Analysis
- max time kernel: 157s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220722-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220722-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-07-2022 05:20
Static task: static1
Behavioral task: behavioral1
- Sample: 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
- Resource: win7-20220718-en
Behavioral task: behavioral2
- Sample: 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
- Resource: win10v2004-20220722-en
General
- Target: 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
- Size: 958KB
- MD5: a469bc3854c73406e2c2a533cf60de93
- SHA1: f3e4070d2f091e44068349e07ffe5532ac1b80b8
- SHA256: 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b
- SHA512: 02146bd2d7c094e4470e330028c8e9a06d755f0d85aab6eca3426486eb3f478571fbc5bf74489b7439d299f96d438a3d558eacddee82869246dff00c05ac1b3b
Malware Config
Signatures
- NirSoft MailPassView (1 IoC)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    behavioral2/memory/380-143-0x0000000002B20000-0x0000000002BB0000-memory.dmp | MailPassView
- NirSoft WebBrowserPassView (1 IoC)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    behavioral2/memory/380-143-0x0000000002B20000-0x0000000002BB0000-memory.dmp | WebBrowserPassView
- Nirsoft (1 IoC)
  Processes:
    resource | yara_rule
    behavioral2/memory/380-143-0x0000000002B20000-0x0000000002BB0000-memory.dmp | Nirsoft
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    1672 | Windows Update.exe
    3736 | Windows Update.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 2392 set thread context of 380 | 2392 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
    PID 1672 set thread context of 3736 | 1672 | Windows Update.exe | Windows Update.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid | process
    2392 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
    1672 | Windows Update.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description | pid | process | target process
    PID 2392 wrote to memory of 380 | 2392 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
    PID 2392 wrote to memory of 380 | 2392 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
    PID 2392 wrote to memory of 380 | 2392 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
    PID 380 wrote to memory of 1672 | 380 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | Windows Update.exe
    PID 380 wrote to memory of 1672 | 380 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | Windows Update.exe
    PID 380 wrote to memory of 1672 | 380 | 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe | Windows Update.exe
    PID 1672 wrote to memory of 3736 | 1672 | Windows Update.exe | Windows Update.exe
    PID 1672 wrote to memory of 3736 | 1672 | Windows Update.exe | Windows Update.exe
    PID 1672 wrote to memory of 3736 | 1672 | Windows Update.exe | Windows Update.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 958KB
  MD5: a469bc3854c73406e2c2a533cf60de93
  SHA1: f3e4070d2f091e44068349e07ffe5532ac1b80b8
  SHA256: 83e2a7ad036af18cfadc0a723ce688507f2079f05f20ef3678708f80322c6d5b
  SHA512: 02146bd2d7c094e4470e330028c8e9a06d755f0d85aab6eca3426486eb3f478571fbc5bf74489b7439d299f96d438a3d558eacddee82869246dff00c05ac1b3b
- memory/380-148-0x0000000074630000-0x0000000074BE1000-memory.dmp (Filesize: 5.7MB)
- memory/380-155-0x0000000074630000-0x0000000074BE1000-memory.dmp (Filesize: 5.7MB)
- memory/380-143-0x0000000002B20000-0x0000000002BB0000-memory.dmp (Filesize: 576KB)
- memory/380-146-0x0000000074630000-0x0000000074BE1000-memory.dmp (Filesize: 5.7MB)
- memory/380-147-0x0000000076FC0000-0x0000000077163000-memory.dmp (Filesize: 1.6MB)
- memory/380-135-0x0000000000000000-mapping.dmp
- memory/380-139-0x0000000000400000-0x0000000000477000-memory.dmp (Filesize: 476KB)
- memory/380-142-0x0000000076FC0000-0x0000000077163000-memory.dmp (Filesize: 1.6MB)
- memory/380-154-0x0000000076FC0000-0x0000000077163000-memory.dmp (Filesize: 1.6MB)
- memory/1672-149-0x0000000000000000-mapping.dmp
- memory/1672-158-0x0000000076FC0000-0x0000000077163000-memory.dmp (Filesize: 1.6MB)
- memory/2392-136-0x0000000076FC0000-0x0000000077163000-memory.dmp (Filesize: 1.6MB)
- memory/2392-134-0x00000000022D0000-0x00000000022D7000-memory.dmp (Filesize: 28KB)
- memory/3736-156-0x0000000000000000-mapping.dmp