Analysis
- max time kernel: 78s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 22-06-2022 13:51
Static task: static1
Behavioral task: behavioral1
- Sample: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
- Resource: win10v2004-20220414-en
General
- Target: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
- Size: 502KB
- MD5: 3d04655fff9858e8791c55ae2044a960
- SHA1: fe8126d174403cb0ee84487497f4bc4bfeb3897c
- SHA256: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
- SHA512: faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
Malware Config
Signatures
- NirSoft MailPassView (4 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
    \Users\Admin\AppData\Roaming\Windows Update.exe | MailPassView
- NirSoft WebBrowserPassView (4 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
    \Users\Admin\AppData\Roaming\Windows Update.exe | WebBrowserPassView
- Nirsoft (4 IoCs)
  Processes:
    resource | yara_rule
    \Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
    C:\Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
    \Users\Admin\AppData\Roaming\Windows Update.exe | Nirsoft
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    2044 | Windows Update.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
    956 | dw20.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 1668 wrote to memory of 2044 | 1668 | 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe | Windows Update.exe
    PID 2044 wrote to memory of 956 | 2044 | Windows Update.exe | dw20.exe
    PID 2044 wrote to memory of 956 | 2044 | Windows Update.exe | dw20.exe
    PID 2044 wrote to memory of 956 | 2044 | Windows Update.exe | dw20.exe
    PID 2044 wrote to memory of 956 | 2044 | Windows Update.exe | dw20.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"
  Depth: 1
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    Depth: 2
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      Command line: dw20.exe -x -s 688
      Depth: 3
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 502KB
  MD5: 3d04655fff9858e8791c55ae2044a960
  SHA1: fe8126d174403cb0ee84487497f4bc4bfeb3897c
  SHA256: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
  SHA512: faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
- \Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 502KB
  MD5: 3d04655fff9858e8791c55ae2044a960
  SHA1: fe8126d174403cb0ee84487497f4bc4bfeb3897c
  SHA256: 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
  SHA512: faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4
- memory/956-62-0x0000000000000000-mapping.dmp
- memory/1668-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp
  Filesize: 8KB
- memory/1668-55-0x0000000074E10000-0x00000000753BB000-memory.dmp
  Filesize: 5.7MB
- memory/1668-56-0x0000000074E10000-0x00000000753BB000-memory.dmp
  Filesize: 5.7MB
- memory/1668-63-0x0000000074E10000-0x00000000753BB000-memory.dmp
  Filesize: 5.7MB
- memory/2044-58-0x0000000000000000-mapping.dmp
- memory/2044-64-0x0000000074E10000-0x00000000753BB000-memory.dmp
  Filesize: 5.7MB
- memory/2044-67-0x0000000074E10000-0x00000000753BB000-memory.dmp
  Filesize: 5.7MB