2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3

General

Target

2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
Size

502KB
MD5

3d04655fff9858e8791c55ae2044a960
SHA1

fe8126d174403cb0ee84487497f4bc4bfeb3897c
SHA256

2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3
SHA512

faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4

Score

9^/10

Malware Config

Signatures

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	MailPassView

NirSoft WebBrowserPassView 4 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
C:\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView
\Users\Admin\AppData\Roaming\Windows Update.exe	WebBrowserPassView

Nirsoft 4 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft
\Users\Admin\AppData\Roaming\Windows Update.exe	Nirsoft

Executes dropped EXE 1 IoCs

Processes:

Windows Update.exe

pid process

2044 Windows Update.exe
Loads dropped DLL 2 IoCs

Processes:

2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exedw20.exe

pid process

1668 2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
956 dw20.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2044	Windows Update.exe

pid	process
1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
956	dw20.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exeWindows Update.exe

description	pid	process	target process
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 1668 wrote to memory of 2044	1668	2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe	Windows Update.exe
PID 2044 wrote to memory of 956	2044	Windows Update.exe	dw20.exe
PID 2044 wrote to memory of 956	2044	Windows Update.exe	dw20.exe
PID 2044 wrote to memory of 956	2044	Windows Update.exe	dw20.exe
PID 2044 wrote to memory of 956	2044	Windows Update.exe	dw20.exe

C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe
"C:\Users\Admin\AppData\Local\Temp\2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Roaming\Windows Update.exe
"C:\Users\Admin\AppData\Roaming\Windows Update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 688
3⤵
- Loads dropped DLL
PID:956

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
502KB

MD5
3d04655fff9858e8791c55ae2044a960

SHA1
fe8126d174403cb0ee84487497f4bc4bfeb3897c

SHA256
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3

SHA512
faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
502KB

MD5
3d04655fff9858e8791c55ae2044a960

SHA1
fe8126d174403cb0ee84487497f4bc4bfeb3897c

SHA256
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3

SHA512
faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
502KB

MD5
3d04655fff9858e8791c55ae2044a960

SHA1
fe8126d174403cb0ee84487497f4bc4bfeb3897c

SHA256
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3

SHA512
faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4

Download Submit
\Users\Admin\AppData\Roaming\Windows Update.exe
Filesize
502KB

MD5
3d04655fff9858e8791c55ae2044a960

SHA1
fe8126d174403cb0ee84487497f4bc4bfeb3897c

SHA256
2dc1247e145ab0f302b661fa5bd0ce4ff2becab31fde1d8b1f827e4e36b793a3

SHA512
faa202892cf1f22dc35beef393bc1f6bf15c7c386af452d16e328a4777eba41cf23c842c263dc0e302c015b6b7620ff3897699addf21017a7702db5c03b518a4

Download Submit
memory/956-62-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1668-55-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-56-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/1668-63-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download
memory/2044-64-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download
memory/2044-67-0x0000000074E10000-0x00000000753BB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads