Analysis
- max time kernel: 119s
- max time network: 147s
- platform: windows7_x64
- resource: win7-de-20210920
- submitted: 21-10-2021 12:47
Static task: static1
Behavioral task behavioral1: Sample Software-update-patc_579570356.exe, Resource win7-ja-20211014
Behavioral task behavioral2: Sample Software-update-patc_579570356.exe, Resource win7-en-20210920
Behavioral task behavioral3: Sample Software-update-patc_579570356.exe, Resource win7-de-20210920
Behavioral task behavioral4: Sample Software-update-patc_579570356.exe, Resource win11
Behavioral task behavioral5: Sample Software-update-patc_579570356.exe, Resource win10-ja-20211014
Behavioral task behavioral6: Sample Software-update-patc_579570356.exe, Resource win10-en-20211014
Behavioral task behavioral7: Sample Software-update-patc_579570356.exe, Resource win10-de-20210920
General
- Target: Software-update-patc_579570356.exe
- Size: 4.7MB
- MD5: c027026e244f74549a49e1f98216719c
- SHA1: 9e9b4459e9225a432eef8f97b9193707dd7247b5
- SHA256: bd20ddd34d178d08736818991be6d5d8e4d62d81180d1d293ffafb1418bf2781
- SHA512: 68953341f9dc46daae4e738bd4418bca5edb22035958ddba46de86cf6e44c8731f49f52763f3addc6e4d5a6cfcb48ee5b1345a2727ba7983b07a9322ae2713d7
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1704 Software-update-patc_579570356.tmp
    304 Voluptatem.exe
- Loads dropped DLL (5 IoCs)
  Processes (pid, process):
    108 Software-update-patc_579570356.exe
    1704 Software-update-patc_579570356.tmp
    1704 Software-update-patc_579570356.tmp
    1704 Software-update-patc_579570356.tmp
    1704 Software-update-patc_579570356.tmp
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (20 IoCs)
  Processes (description, ioc, process):
    File created C:\Program Files (x86)\Autem\is-MAT5C.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-49ML6.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-04PSS.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\eaque\is-QAOCV.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\eaque\is-1AER1.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\rerum\is-TK71K.tmp Software-update-patc_579570356.tmp
    File opened for modification C:\Program Files (x86)\Autem\unins000.dat Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-0SC2K.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\rerum\is-5STBK.tmp Software-update-patc_579570356.tmp
    File opened for modification C:\Program Files (x86)\Autem\rerum\Voluptatem.exe Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-8T86K.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-2GGNK.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\eaque\is-D1IUU.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\rerum\is-JLTOB.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\unins000.dat Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\is-TU2OA.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\eaque\is-NRAJQ.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\eaque\is-ETUIL.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\rerum\is-LAFNB.tmp Software-update-patc_579570356.tmp
    File created C:\Program Files (x86)\Autem\rerum\is-GRBF4.tmp Software-update-patc_579570356.tmp
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes (pid, process):
    1704 Software-update-patc_579570356.tmp
    1704 Software-update-patc_579570356.tmp
    304 Voluptatem.exe
    304 Voluptatem.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
    1704 Software-update-patc_579570356.tmp
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 108 wrote to memory of 1704; 108 Software-update-patc_579570356.exe -> Software-update-patc_579570356.tmp
    PID 1704 wrote to memory of 304; 1704 Software-update-patc_579570356.tmp -> Voluptatem.exe
    PID 1704 wrote to memory of 304; 1704 Software-update-patc_579570356.tmp -> Voluptatem.exe
    PID 1704 wrote to memory of 304; 1704 Software-update-patc_579570356.tmp -> Voluptatem.exe
    PID 1704 wrote to memory of 304; 1704 Software-update-patc_579570356.tmp -> Voluptatem.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp" /SL5="$4010A,4499537,466944,C:\Users\Admin\AppData\Local\Temp\Software-update-patc_579570356.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
      Command line: "C:\Program Files (x86)\Autem/\rerum\Voluptatem.exe" b0ad3d01dc1c01fd7e87a06144c12f59
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Autem\rerum\Voluptatem.exe
  MD5: 0c56ac590273d1feb7c0564c809915a5
  SHA1: 2a17747673000c17634113e634e4166152a88688
  SHA256: 850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e
  SHA512: 95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4
- C:\Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
  MD5: 4caf2ca22417bb2cd44c0d0daf5fdd8b
  SHA1: bdb2b86d9c033785c9b1db5618986030b2852ffd
  SHA256: a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
  SHA512: ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
- \Program Files (x86)\Autem\rerum\Voluptatem.exe
  MD5: 0c56ac590273d1feb7c0564c809915a5
  SHA1: 2a17747673000c17634113e634e4166152a88688
  SHA256: 850f46f685e44dcbafd8a61fa5881b0f4471cf3441342b3fe8c0a2559ec4c15e
  SHA512: 95a86884d2950687064ddb348184133e26c56c617297ee992daefa05ff7f1cf8e544208048462ac173d66ed5eb291fd6d860d324721a1441d76a11a62df8ebc4
- \Users\Admin\AppData\Local\Temp\is-07T5B.tmp\_isetup\_iscrypt.dll
  MD5: a69559718ab506675e907fe49deb71e9
  SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
  SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
  SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
- \Users\Admin\AppData\Local\Temp\is-07T5B.tmp\_isetup\_shfoldr.dll
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
- \Users\Admin\AppData\Local\Temp\is-C2PN7.tmp\Software-update-patc_579570356.tmp
  MD5: 4caf2ca22417bb2cd44c0d0daf5fdd8b
  SHA1: bdb2b86d9c033785c9b1db5618986030b2852ffd
  SHA256: a1c11ed2d5bb2399e27a35e04114a5e244e4ae251c905160ffa1fefe1530d7b4
  SHA512: ff99d66ae326d6f63243e7e732bf69417ca4732686095cffb59f80d53b4bb44a9ea74900f04d64f3bfa047ec1e962ed81ce78d9ebbe009ddd58097e7ce3913da
- memory/108-64-0x0000000000400000-0x000000000047C000-memory.dmp (Filesize 496KB)
- memory/108-54-0x0000000076291000-0x0000000076293000-memory.dmp (Filesize 8KB)
- memory/304-69-0x0000000000000000-mapping.dmp
- memory/304-71-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
- memory/304-73-0x0000000000400000-0x0000000001860000-memory.dmp (Filesize 20.4MB)
- memory/304-74-0x00000000018D0000-0x00000000018D1000-memory.dmp (Filesize 4KB)
- memory/1704-66-0x0000000074651000-0x0000000074653000-memory.dmp (Filesize 8KB)
- memory/1704-65-0x0000000000240000-0x0000000000241000-memory.dmp (Filesize 4KB)
- memory/1704-58-0x0000000000000000-mapping.dmp