c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

General

Target

c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe
Size

692KB
MD5

80e0e41c5bdaac069e2b30378ec366b6
SHA1

200732386956fe16ef0e5c583f8f19272bd08e37
SHA256

c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485
SHA512

dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c
SSDEEP

12288:yw+e128lASKpmP84IyiiZV26ioxM9fJvyZJFzLck0iszvO94ACYm:oeU8l6j9y46HxMBt+JFsUszvo4ACYm

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
828	WindowsSecurityUpdate.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1676-61-0x0000000000400000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/828-64-0x0000000000400000-0x0000000000515000-memory.dmp	upx
behavioral1/memory/828-65-0x0000000000400000-0x0000000000515000-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe
1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe
1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe
1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28
PID 1676 wrote to memory of 828	1676	c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe	28

C:\Users\Admin\AppData\Local\Temp\c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe
"C:\Users\Admin\AppData\Local\Temp\c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe
  "C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe" -services
  2⤵
  - Executes dropped EXE
  PID:828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe

Filesize
692KB

MD5
80e0e41c5bdaac069e2b30378ec366b6

SHA1
200732386956fe16ef0e5c583f8f19272bd08e37

SHA256
c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

SHA512
dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c

Download Submit
\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe

Filesize
692KB

MD5
80e0e41c5bdaac069e2b30378ec366b6

SHA1
200732386956fe16ef0e5c583f8f19272bd08e37

SHA256
c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

SHA512
dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c

Download Submit
\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe

Filesize
692KB

MD5
80e0e41c5bdaac069e2b30378ec366b6

SHA1
200732386956fe16ef0e5c583f8f19272bd08e37

SHA256
c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

SHA512
dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c

Download Submit
\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe

Filesize
692KB

MD5
80e0e41c5bdaac069e2b30378ec366b6

SHA1
200732386956fe16ef0e5c583f8f19272bd08e37

SHA256
c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

SHA512
dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c

Download Submit
\Users\Admin\AppData\Roaming\HfDRRR9D\WindowsSecurityUpdate.exe

Filesize
692KB

MD5
80e0e41c5bdaac069e2b30378ec366b6

SHA1
200732386956fe16ef0e5c583f8f19272bd08e37

SHA256
c37a889731f1d13c1c107ecc494c7f3deb831c98a7afa4ac2e3731c0c4994485

SHA512
dc4188c68826388f5cea9eb5ee3b36c00f8e4e1462f73de23783fbf65b8a81a86961d78d8442da856f505a92ee1d377d298f06180bda78c7d1794c874861b58c

Download Submit
memory/828-64-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/828-65-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/1676-54-0x00000000002C0000-0x00000000002C4000-memory.dmp

Filesize
16KB

Download
memory/1676-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/1676-61-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing