Overview

overview

3

Static

static

1

Update.exe

windows7-x64

3

Update.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    150s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2024 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Update.exe

  • Size

    1.5MB

  • MD5

    d9aefa815c8389953a136125d4baaae6

  • SHA1

    77cb094fb0229e9a3354457ed9b096d5dca11bb9

  • SHA256

    65df86270cfcfdc5612a327a137d64a3e2e71a9109f21cc5ff9868108710ac2d

  • SHA512

    07c8a47ff90ebff621e79354f054de627398c79ab410dc002cc385998994f789beb6c54c87a09651fe34aa70245e37af655b98e0b6b65530c6285dafb262a626

  • SSDEEP

    12288:u6CyLEgR0ro/0EhcXAHjRYSN9bUlOr/oJfT9Pu0XejfQ1JRQ3Tzvx+nDIpnUk:3EgRN/th3VelBPu0XUfWJms0pnp

Score
3/10
discovery

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Update.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:968
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2016
    • C:\Users\Admin\AppData\Local\Temp\Update.exe
      "C:\Users\Admin\AppData\Local\Temp\Update.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      PID:4060
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
      Filesize

      1KB

      MD5

      e57a6e70b8ae6940ed761121e5f86bad

      SHA1

      aa080336f2f6fd47ba55b7d9b5ff21ec27c665a2

      SHA256

      3f9e9790ecc228887f345c8cc495b550487c345c2ddb63aa8d81f45d02741f44

      SHA512

      16dc9d8b849f4a330e81fc8dfbfdc29823fb9fee7983bd9de7b936d14ccf94561b6697d67c237fc11d9720ad212b7c3b34b37921eb50fe315ee1b9678f058d9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log
      Filesize

      67B

      MD5

      908e836b9206db545e0c5fca6ac6e79b

      SHA1

      43260ab2f507c0fc8234767aef33d6168693e6c3

      SHA256

      c398aa23e8aeca8242160d5e3f4f170da7e7f8b9198894fca27ede23d6fe61bd

      SHA512

      25453194867386d5f00ee745d8d0ed37aa2cf8013f67297dea5811ad474889f67a322f2bf123f826a9e9c4cc92dd6f68f45b541695434ac5fb0c9aa43f481856

      Download Submit

    • memory/968-1-0x0000000000530000-0x00000000006A6000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/968-2-0x0000000074880000-0x0000000075030000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/968-5-0x0000000074880000-0x0000000075030000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/968-0-0x000000007488E000-0x000000007488F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-18-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-14-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-13-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-12-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-24-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-23-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-22-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-21-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-20-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2052-19-0x0000018925680000-0x0000018925681000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4060-9-0x0000000074880000-0x0000000075030000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4060-11-0x0000000074880000-0x0000000075030000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4060-8-0x0000000074880000-0x0000000075030000-memory.dmp

      Filesize

      7.7MB

      Download