91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

Analysis

max time kernel
152s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 19:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe
Size

101KB
MD5

a05314a0dd92ba6fb68c6f825f028caf
SHA1

a4ee6b93db17a6f3741724cfa5e597abf8ae5372
SHA256

91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8
SHA512

6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7
SSDEEP

1536:8eyMZGRyHYWEmiiqxhhikSHRhALog00bTh9XFebFhP16VgWyK/m:8e9ZIdxmibGROLo4Ph9XqPoKWR/m

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2008	svcupdate.exe
1972	svcupdate.exe

Loads dropped DLL 8 IoCs

pid	Process
848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe
2008	svcupdate.exe
2008	svcupdate.exe
2008	svcupdate.exe
2008	svcupdate.exe
1972	svcupdate.exe
1972	svcupdate.exe
1972	svcupdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\svcupdate.exe"	svcupdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1096 set thread context of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 2008 set thread context of 1972	2008	svcupdate.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe
2008	svcupdate.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 1096 wrote to memory of 848	1096	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	27
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 848 wrote to memory of 2008	848	91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe	28
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29
PID 2008 wrote to memory of 1972	2008	svcupdate.exe	29

C:\Users\Admin\AppData\Local\Temp\91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe
"C:\Users\Admin\AppData\Local\Temp\91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe
  "C:\Users\Admin\AppData\Local\Temp\91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe
    "C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe
      "C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
\Users\Admin\AppData\Local\Microsoft\svcupdate.exe

Filesize
101KB

MD5
a05314a0dd92ba6fb68c6f825f028caf

SHA1
a4ee6b93db17a6f3741724cfa5e597abf8ae5372

SHA256
91ff8f57c135a92f616c071e7e1814d2f6a5470c5cec7cf799f388c8498efeb8

SHA512
6854cc64ce2d166191767a73b0993f91c50c6a455a56abebdeace64e1cb809e13b307965089a2ea9e7e8cff91f85343be5cd34fba6235885f2ad9eecb4b580e7

Download Submit
memory/848-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/848-62-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/848-61-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/848-59-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/848-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1096-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1096-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-81-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1972-86-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1972-89-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1972-88-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1972-87-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1972-90-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/1972-91-0x0000000000020000-0x0000000000031000-memory.dmp

Filesize
68KB

Download
memory/2008-79-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download