3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86

Analysis

max time kernel
57s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
Size

638KB
MD5

3e82f11a236be0e6eb80ae6ca035679f
SHA1

401062b03eee170f4f0035eca7aab46bf6188a04
SHA256

3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86
SHA512

eaf2c8582245a5eba37e5ca95cb9ca55ad24d804d3855e2850f8077c50ea2e73218baf659034a805e77b9131ff4743f5cc9b9afe530a2da453aa612a9f207db4
SSDEEP

12288:2UomEFRu3xEPE2blL46TZwdLqsiaTZFKWu/3fbZUCaDFVWinm:CmOMSPE2RLbTZoTxZFKWw3f2Nm

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

update.exe

pid process

1312 update.exe

pid	process
1312	update.exe

Loads dropped DLL 7 IoCs

Processes:

3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exeupdate.exe

pid	process
1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
1312	update.exe
1312	update.exe
1312	update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

update.exe

pid process

1312 update.exe

pid	process
1312	update.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe

description	pid	process	target process
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe
PID 1968 wrote to memory of 1312	1968	3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe	update.exe

C:\Users\Admin\AppData\Local\Temp\3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe
"C:\Users\Admin\AppData\Local\Temp\3f2c70ac1193106b7679ed5747a556248fa8276cc06ad57a84609b7ecff5ea86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe

Filesize
1.6MB

MD5
725b9eaac3340651c785502bff0d1c88

SHA1
785ba6b4c741bc31ae07fe40b52790ddd61cd7c6

SHA256
ee4acb2432e075f723cd1069867a9121c09b8fc4a6bcd45f55d88702eca9a60e

SHA512
c1ec14947e69538ed2473a29d0071c2775669f43d14d132873ff27e6f5f81579bb5d4c0219432c2050c2e139e6dfbf4e4434cbf8e6f09267600299ef38418ca4

Download Submit
memory/1312-59-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download