize
182KB

MD5
706b46d3fda945517fa37279a2f6c99b

SHA1
e4c4601b7126fc3c688b661e9b383e91140fb19a

SHA256
3828f6f5f12b55ae904f23ecb2b460a51ca027bf15883e37c83be519668da119

SHA512
7d24596b8529e4085df86b736013732ac6eb03a469796b2f3cc8f4428b65fa1a405ab44e44a871855d59d544e29231240196de80e9e0aaaa35439cc4ec109de0

Download Submit
C:\Program Files (x86)\hik\update_server\LIBEAY32.dll

Filesize
1.1MB

MD5
07570f69ca94f2771a97f5a197d1558d

SHA1
250378908b10a48628c5e2d17806ada78b68b94e

SHA256
1e7c225aa7bddafb8b7af62440b7a3f0ef837c865903c579ebf96d4d4b7fdfea

SHA512
4760bbf8d6ca1ade200b663483ac9859dbed0a6fe602b6ca8c646237c6bf320d579377d15a13dd02cf827ad151c02b261796457bfd14da0771eb0673685b0433

Download Submit
C:\Program Files (x86)\hik\update_server\LocalConfig.xml

Filesize
170B

MD5
a6f63487407c5f9b7d5412dd9389eba8

SHA1
247464b6ebabf392da562d51dc64418848cac5f3

SHA256
218c4d2581b7c47c074797c54676b290ed84d8a1f3eee315650e78879542f56a

SHA512
f313c8e8ba2079e94268a5cab81fe2047f39da43f57b4afb2fce474a0d2073ee9bad17c6c556b5d81f6e0db2abc227f39ee2ba1ac21f082a82a89403fde31194

Download Submit
C:\Program Files (x86)\hik\update_server\hlog.dll

Filesize
1.3MB

MD5
f7bac757d17a077b7dedbdab0feb1e2f

SHA1
db5b2d501a2c51ab8b76feb3731f13aa37f204e9

SHA256
4d2a7a0990613206a3ae327f74a2a6f93a58aedbbc0946d1188608c7177fe447

SHA512
d695872fef7e5354427aba0ee07ba86cb4d10e1a4bf49d53f9fced331d52a24391b8d08e19a6a0f992895c7d508afbac8c226170e7018aefc47eeb30ade0d0cb

Download Submit
C:\Program Files (x86)\hik\update_server\libGetHDSign.dll

Filesize
45KB

MD5
4ab5f3746404730d6b09057a755d459c

SHA1
75e8d77121d48aac6a97396a13af2db617146aa9

SHA256
b9dbfb00875b5b7d84c97b88cbcdb9ad998c4141c2bdd9fc411078f75416b276

SHA512
85892d4a55f841c4315eeda9d5de8b81a8099e30f118b67039d990edd4711dd7c48c710341c46efa954a1f313441d4aeb814c9fd5b27b745cd737b7067c21f4b

Download Submit
C:\Program Files (x86)\hik\update_server\libcurl.dll

Filesize
278KB

MD5
0073978becad70799d49aa1a427e22ef

SHA1
a05fb430937513e5c0990171622f83f1e1f98358

SHA256
5363ec382d8b75e7087cdc6186e73d5b3cd33bf53009b9f3954dd1161af19c56

SHA512
ee05bfed0e1f837bd4766a581264ea45371c7db6cd955da493dd24dff98a7d050e96dbc3b074b552d3f7b0ffe0341dc46254a3bb858f4317f2511ca7726bd1ad

Download Submit
C:\Program Files (x86)\hik\update_server\log4cxx.properties

Filesize
1KB

MD5
060ff5cc1c71404e1d745bf40c592ff8

SHA1
d6acfbf4d9f24ba2522c7ef2632997cc1393601e

SHA256
fef06bde74bb1bd5db8f2e3f25e92a7faf77ca9976f2a7998b74059e24bf4c7d

SHA512
5a18ff2f7ed9f12f412509a23a3a73b2b214e85440205213d024493198e8e777a18c3868c349883a3baf289a0aaf8e0596acea2b9ebd9ae252a7f99b6b8c8b54

Download Submit
\Program Files (x86)\hik\update_server\ClientUpdateLib.dll

Filesize
99KB

MD5
ca58e48ecde82b03dc7856a7b8a11784

SHA1
6cd52615dd7e494ada24c9cec8917b55573dca60

SHA256
2b5474ae7e23e7485c4de589617a75d218fc1575f37e9e693e2fde9f47f81399

SHA512
fff2eeae05207e70a138b7188ede14c8af9ddd2bbe069ad26a03b6bbe3f840d78d2015d39825e747ec62323af6697a01387874179fd4875a3e4a47a07b3ef587

Download Submit
\Program Files (x86)\hik\update_server\SPUpDate.dll

Filesize
242KB

MD5
9c0b31e5d8e62b1d318d08b8bfd7f769

SHA1
865e894a2473fd6f8489e3dbf9739e483dd253c5

SHA256
df2c0cbfe21474d26d659508c123f080925e148cccda91fd4d654ca1f07e9192

SHA512
9df1bacd3e21eaeddc0db0fc344b0974d2744b91a9a007a31e3ede8e92356c8087ca4a33676e2529a57deffcf04414ec14bccad41f108bd4cf725cdd9147a442

