Analysis

- max time kernel: 150s
- max time network: 45s
- platform: windows7_x64
- resource: win7-20220718-en
- resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2022 18:28

Static task: static1
Behavioral task: behavioral1
Sample: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
Resource: win7-20220718-en
General

- Target: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
- Size: 922KB
- MD5: 7e6095adef252a307789fde2a472da27
- SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
- SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
- SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  resource: behavioral1/memory/948-66-0x0000000000690000-0x0000000000720000-memory.dmp | yara_rule: MailPassView

- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  resource: behavioral1/memory/948-66-0x0000000000690000-0x0000000000720000-memory.dmp | yara_rule: WebBrowserPassView

- Nirsoft (1 IoC)
  resource: behavioral1/memory/948-66-0x0000000000690000-0x0000000000720000-memory.dmp | yara_rule: Nirsoft
- Executes dropped EXE (2 IoCs)
  pid | Process
  1780 | Windows Update.exe
  1680 | Windows Update.exe

- Loads dropped DLL (8 IoCs)
  pid | Process
  948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
  1780 | Windows Update.exe
  1780 | Windows Update.exe
  1780 | Windows Update.exe
  1780 | Windows Update.exe
  1680 | Windows Update.exe
  1680 | Windows Update.exe
  1680 | Windows Update.exe

- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 2020 set thread context of 948 | 2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 28
  PID 1780 set thread context of 1680 | 1780 | Windows Update.exe | 30
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe
  1780 | Windows Update.exe

- Suspicious use of UnmapMainImage (1 IoC)
  pid | Process
  948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe

- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 2020 wrote to memory of 948 | 2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 28
  PID 2020 wrote to memory of 948 | 2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 28
  PID 2020 wrote to memory of 948 | 2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 28
  PID 2020 wrote to memory of 948 | 2020 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 28
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 948 wrote to memory of 1780 | 948 | 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe | 29
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
  PID 1780 wrote to memory of 1680 | 1780 | Windows Update.exe | 30
Processes

- C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (depth 1, PID 2020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe (depth 2, PID 948)
    Command line: C:\Users\Admin\AppData\Local\Temp\510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e.exe"
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 3, PID 1780)
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      - C:\Users\Admin\AppData\Roaming\Windows Update.exe (depth 4, PID 1680)
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 922KB
  MD5: 7e6095adef252a307789fde2a472da27
  SHA1: 45ea251ad20c3664f2a527b70658a1bd77577d18
  SHA256: 510573af752c0027d747054982ae4823c2fec5c0e22c88732882fe5479adb42e
  SHA512: 94473305ec14cba709228267229f80b036212b52a18f5a6cb2f15fb715375bfb2a3f1c1a6b9bbe1a2bf2d1cb5010dc2be0e2ce875ce3c6c29a586fd4b21d8974