2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

Analysis

max time kernel
137s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-06-2022 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
Size

825KB
MD5

91a939ac483d6fc201bce7807ec673d3
SHA1

bd8ba0259c9f69636ac5ff284547232e01dbd888
SHA256

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86
SHA512

41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 2 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1344-66-0x0000000002540000-0x00000000025D0000-memory.dmp	MailPassView
behavioral1/memory/1344-69-0x00000000773F0000-0x0000000077570000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral1/memory/1344-66-0x0000000002540000-0x00000000025D0000-memory.dmp	WebBrowserPassView
behavioral1/memory/1344-69-0x00000000773F0000-0x0000000077570000-memory.dmp	WebBrowserPassView

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1344-66-0x0000000002540000-0x00000000025D0000-memory.dmp	Nirsoft
behavioral1/memory/1344-69-0x00000000773F0000-0x0000000077570000-memory.dmp	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

Windows Update.exeWindows Update.exe

pid process

2044 Windows Update.exe
1712 Windows Update.exe

pid	process
2044	Windows Update.exe
1712	Windows Update.exe

Loads dropped DLL 8 IoCs

Processes:

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exeWindows Update.exeWindows Update.exe

pid	process
1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
2044	Windows Update.exe
2044	Windows Update.exe
2044	Windows Update.exe
2044	Windows Update.exe
1712	Windows Update.exe
1712	Windows Update.exe
1712	Windows Update.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exeWindows Update.exe

description	pid	process	target process
PID 1992 set thread context of 1344	1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
PID 2044 set thread context of 1712	2044	Windows Update.exe	Windows Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exeWindows Update.exe

pid process

1992 2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
2044 Windows Update.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe

pid process

1344 2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe

pid	process
1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
2044	Windows Update.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exeWindows Update.exe

description	pid	process	target process
PID 1992 wrote to memory of 1344	1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
PID 1992 wrote to memory of 1344	1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
PID 1992 wrote to memory of 1344	1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
PID 1992 wrote to memory of 1344	1992	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 1344 wrote to memory of 2044	1344	2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe
PID 2044 wrote to memory of 1712	2044	Windows Update.exe	Windows Update.exe

C:\Users\Admin\AppData\Local\Temp\2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
"C:\Users\Admin\AppData\Local\Temp\2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe
C:\Users\Admin\AppData\Local\Temp\2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86.exe"
2⤵
- Loads dropped DLL
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Windows Update.exe
C:\Users\Admin\AppData\Roaming\Windows Update.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
825KB

MD5
91a939ac483d6fc201bce7807ec673d3

SHA1
bd8ba0259c9f69636ac5ff284547232e01dbd888

SHA256
2f79996a4e3c810984fdfeb1df611ff3a1b3d6e983fee3111eff8f84f1f60c86

SHA512
41f7e94fce592a1a2e2b0e36d04d6cdbb0c19b7ebc6538cebd254ae4baf06e2e52655d8c474b8fb785273d40e8d08e4673c1152f6dfd2da8d62e86c89e743de5

Download Submit
memory/1344-70-0x00000000773F0000-0x0000000077570000-memory.dmp

Filesize
1.5MB

Download
memory/1344-69-0x00000000773F0000-0x0000000077570000-memory.dmp

Filesize
1.5MB

Download
memory/1344-66-0x0000000002540000-0x00000000025D0000-memory.dmp

Filesize
576KB

Download
memory/1344-76-0x00000000773F0000-0x0000000077570000-memory.dmp

Filesize
1.5MB

Download
memory/1344-77-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1344-71-0x00000000745C0000-0x0000000074B6B000-memory.dmp

Filesize
5.7MB

Download
memory/1344-58-0x00000000004AEF5B-mapping.dmp

Download
memory/1712-85-0x00000000004AEF5B-mapping.dmp

Download
memory/1992-59-0x00000000773F0000-0x0000000077570000-memory.dmp

Filesize
1.5MB

Download
memory/1992-57-0x0000000074E91000-0x0000000074E93000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2044-88-0x00000000773F0000-0x0000000077570000-memory.dmp

Filesize
1.5MB

Download
memory/2044-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads