91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3

Analysis

max time kernel
91s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 10:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
Size

273KB
MD5

d352c794f7aa71c270b0365b283e14d6
SHA1

0b3486d19926cafaea78094555a892361fe3ee13
SHA256

91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3
SHA512

d3166a94b54ff546a0de98441fa3fd50cb4bf7866aa78499dd1e2808be75d8cd149684fae05f1322e58cb11b9bffe3d0a023772b6ade6cd42caf8fd371bb3e85
SSDEEP

6144:14SUjhtLdSYMDJry27Xsd8CoXZM4NIGe+pBSMcAyYHdCLWSZG07V39yTCkL4nD:OzMlrT7I8Pase+rxTdCy507V39va4nD

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2208	LiveUpdateWPP.exe
1812	LiveUpdateWPP.exe

Loads dropped DLL 6 IoCs

pid	Process
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
File created	C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP_uninstaller.exe	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2208	5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe	80
PID 5012 wrote to memory of 2208	5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe	80
PID 5012 wrote to memory of 2208	5012	91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe	80

C:\Users\Admin\AppData\Local\Temp\91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe
"C:\Users\Admin\AppData\Local\Temp\91ed6e0ea7f264fd33812bfb6627951759f0e28762687e86e82a6774a1d404a3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe
  "C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe" /install
  2⤵
  - Executes dropped EXE
  PID:2208

C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe
"C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe"
1⤵
- Executes dropped EXE
PID:1812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
443KB

MD5
23b22fc2ea603602bc340ee7b84f6518

SHA1
4ec24e677d06272a80550bac89a15ea0b476e66b

SHA256
79a3d69fc859f8c6bb6c059f446f7a6b4cd156ce2495f4e39de2599819409dc6

SHA512
a69ca3d1073c030d9ec3993f3eeceadcfb21835066daf9ca159a594e85408a72e509fc0a8aa71626b966ec33f543931a342105b0b8c89217b7f2046493fc8d63

Download Submit
C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
443KB

MD5
23b22fc2ea603602bc340ee7b84f6518

SHA1
4ec24e677d06272a80550bac89a15ea0b476e66b

SHA256
79a3d69fc859f8c6bb6c059f446f7a6b4cd156ce2495f4e39de2599819409dc6

SHA512
a69ca3d1073c030d9ec3993f3eeceadcfb21835066daf9ca159a594e85408a72e509fc0a8aa71626b966ec33f543931a342105b0b8c89217b7f2046493fc8d63

Download Submit
C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
443KB

MD5
23b22fc2ea603602bc340ee7b84f6518

SHA1
4ec24e677d06272a80550bac89a15ea0b476e66b

SHA256
79a3d69fc859f8c6bb6c059f446f7a6b4cd156ce2495f4e39de2599819409dc6

SHA512
a69ca3d1073c030d9ec3993f3eeceadcfb21835066daf9ca159a594e85408a72e509fc0a8aa71626b966ec33f543931a342105b0b8c89217b7f2046493fc8d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\System.dll

Filesize
11KB

MD5
a436db0c473a087eb61ff5c53c34ba27

SHA1
65ea67e424e75f5065132b539c8b2eda88aa0506

SHA256
75ed40311875312617d6711baed0be29fcaee71031ca27a8d308a72b15a51e49

SHA512
908f46a855480af6eacb2fb64de0e60b1e04bbb10b23992e2cf38a4cbebdcd7d3928c4c022d7ad9f7479265a8f426b93eef580afec95570e654c360d62f5e08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\inetc.dll

Filesize
20KB

MD5
c498ae64b4971132bba676873978de1e

SHA1
92e4009cd776b6c8616d8bffade7668ef3cb3c27

SHA256
5552bdde7e4113393f683ef501e4cc84dccc071bdc51391ea7fa3e7c1d49e4e8

SHA512
8e5ca35493f749a39ceae6796d2658ba10f7d8d9ceca45bb4365b338fabd1dfa9b9f92e33f50c91b0273e66adfbce4b98b09c15fd2473f8b214ed797462333d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdFEF.tmp\nsExec.dll

Filesize
6KB

MD5
14f5984b926208de2aafb55dd9971d4a

SHA1
e5afe0b80568135d3e259c73f93947d758a7b980

SHA256
030bcfa82e3bb424835a5fa53a3ff17ab08557d3bbeea4815313036fc4bdafe1

SHA512
e9ec97dd57ead871789d49ed38d9fde5f31d3cb2547810cae49a736e06b9f9b28cf8efea825eb83c3e07d880ee798abfb9069c6957416d5973c83e4531814e27

Download Submit
memory/5012-142-0x0000000002881000-0x0000000002884000-memory.dmp

Filesize
12KB

Download