8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835

Analysis

max time kernel
90s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2022 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
Size

1.4MB
MD5

77387436f26d671226ceb358ea839891
SHA1

2fe2ac4d30bcaad7a2bfb103aaddc312df33657b
SHA256

8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835
SHA512

6478ba01da41cd47902c11b72abe846d9a519d5fc3c777b78751bcad956ce131381b88860468f1d8a52675ebd3ca3d9d343ebc14c48a91cf393a6ccdacca2fcf
SSDEEP

24576:3r+AbbTsXb/k5QhD7UFFeZqcm7PgA5G6RA39axucsp8Bob5Tmc//////z:3aUbAQ5QW78k7IMA3fcJq1mc//////z

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1480	fileupdate.exe

Loads dropped DLL 20 IoCs

pid	Process
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1480	fileupdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1480	fileupdate.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1480	fileupdate.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1480	4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe	83
PID 4804 wrote to memory of 1480	4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe	83
PID 4804 wrote to memory of 1480	4804	8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe	83

C:\Users\Admin\AppData\Local\Temp\8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe
"C:\Users\Admin\AppData\Local\Temp\8a2c5473dfab68887ac6fdd3bbaf32a314f83a4d459a8c76b36c0d4a00d6b835.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\fileupdate.exe
  C:\Users\Admin\AppData\Local\Temp\fileupdate.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fileupdate.exe

Filesize
1.3MB

MD5
e8365b27726f25d9c2bcfc11485fcc57

SHA1
939a9186a376ac25fced61665a6aa82e0b4871eb

SHA256
ee21767fc3ef405ce86701e19bb8655b3ccf005ed468e716ea766c9cb0f18764

SHA512
6fd5b0e3f4455d9dcf72cfa938c799e78a7e6b3a836783d07ba4c61b6f80b43c31fbd635bc7f10137f6e8127b54f8580811849b352946cf24b54aaaf6820e088

Download Submit
C:\Users\Admin\AppData\Local\Temp\fileupdate.exe

Filesize
1.3MB

MD5
e8365b27726f25d9c2bcfc11485fcc57

SHA1
939a9186a376ac25fced61665a6aa82e0b4871eb

SHA256
ee21767fc3ef405ce86701e19bb8655b3ccf005ed468e716ea766c9cb0f18764

SHA512
6fd5b0e3f4455d9dcf72cfa938c799e78a7e6b3a836783d07ba4c61b6f80b43c31fbd635bc7f10137f6e8127b54f8580811849b352946cf24b54aaaf6820e088

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspBB18.tmp\inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
memory/1480-149-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download
memory/1480-132-0x0000000000000000-mapping.dmp

Download
memory/1480-156-0x0000000000400000-0x000000000091B000-memory.dmp

Filesize
5.1MB

Download