Analysis

max time kernel:  149s
max time network: 156s
platform:         windows7_x64
resource:         win7-20220718-en
resource tags:    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted:        20-07-2022 18:03
Static task: static1

Behavioral task: behavioral1
  Sample:   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  Resource: win7-20220718-en

Behavioral task: behavioral2
  Sample:   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  Resource: win10v2004-20220718-en
General

Target: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
Size:   950KB
MD5:    72a29aa3364417f3194f8e34fad82668
SHA1:   cf4940254b4e130addb8b76f6d654bd423fc341c
SHA256: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42
SHA512: 0f2a2b3d7344325050f8c92b2f6d260971581b722f9a7abb2277f761a3bc70f6300e1f09180f40c48f90a5c9dfd9c6ab87ec43b63bd4efc8b7697cfff41f5d82
Malware Config
Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
  resource                                                                      yara_rule
  behavioral1/memory/1328-66-0x0000000001CE0000-0x0000000001D70000-memory.dmp   MailPassView
  behavioral1/memory/1328-69-0x00000000779D0000-0x0000000077B50000-memory.dmp   MailPassView
  behavioral1/memory/544-98-0x00000000025B0000-0x0000000002640000-memory.dmp    MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
  resource                                                                      yara_rule
  behavioral1/memory/1328-66-0x0000000001CE0000-0x0000000001D70000-memory.dmp   WebBrowserPassView
  behavioral1/memory/1328-69-0x00000000779D0000-0x0000000077B50000-memory.dmp   WebBrowserPassView
  behavioral1/memory/544-98-0x00000000025B0000-0x0000000002640000-memory.dmp    WebBrowserPassView

Nirsoft (3 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1328-66-0x0000000001CE0000-0x0000000001D70000-memory.dmp   Nirsoft
  behavioral1/memory/1328-69-0x00000000779D0000-0x0000000077B50000-memory.dmp   Nirsoft
  behavioral1/memory/544-98-0x00000000025B0000-0x0000000002640000-memory.dmp    Nirsoft

Executes dropped EXE (2 IoCs)
  pid    Process
  1968   Windows Update.exe
  544    Windows Update.exe

Deletes itself (1 IoCs)
  pid    Process
  544    Windows Update.exe

Loads dropped DLL (8 IoCs)
  pid    Process
  1328   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  1968   Windows Update.exe
  1968   Windows Update.exe
  1968   Windows Update.exe
  1968   Windows Update.exe
  544    Windows Update.exe
  544    Windows Update.exe
  544    Windows Update.exe

Suspicious use of SetThreadContext (2 IoCs)
  description                              pid    Process                                                                  procid_target
  PID 1364 set thread context of 1328      1364   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe   28
  PID 1968 set thread context of 544       1968   Windows Update.exe                                                       30

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid    Process
  1364   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  1968   Windows Update.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid    Process
  1328   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  544    Windows Update.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description                              pid    Process                                                                  procid_target   entries
  PID 1364 wrote to memory of 1328         1364   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe   28              4 identical rows
  PID 1328 wrote to memory of 1968         1328   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe   29              7 identical rows
  PID 1968 wrote to memory of 544          1968   Windows Update.exe                                                       30              7 identical rows
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe"
  PID: 1364
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe"
    PID: 1328
    - Loads dropped DLL
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 1968
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        PID: 544
        - Executes dropped EXE
        - Deletes itself
        - Loads dropped DLL
        - Suspicious use of UnmapMainImage

Network
MITRE ATT&CK Enterprise v6
Downloads

Entry 1
  Filesize: 102B
  MD5:      9f4ef3b0f356638ebb3f2a3e8ab0eb0c
  SHA1:     c11bf6ee80afb55b1435789775e2aa753c90c8dd
  SHA256:   6d580e6f0efd757b2480a5168b47229c5580cd0b17af19a08d23a1a343d30e88
  SHA512:   8c0f79b4254df77a0830dde96b6b2d60584537dd6233da004d71c6c68e468ceee0f3c2c66edb1981d4cf0a475a0ae737f9054f90016439d5387fa5fd8ef00114

Entries 2 to 12 (11 entries with identical hashes, matching the submitted sample)
  Filesize: 950KB
  MD5:      72a29aa3364417f3194f8e34fad82668
  SHA1:     cf4940254b4e130addb8b76f6d654bd423fc341c
  SHA256:   4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42
  SHA512:   0f2a2b3d7344325050f8c92b2f6d260971581b722f9a7abb2277f761a3bc70f6300e1f09180f40c48f90a5c9dfd9c6ab87ec43b63bd4efc8b7697cfff41f5d82