Overview

overview

7

Static

static

3

admin.exe

windows10-2004-x64

7

admin.exe

windows10-ltsc_2021-x64

7

admin.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    58s
  • max time network
    60s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    31/03/2025, 15:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    admin.exe

  • Size

    342KB

  • MD5

    6f57a433dc928532f94273e509e1e165

  • SHA1

    4f9193706a8c0276af4c92b7a86d3c7bb04fd4f0

  • SHA256

    a8cb1f70c6f69f6120c2f4e47b5658cca9a27b3fffdc7cbe1056e6ab93383c81

  • SHA512

    6867c52c74bbbe5dd98895f7923bd1c7d7056bb76efe5fcc49c347a7f7ef7ad517178ded20bcfbb9f6b60be591508bbe27ad6db0fcc61c0cbafafab639e9dbd3

  • SSDEEP

    6144:evHh6j8vEoadosWFRLl0cavPTck2tYI26qIPDpS/Lbg3ZKtPNO:ePJERdoVFYcIT/826qIPDpS/3gktFO

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\admin.exe
    "C:\Users\Admin\AppData\Local\Temp\admin.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\admin.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4552
    • C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe
      "C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Update Client" /sc ONLOGON /tr "C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3100
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe" /sc MINUTE /MO 1
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2544
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe
      "C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe"
      2⤵
      • Executes dropped EXE
      PID:784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\WindowsUpdateSettings\Windows Updater.exe
    Filesize

    342KB

    MD5

    6f57a433dc928532f94273e509e1e165

    SHA1

    4f9193706a8c0276af4c92b7a86d3c7bb04fd4f0

    SHA256

    a8cb1f70c6f69f6120c2f4e47b5658cca9a27b3fffdc7cbe1056e6ab93383c81

    SHA512

    6867c52c74bbbe5dd98895f7923bd1c7d7056bb76efe5fcc49c347a7f7ef7ad517178ded20bcfbb9f6b60be591508bbe27ad6db0fcc61c0cbafafab639e9dbd3

    Download Submit

  • memory/2416-0-0x00007FF966A63000-0x00007FF966A65000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2416-1-0x0000000000210000-0x0000000000218000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2416-2-0x000000001AD30000-0x000000001ADCE000-memory.dmp

    Filesize

    632KB

    Download

  • memory/2416-3-0x00007FF966A60000-0x00007FF967522000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2416-4-0x00000000022E0000-0x00000000022F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2416-5-0x000000001ADD0000-0x000000001AE0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2416-9-0x00007FF966A60000-0x00007FF967522000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4628-8-0x00007FF966A60000-0x00007FF967522000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4628-10-0x00007FF966A60000-0x00007FF967522000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4628-16-0x00007FF966A60000-0x00007FF967522000-memory.dmp

    Filesize

    10.8MB

    Download