Analysis

- Max time kernel: 117s
- Max time network: 117s
- Platform: windows7_x64
- Resource: win7-ja-20211014
- Submitted: 21-10-2021 12:47
- Static task: static1
- Behavioral task behavioral1: Software-update-patc_579570356.exe on win7-ja-20211014
- Behavioral task behavioral2: Software-update-patc_579570356.exe on win7-en-20210920
- Behavioral task behavioral3: Software-update-patc_579570356.exe on win7-de-20210920
- Behavioral task behavioral4: Software-update-patc_579570356.exe on win11
- Behavioral task behavioral5: Software-update-patc_579570356.exe on win10-ja-20211014
- Behavioral task behavioral6: Software-update-patc_579570356.exe on win10-en-20211014
- Behavioral task behavioral7: Software-update-patc_579570356.exe on win10-de-20210920
General

- Target: Software-update-patc_579570356.exe
- Size: 4.7MB
- MD5: c027026e244f74549a49e1f98216719c
- SHA1: 9e9b4459e9225a432eef8f97b9193707dd7247b5
- SHA256: bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781
- SHA512: 68953341f9dc46daae4e738bd4418bca5edb22035958ddba46de86cf6e44c8731f49f52763f3addc6e4d5a6cfcb48ee5b1345a2727ba7983b07a9322ae2713d7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  PID 800   Software-update-patc_579570356.tmp
  PID 1124  Voluptatem.exe

- Loads dropped DLL (5 IoCs)
  PID 1660  Software-update-patc_579570356.exe  (1 load)
  PID 800   Software-update-patc_579570356.tmp  (4 loads)

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Drops file in Program Files directory (20 IoCs), all by PID 800 Software-update-patc_579570356.tmp
  opened for modification  C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
  created                  C:\Program Files (x86)\Autem\is-F6LPI.tmp
  created                  C:\Program Files (x86)\Autem\eaque\is-P58K0.tmp
  created                  C:\Program Files (x86)\Autem\eaque\is-P4NI9.tmp
  created                  C:\Program Files (x86)\Autem\rerum\is-QSE74.tmp
  created                  C:\Program Files (x86)\Autem\rerum\is-6V4NM.tmp
  created                  C:\Program Files (x86)\Autem\unins000.dat
  created                  C:\Program Files (x86)\Autem\is-C7S5F.tmp
  created                  C:\Program Files (x86)\Autem\is-AIF1U.tmp
  created                  C:\Program Files (x86)\Autem\eaque\is-R730L.tmp
  created                  C:\Program Files (x86)\Autem\eaque\is-BIIK5.tmp
  created                  C:\Program Files (x86)\Autem\is-ODTEI.tmp
  created                  C:\Program Files (x86)\Autem\eaque\is-AC700.tmp
  created                  C:\Program Files (x86)\Autem\rerum\is-P9T6G.tmp
  created                  C:\Program Files (x86)\Autem\rerum\is-OODKV.tmp
  opened for modification  C:\Program Files (x86)\Autem\unins000.dat
  created                  C:\Program Files (x86)\Autem\is-V5BR3.tmp
  created                  C:\Program Files (x86)\Autem\is-I45V8.tmp
  created                  C:\Program Files (x86)\Autem\is-K2IA1.tmp
  created                  C:\Program Files (x86)\Autem\rerum\is-BV1IR.tmp

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 800   Software-update-patc_579570356.tmp  (2 events)
  PID 1124  Voluptatem.exe                      (2 events)

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 800   Software-update-patc_579570356.tmp

- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1660 Software-update-patc_579570356.exe wrote to memory of PID 800 Software-update-patc_579570356.tmp  (7 events)
  PID 800 Software-update-patc_579570356.tmp wrote to memory of PID 1124 Voluptatem.exe  (4 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe (PID 1660)
   Command line: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\is-M4C3I.tmp\Software-update-patc_579570356.tmp (PID 800, child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-M4C3I.tmp\Software-update-patc_579570356.tmp" /SL5="$3015A,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Autem\rerum\Voluptatem.exe (PID 1124, child of 2)
         Command line (as recorded by the sandbox, including the mixed slash): "C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
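The report spreads the execution chain across three sections and repeats identical WriteProcessMemory lines, which makes the actual behaviour easy to miss: a self-extracting installer relaunches itself from a temporary is-XXXXX.tmp directory with an /SL5= switch, writes a payload under Program Files, and runs it with a single hex token. The is-XXXXX.tmp directory, the _isetup\_iscrypt.dll and _shfoldr.dll helpers, unins000.dat and the /SL5= relaunch switch are all Inno Setup artifacts. The Python below is an added example, not part of the sandbox report or of the sample: it rebuilds the process tree from the WriteProcessMemory lines, parses the /SL5= fields, and flags the dropped executable that was later run. The event strings are transcribed from this page; the helper names and the meaning assigned to the two numeric /SL5= fields are assumptions.

```python
"""Rebuild the execution chain from a Triage-style sandbox report's signature lines."""
import re
from collections import defaultdict

# Constructed input: the lines below are transcribed from this report's
# 'Suspicious use of WriteProcessMemory', 'Drops file in Program Files directory'
# and 'Processes' sections. The report repeats identical WriteProcessMemory lines;
# build_tree() deduplicates the parent/child pairs.
WPM_EVENTS = (
    ["PID 1660 wrote to memory of 800 1660 Software-update-patc_579570356.exe "
     "Software-update-patc_579570356.tmp"] * 7
    + ["PID 800 wrote to memory of 1124 800 Software-update-patc_579570356.tmp "
       "Voluptatem.exe"] * 4
)
DROP_EVENTS = [  # subset of the 20 IoCs, same shape as the report's lines
    r"File opened for modification C:\Program Files (x86)\Autem\rerum\Voluptatem.exe Software-update-patc_579570356.tmp",
    r"File created C:\Program Files (x86)\Autem\is-F6LPI.tmp Software-update-patc_579570356.tmp",
    r"File created C:\Program Files (x86)\Autem\unins000.dat Software-update-patc_579570356.tmp",
]
CMDLINES = {  # PID -> command line, from the Processes section (recorded verbatim)
    1660: r'"C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"',
    800: r'"C:\Users\Admin\AppData\Local\Temp\is-M4C3I.tmp\Software-update-patc_579570356.tmp" '
         r'/SL5="$3015A,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"',
    1124: r'"C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59',
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
DROP_RE = re.compile(r"File (?:created|opened for modification) (.+?) (\S+)$")
# Inno Setup's setup.exe relaunches its extracted setup.tmp with /SL5="$hwnd,off0,off1,path".
SL5_RE = re.compile(r'/SL5="\$([0-9A-Fa-f]+),(\d+),(\d+),([^"]+)"')


def build_tree(events):
    """Map parent PID -> child PIDs and PID -> image name from WriteProcessMemory lines.
    CreateProcess writes into the child it just spawned, which is why this signature
    fires once per parent/child pair; the edges therefore double as a process tree."""
    children, names = defaultdict(list), {}
    for line in events:
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        names[src], names[dst] = m[3], m[4]
        if dst not in children[src]:
            children[src].append(dst)
    return dict(children), names


def leaf_paths(pid, children, names, prefix=()):
    """Return every root-to-leaf chain of image names below `pid`."""
    prefix += (names[pid],)
    kids = children.get(pid, [])
    if not kids:
        return [prefix]
    return [p for k in kids for p in leaf_paths(k, children, names, prefix)]


def parse_sl5(cmdline):
    """Extract the /SL5= fields. Field meanings are an assumption based on Inno Setup's
    SetupLdr convention: a hex window handle ('$' is Delphi's hex prefix), two byte
    offsets into the original setup.exe, and that executable's path."""
    m = SL5_RE.search(cmdline)
    if not m:
        return None
    return {"hwnd": int(m[1], 16), "offset0": int(m[2]), "offset1": int(m[3]), "source": m[4]}


def dropped_then_executed(drop_events, cmdlines):
    """Return (pid, dropped_path, args) for each process whose image was first written
    under Program Files by another process: the 'Executes dropped EXE' pattern."""
    dropped = {}
    for line in drop_events:
        m = DROP_RE.match(line)
        if m and m[1].lower().endswith(".exe"):
            dropped[re.split(r"[\\/]", m[1])[-1].lower()] = m[1]
    hits = []
    for pid, cmd in cmdlines.items():
        image, _, args = cmd.lstrip('"').partition('"')
        base = re.split(r"[\\/]", image)[-1].lower()  # tolerates the mixed '/\' in the path
        if base in dropped:
            hits.append((pid, dropped[base], args.strip()))
    return hits


def analyze(wpm_events=WPM_EVENTS, drop_events=DROP_EVENTS, cmdlines=CMDLINES):
    children, names = build_tree(wpm_events)
    roots = [p for p in names if not any(p in kids for kids in children.values())]
    chains = [c for r in roots for c in leaf_paths(r, children, names)]
    sl5 = next((s for s in map(parse_sl5, cmdlines.values()) if s), None)
    hits = dropped_then_executed(drop_events, cmdlines)
    # A bare 32-hex-digit argument to a dropped payload is worth surfacing; the report
    # does not say what this one is used for.
    tokens = [(pid, a) for pid, _, a in hits if re.fullmatch(r"[0-9a-f]{32}", a)]
    return {"chains": chains, "sl5": sl5, "dropped_executed": hits, "hex_token_args": tokens}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

Run as a script it prints one chain, installer .exe to .tmp to Voluptatem.exe, the parsed /SL5= fields, and the dropped executable together with its 32-hex-digit argument. The same parsing applies to any report in this format; only the three constructed inputs at the top are specific to this sample.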
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files (x86)\Autem\rerum\Voluptatem.exe (also recorded as \Program Files (x86)\Autem\rerum\Voluptatem.exe)
  MD5     0c56ac590273d1feb7c0564c809915a5
  SHA1    2a17747673000c17634113e634e4166152a88688
  SHA256  850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e
  SHA512  95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4

- C:\Users\Admin\AppData\Local\Temp\is-M4C3I.tmp\Software-update-patc_579570356.tmp (also recorded as \Users\Admin\AppData\Local\Temp\is-M4C3I.tmp\Software-update-patc_579570356.tmp)
  MD5     4caf2ca22417bb2cd44c0d0daf5fdd8b
  SHA1    bdb2b86d9c033785c9b1db5618986030b2852ffd
  SHA256  a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
  SHA512  ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da

- \Users\Admin\AppData\Local\Temp\is-R9K39.tmp\_isetup\_iscrypt.dll
  MD5     a69559718ab506675e907fe49deb71e9
  SHA1    bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256  2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512  e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

- \Users\Admin\AppData\Local\Temp\is-R9K39.tmp\_isetup\_shfoldr.dll
  MD5     92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1    3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256  9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512  9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- memory/800-59-0x0000000000000000-mapping.dmp
- memory/800-63-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/800-67-0x0000000074141000-0x0000000074143000-memory.dmp (8KB)
- memory/1124-70-0x0000000000000000-mapping.dmp
- memory/1124-72-0x0000000000400000-0x0000000001860000-memory.dmp (20.4MB)
- memory/1124-75-0x0000000000370000-0x0000000000371000-memory.dmp (4KB)
- memory/1124-74-0x0000000000400000-0x0000000001860000-memory.dmp (20.4MB)
- memory/1660-55-0x0000000074931000-0x0000000074933000-memory.dmp (8KB)
- memory/1660-61-0x0000000000400000-0x000000000047C000-memory.dmp (496KB)