Analysis
max time kernel: 120s
max time network: 118s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 11/10/2024, 09:27
Behavioral task: behavioral1
Sample: aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Resource: win7-20240903-en
General
Target: aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Size: 986KB
MD5: 22a2278fc97db1a510ef9a2fbf5d7e90
SHA1: 6c180bb95fb3bd856bd941ec6e9096058ba5536b
SHA256: aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5
SHA512: 9810975b5816c8fdb6e218efc09f92b06e795d01cb33fb323b414441b3235eb3c4a174eea514490c5aeb7f6ba10eb238631caf81f7bad3e98b4fd89a92929c58
SSDEEP: 24576:CAEENIq8XwyVPQclDq/+WnpITZ4ATlZfHeuAEx3qs:CAEsw722WnI3PeuAWt
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\x32\\upd.exe" | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | upd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1" | upd.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | upd.exe

Modifies security service (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | upd.exe

Disables RegEdit via registry modification (1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | upd.exe

Disables Task Manager via registry modification

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | upd.exe

Deletes itself (1 IoCs)
pid | Process
2192 | cmd.exe

Executes dropped EXE (1 IoCs)
pid | Process
2548 | upd.exe

Loads dropped DLL (2 IoCs)
pid | Process
1956 | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
1956 | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\x32\\upd.exe" | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\x32\ | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
File created | C:\Windows\x32\upd.exe | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
File opened for modification | C:\Windows\x32\upd.exe | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | upd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2868 | PING.EXE

Checks processor information in registry (2 TTPs, 8 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | upd.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | upd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | upd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | upd.exe

Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | upd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe

Runs ping.exe (1 TTPs, 1 IoCs)
pid | Process
2868 | PING.EXE

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2548 | upd.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Each of the following tokens is adjusted once by pid 1956 (aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe) and once by pid 2548 (upd.exe), 23 entries per process:
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
2548 | upd.exe

Suspicious use of WriteProcessMemory (12 IoCs)
count | description | pid | Process | procid_target
4 | PID 1956 wrote to memory of 2548 | 1956 | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe | 30
4 | PID 1956 wrote to memory of 2192 | 1956 | aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe | 31
4 | PID 2192 wrote to memory of 2868 | 2192 | cmd.exe | 33
Processes

C:\Users\Admin\AppData\Local\Temp\aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5N.exe"
  PID: 1956
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\x32\upd.exe
    Command line: "C:\Windows\x32\upd.exe"
    PID: 2548
    - Modifies firewall policy service
    - Modifies security service
    - Disables RegEdit via registry modification
    - Checks BIOS information in registry
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\_dcsc_.bat" "
    PID: 2192
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 2
      PID: 2868
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (4)
Downloads

Filesize: 138B
MD5: 473cf59101857d250d38fa73cdfeb27c
SHA1: d33d674c92974e04766cc221378ab1b019f8bff8
SHA256: 4d1261de7866d1d9048b4da9f283f256c692d739d0cd7d1e24a1bf4cf43282b0
SHA512: 851a93900fac7d764e41975dfc8242f698861046649530bd105bf76e4313f8de338f99e8231572695e87a3d5537be944aeeaca2cf488cac49c4dd95c04924078

Filesize: 986KB
MD5: 22a2278fc97db1a510ef9a2fbf5d7e90
SHA1: 6c180bb95fb3bd856bd941ec6e9096058ba5536b
SHA256: aea5d3574ce30782d8079cb72ba9d7c7d63e3ef0c7d9f9356297b27b923143d5
SHA512: 9810975b5816c8fdb6e218efc09f92b06e795d01cb33fb323b414441b3235eb3c4a174eea514490c5aeb7f6ba10eb238631caf81f7bad3e98b4fd89a92929c58