Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/09/2022, 10:44

General

  • Target

    3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe

  • Size

    4.3MB

  • MD5

    9e0fc7817fc7b291f14c5b726070f9d1

  • SHA1

    b89af4ef99d4f8dff5597abcfd43c7731d710f94

  • SHA256

    3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d

  • SHA512

    ac9b7b94d7b3857b1ce06ba3084049f5cad8467775b7e359bb2cbecd8222e4e64b154803c663010d269398564f750e68211cd4580661b594eac350ca8920e9fa

  • SSDEEP

    98304:jclPDq5+TGDNLADj2+4RGeg3i71jn92LtEiMyneDrk12/n7aHXZ2:jclPDqoTCiDi+4R43i7pn9utGyj12/OI

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
    "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Users\Admin\AppData\Local\Temp\autoUpdater\AutoUpdater.exe
      "C:\Users\Admin\AppData\Local\Temp\autoUpdater\\AutoUpdater.exe" "--url" "http://soft.tzsucai.com/auto/VRay/patch6.0/update.json" "--src" "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe" "--ver" "V6.2" "--ins" "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe
        "C:\Users\Admin\AppData\Local\Temp\3895d6355398594677b5efb3a82f3fea218bde20c8e0fc2955082c3d5917354d.exe" /NoCheck
        3⤵
        • Loads dropped DLL
        • Suspicious use of FindShellTrayWindow
        PID:644

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\autoUpdater\AutoUpdater.exe

    Filesize

    3.1MB

    MD5

    c4bac11b0aa0a5acdf3054279c1a3082

    SHA1

    f6ec0f931d0c53a5eacd14320ff4f54401f03faf

    SHA256

    d906de000b890a93d21a29d200b2dfa75522a478f9a914ca4bf22d797bdaade5

    SHA512

    7aa089c5240c5b08fa2ecc8350f49b6c7763d0100a640a7f572d2f8181ff37f261bf85c5792ca679da32f2e67794e2d0d525c7921e9e8363e6fe8548f8ff29ef

  • C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\Default.xml

    Filesize

    3KB

    MD5

    b48c1b03ee602dab980da9218eebdb2b

    SHA1

    4ef564696d04f17c1cf7b7b0c707d7dc23fd428a

    SHA256

    f12172064c5bb74eefc37cecb94515e42a9cd722051f2dbbb590066f34e02286

    SHA512

    861df24756db3d0fdcd1d23b7603cce15a882e4ffc70d54a383db4e25c8f10a3b0b918c95ac3fdbcf1c6ce0a9d66878c099d06301ba79ed8ec5cb6c9f987229c

  • C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\MainWnd.xml

    Filesize

    1KB

    MD5

    abeff0c61ee1a4c300902ea118d2c57b

    SHA1

    323311f450bacf2731c38b2a4ae847f124ad01a4

    SHA256

    b48f3ed4768a65c3def336a23a19183bba5954179863199c11f1cf162aba150a

    SHA512

    e30b003a5c1fc7a35caf69e1ffc63513c1c577879d71d40b59b19b89ffb3123bf851a2eec16abab53fa3a616e0a280509f1d6548b33190894fdb6bcf6a98b1f8

  • C:\Users\Admin\AppData\Local\Temp\autoUpdater\skin\bk.gif

    Filesize

    1.0MB

    MD5

    dd076516618bc98ca10e0a46cf819b72

    SHA1

    93dedb5cbeaa3aba1807964d3858c5c53eeb03c9

    SHA256

    095c1cce081d7b895caef716f4fac0f4ebd186cbc9b288918948576f13743dc2

    SHA512

    218ec0bbf13d65cfe7e84f799ae68f37edd9e25e2f2365401a4bb7dafefe09325c596fcf2a7163df34b41091ecb60169e6e88a5523f6d10bdad2e51ca67c2684

  • C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\System.dll

    Filesize

    11KB

    MD5

    dfe3a60a5e1ff0edd7cb8ebf74b10775

    SHA1

    45a97108f948165fb43f2ec871416100d1976462

    SHA256

    456853c9ba9f180434826d1f4c5c771af445a3f11e980447e3b1c75b19ada7a7

    SHA512

    37cbeb7defe9f42185f4905552d8445e1c96dfe8122e7aefd4b55f40d2b9ce1d7d1820fc78d7bd169ce3f5f47bfa9c96c92895a5b20352da945c8dc745bdb4ed

  • C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\nsSkinEngine.dll

    Filesize

    646KB

    MD5

    e460a42c2c4abc7437f6a3b8a472b850

    SHA1

    24bc25f622e0b3e69c35e131f9e05cd0c678661b

    SHA256

    e94b7f35b62eb4c6360371b836251265ff6cfb7ee077afb884d860f7d76d5a05

    SHA512

    cc36225c3c7011674babb60f62de044646fb33f0d55388d17eaffa9d1f25644af955825b9a63b7dc08a31369c5ecec2a5b1721e29fe4ea211cd046e98f532a2b

  • C:\Users\Admin\AppData\Local\Temp\nsmFFF1.tmp\nsUtils.dll

    Filesize

    166KB

    MD5

    f94ced0f40a82f6828e498377230f041

    SHA1

    bc926b0a2344a82ee6262bfbfe12c54eca6db31a

    SHA256

    7339d2fdfc5d9fa055c8b932c708104a7bf055154062107d51e55da412a49d7e

    SHA512

    31ae5ed3886be569ad9daa1df958228a11d147b09a9f6bfa4193ab13f8be619dc03c46bcaa6e7d5df2f7d9594b55eb7287f43f48d4ef5d03c1648f126c23f631