3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d

General

Target

3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
Size

4.3MB
MD5

9e0fc7817fc7b291f14c5b726070f9d1
SHA1

b89af4ef99d4f8dff5597abcfd43c7731d710f94
SHA256

3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d
SHA512

ac9b7b94d7b3857b1ce06ba3084049f5cad8467775b7e359bb2cbecd8222e4e64b154803c663010d269398564f750e68211cd4580661b594eac350ca8920e9fa
SSDEEP

98304:jclPDq5+TGDNLADj2+4RGeg3i71jn92LtEiMyneDrk12/n7aHXZ2:jclPDqoTCiDi+4R43i7pn9utGyj12/OI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4956	AutoUpdater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AutoUpdater.exe

Loads dropped DLL 3 IoCs

pid	Process
644	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
644	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
644	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
644	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 4956	4064	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe	78
PID 4064 wrote to memory of 4956	4064	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe	78
PID 4064 wrote to memory of 4956	4064	3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe	78
PID 4956 wrote to memory of 644	4956	AutoUpdater.exe	79
PID 4956 wrote to memory of 644	4956	AutoUpdater.exe	79
PID 4956 wrote to memory of 644	4956	AutoUpdater.exe	79

C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
"C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Users\Admin\AppData\Local\Temp\autoUpdater\AutoUpdater.exe
  "C:\Users\Admin\AppData\Local\Temp\autoUpdater\\AutoUpdater.exe" "--url" "http://soft.tzsucai.com/auto/VRay/patch6.0/update.json" "--src" "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe" "--ver" "V6.2" "--ins" "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
    "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe" /NoCheck
    3⤵
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\autoUpdater\AutoUpdater.exe

Filesize
3.1MB

MD5
c4bac11b0aa0a5acdf3054279c1a3082

SHA1
f6ec0f931d0c53a5eacd14320ff4f54401f03faf

SHA256
d906de000b890a93d21a29d200b2dfa75522a478f9a914ca4bf22d797bdaade5

SHA512
7aa089c5240c5b08fa2ecc8350f49b6c7763d0100a640a7f572d2f8181ff37f261bf85c5792ca679da32f2e67794e2d0d525c7921e9e8363e6fe8548f8ff29ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoUpdater\AutoUpdater.exe

Filesize
3.1MB

MD5
c4bac11b0aa0a5acdf3054279c1a3082

SHA1
f6ec0f931d0c53a5eacd14320ff4f54401f03faf

SHA256
d906de000b890a93d21a29d200b2dfa75522a478f9a914ca4bf22d797bdaade5

SHA512
7aa089c5240c5b08fa2ecc8350f49b6c7763d0100a640a7f572d2f8181ff37f261bf85c5792ca679da32f2e67794e2d0d525c7921e9e8363e6fe8548f8ff29ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\Default.xml

Filesize
3KB

MD5
b48c1b03ee602dab980da9218eebdb2b

SHA1
4ef564696d04f17c1cf7b7b0c707d7dc23fd428a

SHA256
f12172064c5bb74eefc37cecb94515e42a9cd722051f2dbbb590066f34e02286

SHA512
861df24756db3d0fdcd1d23b7603cce15a882e4ffc70d54a383db4e25c8f10a3b0b918c95ac3fdbcf1c6ce0a9d66878c099d06301ba79ed8ec5cb6c9f987229c

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\MainWnd.xml

Filesize
1KB

MD5
abeff0c61ee1a4c300902ea118d2c57b

SHA1
323311f450bacf2731c38b2a4ae847f124ad01a4

SHA256
b48f3ed4768a65c3def336a23a19183bba5954179863199c11f1cf162aba150a

SHA512
e30b003a5c1fc7a35caf69e1ffc63513c1c577879d71d40b59b19b89ffb3123bf851a2eec16abab53fa3a616e0a280509f1d6548b33190894fdb6bcf6a98b1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\bk.gif

Filesize
1.0MB

MD5
dd076516618bc98ca10e0a46cf819b72

SHA1
93dedb5cbeaa3aba1807964d3858c5c53eeb03c9

SHA256
095c1cce081d7b895caef716f4fac0f4ebd186cbc9b288918948576f13743dc2

SHA512
218ec0bbf13d65cfe7e84f799ae68f37edd9e25e2f2365401a4bb7dafefe09325c596fcf2a7163df34b41091ecb60169e6e88a5523f6d10bdad2e51ca67c2684

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\System.dll

Filesize
11KB

MD5
dfe3a60a5e1ff0edd7cb8ebf74b10775

SHA1
45a97108f948165fb43f2ec871416100d1976462

SHA256
456853c9ba9f180434826d1f4c5c771af445a3f11e980447e3b1c75b19ada7a7

SHA512
37cbeb7defe9f42185f4905552d8445e1c96dfe8122e7aefd4b55f40d2b9ce1d7d1820fc78d7bd169ce3f5f47bfa9c96c92895a5b20352da945c8dc745bdb4ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\nsSkinEngine.dll

Filesize
646KB

MD5
e460a42c2c4abc7437f6a3b8a472b850

SHA1
24bc25f622e0b3e69c35e131f9e05cd0c678661b

SHA256
e94b7f35b62eb4c6360371b836251265ff6cfb7ee077afb884d860f7d76d5a05

SHA512
cc36225c3c7011674babb60f62de044646fb33f0d55388d17eaffa9d1f25644af955825b9a63b7dc08a31369c5ecec2a5b1721e29fe4ea211cd046e98f532a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\nsUtils.dll

Filesize
166KB

MD5
f94ced0f40a82f6828e498377230f041

SHA1
bc926b0a2344a82ee6262bfbfe12c54eca6db31a

SHA256
7339d2fdfc5d9fa055c8b932c708104a7bf055154062107d51e55da412a49d7e

SHA512
31ae5ed3886be569ad9daa1df958228a11d147b09a9f6bfa4193ab13f8be619dc03c46bcaa6e7d5df2f7d9594b55eb7287f43f48d4ef5d03c1648f126c23f631

Download Submit

Analysis

Sharing