Download Submit
\Program Files (x86)\hik\update_server\SPUpDateServer.exe

Filesize
27KB

MD5
5c2931ef7a92300151c46599bae3dbdf

SHA1
ef487cb1e3c5af7cfdcb31cd2425e21902ea07dc

SHA256
13de1ca007cb2f7b985c913d79bb76ae1387ef6c373ab9a74b1502465429e5f4

SHA512
2d057329391b2952f5ed34929f83be1cf64271bffc4303a4e88ff772ec6279e1e740b76b701c490c68952bb1d58bf981e514e6de89cd35c093883eb01601b868

Download Submit
\Program Files (x86)\hik\update_server\ezbspatch.dll

Filesize
11KB

MD5
4e04ce734dfeff0234698d7d72752798

SHA1
f1ba4b244a46d67c1bc6e7c25b95e927e7f55d72

SHA256
1c207d599bf9fd7234911c0f570aff6cb909792818a47d5a1cf33d0e60f0496e

SHA512
3d325123fffcd6338e5c3257bb17bda781df2f505d438651e75f291e921adc5b31484f7d2893efddfa09728bd4bd9fa3963ef9b36bc746da3e3b7e59684277d4

Download Submit
\Program Files (x86)\hik\update_server\hpr.dll

Filesize
148KB

MD5
e982d6233fe5e315256d545527fb4efe

SHA1
18dad0a98fb7911581313d4a320190323677c42d

SHA256
c0321c4841960960d198b3de744af97a28d8e205b53308278539495b6ad1e9ad

SHA512
abdbfcd68387dee776dad7ceff64c2994e2d7335a42d72a1e2edd0adfe07e0cd9dfac6674286f67c1987d15b1429ea19f64f52470f1b9d88f499bffeea9b6b46

Download Submit
\Program Files (x86)\hik\update_server\ssleay32.dll

Filesize
289KB

MD5
8fcaff6e6785acb340da34b5ed512cfd

SHA1
5a63f20eb336e5a16142fae1d765b50fbc851b47

SHA256
d42c33f4faa35185ad88d62d941986c61585c47ea6d292271cd06bc40d78b06c

SHA512
5bd38b1a9ca2170680c2f74b5e3214c87f5ab6770d5674a24af743b2af32f2a0e20ef8e659539ce9894ff2b68b7c1ea378b74a2f93d1e3c7a75cc09e6601217a

Download Submit
\Program Files (x86)\hik\update_server\startUp.exe

Filesize
26KB

MD5
92eef8620c85797b204fbef420d1e375

SHA1
8329e77e7eb6f58b1dc0f3f5725dc5318ca56c28

SHA256
302cf87d753b2968164c1e5b813b73c0dca6dcc641b1ffedc9406d4304c91c6e

SHA512
e3e422f597cf669b4aafda996b63ca2726dd0dc546d9533139e16a566380b32ed6f1775f61d221c568b1b05de070f4f716f0d98a55cd45a9475f79b072573932

Download Submit
\Program Files (x86)\hik\update_server\unins000.exe

Filesize
689KB

MD5
e44f371578d5c0d7df7cb59fee7994a3

SHA1
e5db92eda78429fbd5ef67d73b1fcbe638efdf92

SHA256
a52da542e5180802eb3df43d6a8707e3d8d568d84dc1aaf8f28a5d07d20891fe

SHA512
f4a84e4473113e09f5837e232e9e57407e0e69d585301245a7ba68a842fe27a2dbd9fcd2a3fcfabfc1c14466b9a82df0e8a1c2884c72903f44d8d375e1ff9dab

Download Submit
\Users\Admin\AppData\Local\Temp\is-A6G7Q.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
\Users\Admin\AppData\Local\Temp\is-A6G7Q.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-CQ48E.tmp\update_server.tmp

Filesize
680KB

MD5
9d321c7096f4bcaeb6f3d8d1636e1744

SHA1
c7797576432f72891986e81afd1be1c3aadbb79b

SHA256
43202b0de2e718d35cdf7eb8b34dd35bf3fae85c0ecd2108830230a121284322

SHA512
a4c3a0bb3090a8192ade70f83a1b3a4a74acfe3307fca7bbc70681ea93e88907ecae60023c9d608729dd179e6ffb991212ecb1040b2483b97efaf812ef731624

Download Submit
memory/2404-104-0x0000000000160000-0x00000000001AC000-memory.dmp

Filesize
304KB

Download
memory/2404-110-0x0000000000570000-0x00000000006A4000-memory.dmp

Filesize
1.2MB

Download
memory/2404-100-0x0000000000330000-0x000000000045C000-memory.dmp

Filesize
1.2MB

Download
memory/2404-120-0x00000000001F0000-0x0000000000223000-memory.dmp

Filesize
204KB

Download
memory/2732-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2732-126-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2836-19-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/2836-125-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2836-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download