eea3cb397782654810eea1c7bfc350a5c4760b9ea776f08de36b8356a1a3c3a7 | Triage

Submit
Reports

Overview

overview

9

Static

static

3

WinSecurit...es.exe

windows7-x64

8

WinSecurit...es.exe

windows10-2004-x64

9

Sharing

General

Target

WinSecurityUpdates.exe
Size

14.0MB
Sample

220926-dk4hnaachj
MD5

81ec54952bb1f2d77755acc1c72a1022
SHA1

f61fa40dd3b1b36f0ef08335653624a9cf0c0fe5
SHA256

eea3cb397782654810eea1c7bfc350a5c4760b9ea776f08de36b8356a1a3c3a7
SHA512

77d0fd17bb91ac80e747b62f177fe8d2c013a2c7d261ceca0d9738109fa8ef957c6e6e3014a8548da76aaddbf5154a277f529902a3cb05d5e8c128e8a26c7e72
SSDEEP

393216:Ncfbl5euWkQSrstR9zCLFKoL205Suuy0kiOJitcCWRmmd:GfblqkrsX9OLF3L2ASuuy/iCo6Z

Score

9^/10

evasion persistence pyinstaller ransomware spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

WinSecurityUpdates.exe

Resource

win7-20220901-en

evasion persistence ransomware spyware stealer

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

WinSecurityUpdates.exe

Resource

win10v2004-20220812-en

evasion persistence ransomware spyware stealer

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  WinSecurityUpdates.exe
- Size
  
  14.0MB
- MD5
  
  81ec54952bb1f2d77755acc1c72a1022
- SHA1
  
  f61fa40dd3b1b36f0ef08335653624a9cf0c0fe5
- SHA256
  
  eea3cb397782654810eea1c7bfc350a5c4760b9ea776f08de36b8356a1a3c3a7
- SHA512
  
  77d0fd17bb91ac80e747b62f177fe8d2c013a2c7d261ceca0d9738109fa8ef957c6e6e3014a8548da76aaddbf5154a277f529902a3cb05d5e8c128e8a26c7e72
- SSDEEP
  
  393216:Ncfbl5euWkQSrstR9zCLFKoL205Suuy0kiOJitcCWRmmd:GfblqkrsX9OLF3L2ASuuy/iCo6Z
Score

9^/10

evasion persistence ransomware spyware stealer
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Modifies Installed Components in the registry
  persistence
- Modifies extensions of user files
  Ransomware generally changes the extension on encrypted files.
  ransomware
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

File Deletion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Tasks

static1

behavioral1

evasionpersistenceransomwarespywarestealer

behavioral2

evasionpersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy