410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee

Analysis

max time kernel
57s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 16:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
Size

622KB
MD5

14328e88f1ee1398d20fdd3627b34330
SHA1

dc51fcf1cc2625e7afe870dce3c8e64d1f3c715b
SHA256

410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee
SHA512

75ab5d680912170f3b91d258df94c2a2b6ead39feddf8d79469aaff5950041d08e8d9ac261c76dbe7487df2b3240aac945dbf93b13d66aa4364a37dbd9f51ae9
SSDEEP

12288:drdaA2wSjF/DNIs2Jvpmhybi/gSKg9SYq/vWtwWjF/pShqpvp1:drdaAojRDzSBmt9SYwO1jRQhaB1

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
880	UpdaterService.exe

Loads dropped DLL 10 IoCs

pid	Process
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.config	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\KeyGen.dll	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\config.xml	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\Interop.Shell32.dll	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\translations.xml	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File opened for modification	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
File created	C:\Program Files (x86)\SoftwareUpdater\uninstall.exe	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1760	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 1760	960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe	27
PID 960 wrote to memory of 1760	960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe	27
PID 960 wrote to memory of 1760	960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe	27
PID 960 wrote to memory of 1760	960	410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe	27

C:\Users\Admin\AppData\Local\Temp\410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe
"C:\Users\Admin\AppData\Local\Temp\410d29045eef242a2ceaa7718e41c8c427c68ef2e7bb46652a6e0ccba2471cee.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AppsUpdater.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
"C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe"
1⤵
- Executes dropped EXE
PID:880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe

Filesize
39KB

MD5
ddd4e882b3ea7973458ed4ccbbf17715

SHA1
e75c94a44c03c1897bd28522e9df1b673d078b05

SHA256
495a534ce0b72ea2f277239d49f1a501defe3fdb4e93870f5bd5944b026d3563

SHA512
0de4918f4c436bdf9bb3f18474768f187c110dddecb555ab88e17682ec1096fa7c5e6789d44e49c1040c0774490ebbcf01082c9c6aa3d0b1129b0b414b3f3440

Download Submit
C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe

Filesize
39KB

MD5
ddd4e882b3ea7973458ed4ccbbf17715

SHA1
e75c94a44c03c1897bd28522e9df1b673d078b05

SHA256
495a534ce0b72ea2f277239d49f1a501defe3fdb4e93870f5bd5944b026d3563

SHA512
0de4918f4c436bdf9bb3f18474768f187c110dddecb555ab88e17682ec1096fa7c5e6789d44e49c1040c0774490ebbcf01082c9c6aa3d0b1129b0b414b3f3440

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\nsURL.dll

Filesize
110KB

MD5
6b997e803a10663fa4a2995c030ba1a9

SHA1
3f81a5fc93601f04a4327ffd7c5a063dbf50a882

SHA256
9f50688db497c70cc2c84558dcb71b19d076f983557f2b7de8a742fa804ba060

SHA512
4cb8ecc7bb54c9e506e5061b452d474fd077b9f34b89384f54647dffabd77138fc4ad43e3fc14c6a65da21d72f655cf40560d53179a8317bb7b04382ff5bd776

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\nsURL.dll

Filesize
110KB

MD5
6b997e803a10663fa4a2995c030ba1a9

SHA1
3f81a5fc93601f04a4327ffd7c5a063dbf50a882

SHA256
9f50688db497c70cc2c84558dcb71b19d076f983557f2b7de8a742fa804ba060

SHA512
4cb8ecc7bb54c9e506e5061b452d474fd077b9f34b89384f54647dffabd77138fc4ad43e3fc14c6a65da21d72f655cf40560d53179a8317bb7b04382ff5bd776

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF901.tmp\tkDecript.dll

Filesize
222KB

MD5
ea79ad436f5e54ee5dc2aba13fe1b15a

SHA1
66e248962bfb1f370796dac393621367638c21b1

SHA256
0ae09d65f5284409e6d9a2d40d7aaa8cbf1dd1815e67a9c12a9557f5de1f7832

SHA512
dbd40403126c6ef6f5747c900809140c8897376f03696247cd8d10431bec7abb0c7191761e8ea551cfde2234059ec087ffbca54510ddf0dc78b8329f598fab2e

Download Submit
memory/880-70-0x000007FEF4650000-0x000007FEF5073000-memory.dmp

Filesize
10.1MB

Download
memory/880-71-0x000007FEF3370000-0x000007FEF4406000-memory.dmp

Filesize
16.6MB

Download
memory/960-65-0x00000000005C0000-0x00000000005D3000-memory.dmp

Filesize
76KB

Download
memory/960-57-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download