f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff

General

Target

25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe
Size

20.7MB
MD5

cf02dd7831c0c7ec3bc6568197c341b6
SHA1

b828f901bc0c1659ee6e1a000cc031bb58cc57ef
SHA256

f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff
SHA512

b0af28ff34ef66080c01fba3cfee12459a5ed3ac0b6bc905fbce4f7cafd13de99a30f171bf4e8b51a6360f5a37c315214768298afb5fd57ee0631e3933ddc8dd
SSDEEP

393216:Wu/kurLSL/jCfRZiXLFELF2smA8BtXwwAXhPc+vzif0rkPy/UowxBS:Wu/k8qjCn65O2smBX76K0ruO

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

b1aa2bf1-4859-45f4-ba53-dd92fc803772.exega_utility.exe

pid process

684 b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
1112 ga_utility.exe

Loads dropped DLL 5 IoCs

Processes:

b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

pid	process
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

pid process

684 b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
684 b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exeb1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

description	pid	process	target process
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 752 wrote to memory of 684	752	25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
PID 684 wrote to memory of 1112	684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe	ga_utility.exe
PID 684 wrote to memory of 1112	684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe	ga_utility.exe
PID 684 wrote to memory of 1112	684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe	ga_utility.exe
PID 684 wrote to memory of 1112	684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe	ga_utility.exe

C:\Users\Admin\AppData\Local\Temp\25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe
"C:\Users\Admin\AppData\Local\Temp\25654_71747677_f01d2a63b0affa1ae031361f39577986a6b9156a24f04a35cdc64048b8f3b8ff_wzdu46.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:752
- C:\b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
  \b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe /OSOURCE="wzdu46" /BUILD_ID="46"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\nsoC34.tmp\ga_utility.exe
    "C:\Users\Admin\AppData\Local\Temp\nsoC34.tmp\ga_utility.exe" -install_start -guid "1BC27486-3B6B-4406-857B-751DB7EBA02B" -language "en" -app_version "5.41.0.24" -product_code "DU" -app_name "WinZip Driver Updater" -track_id "UA-66457935-11"
    3⤵
    - Executes dropped EXE
    PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsoC34.tmp\ga_utility.exe

Filesize
415KB

MD5
8bde676533380d8d64fbd20c8a70ae36

SHA1
9a43e264722ccec3c9bfc3fc6da2cd28422e8a0c

SHA256
6b7bd7039ee340f0f3b91b38d9ebce0d9f13afaebcdf671520e3803ae9224a52

SHA512
6650b998763be971159e4f48d9ed965b255c3d14ee7ade98098715cced9a72000ac27ed78a8a569d135f6af95451199f65af36b7cad4545fc3939a76cb4f0813

Download Submit
C:\b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

Filesize
20.3MB

MD5
b0cb067eb613e7fec037ab02c285f4cd

SHA1
7de4ebf1db06eb6e0e7efd16d39fe29289046f09

SHA256
94bfeafae2c0ff1f18d29e5276561df5024fde3b33d438756092d3f3bd24f47b

SHA512
bb964bd09c2ab8df4129eeb8db0a8d2eecb24c131d0cfb63e1846ea1f37288536510ea6f0c4b13723a4a12f6401e76e3a57d5d71448bbb8829e17754a1fc8f10

Download Submit
C:\b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe

Filesize
20.3MB

MD5
b0cb067eb613e7fec037ab02c285f4cd

SHA1
7de4ebf1db06eb6e0e7efd16d39fe29289046f09

SHA256
94bfeafae2c0ff1f18d29e5276561df5024fde3b33d438756092d3f3bd24f47b

SHA512
bb964bd09c2ab8df4129eeb8db0a8d2eecb24c131d0cfb63e1846ea1f37288536510ea6f0c4b13723a4a12f6401e76e3a57d5d71448bbb8829e17754a1fc8f10

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC34.tmp\InstallOptions.dll

Filesize
15KB

MD5
67d8f4d5acdb722e9cb7a99570b3ded1

SHA1
f4a729ba77332325ea4dbdeea98b579f501fd26f

SHA256
fa8de036b1d9bb06be383a82041966c73473fc8382d041fb5c1758f991afeae7

SHA512
03999cc26a76b0de6f7e4e8a45137ee4d9c250366ac5a458110f00f7962158311eea5f22d3ee4f32f85aa6969eb143bdb8f03ca989568764ed2bc488c89b4b7f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC34.tmp\System.dll

Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC34.tmp\ga_utility.exe

Filesize
415KB

MD5
8bde676533380d8d64fbd20c8a70ae36

SHA1
9a43e264722ccec3c9bfc3fc6da2cd28422e8a0c

SHA256
6b7bd7039ee340f0f3b91b38d9ebce0d9f13afaebcdf671520e3803ae9224a52

SHA512
6650b998763be971159e4f48d9ed965b255c3d14ee7ade98098715cced9a72000ac27ed78a8a569d135f6af95451199f65af36b7cad4545fc3939a76cb4f0813

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC34.tmp\linker.dll

Filesize
7KB

MD5
0d5cf965fafcb11f8744d0dc729339da

SHA1
ccfeb09534dce671a3fcd216606d7ee572a0341e

SHA256
02ee7e90b9379827cb186df48db5b412aaf800196d6967762fb513b9143cd1ef

SHA512
993a598e3c46a4544ee0011a94fd9a4df66131b1526744db31faf8c5bfba4b5695a096d787555a9807d8bfd3e09bebfa73df97db83b144990c84cb14a000ba56

Download Submit
\Users\Admin\AppData\Local\Temp\nsoC34.tmp\nsEnvVariables.dll

Filesize
41KB

MD5
29924ed9ad063b5fda86aaf08dd3227f

SHA1
f2628d325dd17c1dcc8edd167e2417d7c582f5c5

SHA256
083cbb8fdd692134bb80b6d12c0fcd71ede5444064d226b6d747e3227995e045

SHA512
7909415f5efbd12d4cb152e44222f3564178cc242809909fe094f6d5e2578634ed07f7d71aa9cd2e31cc3371a5e7875bd4691a2d85f7041ebb1c4e2bca978549

Download Submit
memory/684-55-0x0000000000000000-mapping.dmp

Download
memory/684-65-0x0000000000320000-0x000000000032E000-memory.dmp

Filesize
56KB

Download
memory/752-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1112-61-0x0000000000000000-mapping.dmp

Download

pid	process
684	b1aa2bf1-4859-45f4-ba53-dd92fc803772.exe
1112	ga_utility.exe

Analysis

Sharing