Analysis
- max time kernel: 130s
- max time network: 76s
- platform: windows10-2004_x64
- resource: win10v2004-20220718-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2022 18:03
Static task: static1
Behavioral task: behavioral1
- Sample: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
- Resource: win10v2004-20220718-en
General
- Target: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
- Size: 950KB
- MD5: 72a29aa3364417f3194f8e34fad82668
- SHA1: cf4940254b4e130addb8b76f6d654bd423fc341c
- SHA256: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42
- SHA512: 0f2a2b3d7344325050f8c92b2f6d260971581b722f9a7abb2277f761a3bc70f6300e1f09180f40c48f90a5c9dfd9c6ab87ec43b63bd4efc8b7697cfff41f5d82
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/memory/2564-140-0x00000000021F0000-0x0000000002280000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/memory/2564-140-0x00000000021F0000-0x0000000002280000-memory.dmp | WebBrowserPassView
- Nirsoft (1 IoC)
  resource | yara_rule
  behavioral2/memory/2564-140-0x00000000021F0000-0x0000000002280000-memory.dmp | Nirsoft
- Executes dropped EXE (2 IoCs)
  pid | Process
  2608 | Windows Update.exe
  2044 | Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1178428168-2939480073-3055857545-1000\Control Panel\International\Geo\Nation | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 3224 set thread context of 2564 | 3224 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 75
  PID 2608 set thread context of 2044 | 2608 | Windows Update.exe | 77
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  3224 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  2608 | Windows Update.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 3224 wrote to memory of 2564 | 3224 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 75
  PID 3224 wrote to memory of 2564 | 3224 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 75
  PID 3224 wrote to memory of 2564 | 3224 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 75
  PID 2564 wrote to memory of 2608 | 2564 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 76
  PID 2564 wrote to memory of 2608 | 2564 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 76
  PID 2564 wrote to memory of 2608 | 2564 | 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe | 76
  PID 2608 wrote to memory of 2044 | 2608 | Windows Update.exe | 77
  PID 2608 wrote to memory of 2044 | 2608 | Windows Update.exe | 77
  PID 2608 wrote to memory of 2044 | 2608 | Windows Update.exe | 77
Processes
- C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3224
  - C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 2564
    - C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2608
      - C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        - Executes dropped EXE
        PID: 2044
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 950KB
  MD5: 72a29aa3364417f3194f8e34fad82668
  SHA1: cf4940254b4e130addb8b76f6d654bd423fc341c
  SHA256: 4e4da37e825b035f8be12be4d37fffcd76b1e93b216c99e0e12d585697dafc42
  SHA512: 0f2a2b3d7344325050f8c92b2f6d260971581b722f9a7abb2277f761a3bc70f6300e1f09180f40c48f90a5c9dfd9c6ab87ec43b63bd4efc8b7697cfff41f5d82