Analysis
- Max time kernel: 136s
- Max time network: 147s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 20-05-2024 15:22
Behavioral task: behavioral1
- Sample: Updata.exe
- Resource: win7-20231129-en
General
- Target: Updata.exe
- Size: 303KB
- MD5: fa8baa8b5f5e19777e1b20104defff51
- SHA1: a17922c107c303693489530dbfa3bb20afc24e59
- SHA256: 42538f0378843cc317f37ff9731b8c917f6763d811c0fde29bac25b759402f47
- SHA512: 4e2478795dacfe440860f03c8b0e318f238b2d2e09e278c995b49a90415ff275c87645f3d22cbff6102e5db683d4d98f0ef13abb6002eb19c647f86ec8d69d62
- SSDEEP: 6144:4/oT6MDdbICydeBrdEGHpcJWbu6JmA1D0mGW:4/WJEGHpQWaa1DsW
Malware Config
Extracted: 44caliber
- Webhook URL: https://discord.com/api/webhooks/1239246319751528579/IYIQqMQxDmDpiYnpeLyqY8m4ky9T5uSTQX5CVjPoiRejTrVzBHNdk_JlDhnNu15EaRmp
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc): flow 3 -> freegeoip.app; flow 4 -> freegeoip.app
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  - Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Suspicious behavior: EnumeratesProcesses (17 IoCs)
  Processes (pid / process): 4512 Updata.exe (3 events); 4944 taskmgr.exe (14 events)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 4512 Updata.exe
  - Token: SeDebugPrivilege, 4944 taskmgr.exe
  - Token: SeSystemProfilePrivilege, 4944 taskmgr.exe
  - Token: SeCreateGlobalPrivilege, 4944 taskmgr.exe
  - Token: 33, 4944 taskmgr.exe
  - Token: SeIncBasePriorityPrivilege, 4944 taskmgr.exe
- Suspicious use of FindShellTrayWindow (39 IoCs)
  Processes (pid / process): 4944 taskmgr.exe (39 events)
- Suspicious use of SendNotifyMessage (39 IoCs)
  Processes (pid / process): 4944 taskmgr.exe (39 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Updata.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Updata.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- memory/4512-0-0x000001D0B8DA0000-0x000001D0B8DF2000-memory.dmp (328KB)
- memory/4512-1-0x00007FF99C6E3000-0x00007FF99C6E5000-memory.dmp (8KB)
- memory/4512-31-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp (10.8MB)
- memory/4512-32-0x00007FF99C6E0000-0x00007FF99D1A1000-memory.dmp (10.8MB)
- memory/4944-33-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-35-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-34-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-43-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-45-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-44-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-42-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-41-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-40-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)
- memory/4944-39-0x00000186443E0000-0x00000186443E1000-memory.dmp (4KB)