182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2

Analysis

max time kernel
95s
max time network
103s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
Size

755KB
MD5

f053edde8707fc4575626c6250987bf0
SHA1

a64d282a8d191e38eccae844aeebe5213b5ff892
SHA256

182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2
SHA512

f1f355a109c81bed76e4ae0cb07d5d47b3aba4e1ff5b28b4242f4bed70e02d00c2899642ef852fa77d16064beb73cb6e33ee4b1533ab502f07b9c5f252b0d03b
SSDEEP

12288:dE3zRbnrB0iGz8941+aWWNJRtvyhybYHOe7rny2lUobTrB0tGz8f41+aW3NJEKxV:dEjRbn10J1+/WNJTvyFtiobT1X91+/3z

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

UpdaterService.exe

pid process

852 UpdaterService.exe

pid	process
852	UpdaterService.exe

Loads dropped DLL 10 IoCs

Processes:

182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe

pid	process
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 10 IoCs

Processes:

182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe

description	ioc	process
File created	C:\Program Files (x86)\SoftwareUpdater\uninstall.exe	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\config.xml	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\KeyGen.dll	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File opened for modification	C:\Program Files (x86)\SoftwareUpdater\AppsUpdaterSem.exe.config	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\AppsUpdater.exe.config	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\Interop.Shell32.dll	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
File created	C:\Program Files (x86)\SoftwareUpdater\translations.xml	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

580 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 580 taskkill.exe

pid	process
580	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	580	taskkill.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe

description	pid	process	target process
PID 1472 wrote to memory of 580	1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe	taskkill.exe
PID 1472 wrote to memory of 580	1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe	taskkill.exe
PID 1472 wrote to memory of 580	1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe	taskkill.exe
PID 1472 wrote to memory of 580	1472	182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe
"C:\Users\Admin\AppData\Local\Temp\182e39ddd0bbbe70fc96af6d32568b6f3dfef938980b97c7fdd072b038cd99b2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im AppsUpdater.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:580

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
"C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe"
1⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
Filesize
38KB

MD5
34bd67e213a67ec101bc79af76278b4c

SHA1
422e087b1ba4ec7339d8b3442665dedc58550b76

SHA256
83338257e486cfab3b6064439d7a8eef9462af6c050cecc69306de225d4588f5

SHA512
b4b0f89b0a0c4273fc261e8cc9ce2dae2dc16d74899b025daf02780ee31872d337e5412d18c11f424efed3aa6df8356f105e056703952de24a3de6460f6ad826

Download Submit
C:\Program Files (x86)\SoftwareUpdater\UpdaterService.exe
Filesize
38KB

MD5
34bd67e213a67ec101bc79af76278b4c

SHA1
422e087b1ba4ec7339d8b3442665dedc58550b76

SHA256
83338257e486cfab3b6064439d7a8eef9462af6c050cecc69306de225d4588f5

SHA512
b4b0f89b0a0c4273fc261e8cc9ce2dae2dc16d74899b025daf02780ee31872d337e5412d18c11f424efed3aa6df8356f105e056703952de24a3de6460f6ad826

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\SimpleSC.dll
Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\nsURL.dll
Filesize
277KB

MD5
8a4cf95fd1eb60ebf730d66446397f16

SHA1
7da71a17d2011c08b9c8330b0092a41ff3b73eee

SHA256
1f4bb0a5cd7aec4f8395bcefb0556c5d38c5ff870c30aa00df925633240d2a39

SHA512
a2e2fe009bb9baf18bef564df00e282503fd31c8a85361db23847447471db5af1b58c370d5d16fb21efc32a4ca94e2d0ea5d5e23397625a14292a445efb69ea2

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\nsURL.dll
Filesize
277KB

MD5
8a4cf95fd1eb60ebf730d66446397f16

SHA1
7da71a17d2011c08b9c8330b0092a41ff3b73eee

SHA256
1f4bb0a5cd7aec4f8395bcefb0556c5d38c5ff870c30aa00df925633240d2a39

SHA512
a2e2fe009bb9baf18bef564df00e282503fd31c8a85361db23847447471db5af1b58c370d5d16fb21efc32a4ca94e2d0ea5d5e23397625a14292a445efb69ea2

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\tkDecript.dll
Filesize
223KB

MD5
86a2a4ceda4d7c0a126c8c9619126bb3

SHA1
19d5395fe74374819fd8b6d0eee8500bec5dc31e

SHA256
be40d5c9593ebcb2331b22cc4c8f9e87cf08266827bc6ad1c2ecdb2d52f9c2df

SHA512
4bb63964e06a4f573a9d6e0bb21c329fd5198884d10c636e395e0bb5158981757d53a277eca47a7a9acfd2b20761a11ae9d9f8b0c402bf62bcdd672b724b01e9

Download Submit
\Users\Admin\AppData\Local\Temp\nsoAF35.tmp\tkDecript.dll
Filesize
223KB

MD5
86a2a4ceda4d7c0a126c8c9619126bb3

SHA1
19d5395fe74374819fd8b6d0eee8500bec5dc31e

SHA256
be40d5c9593ebcb2331b22cc4c8f9e87cf08266827bc6ad1c2ecdb2d52f9c2df

SHA512
4bb63964e06a4f573a9d6e0bb21c329fd5198884d10c636e395e0bb5158981757d53a277eca47a7a9acfd2b20761a11ae9d9f8b0c402bf62bcdd672b724b01e9

Download Submit
memory/580-61-0x0000000000000000-mapping.dmp

Download
memory/852-70-0x000007FEF2BD0000-0x000007FEF35F3000-memory.dmp

Filesize
10.1MB

Download
memory/852-71-0x000007FEEE690000-0x000007FEEF726000-memory.dmp

Filesize
16.6MB

Download
memory/1472-57-0x0000000001F40000-0x0000000001F53000-memory.dmp

Filesize
76KB

Download
memory/1472-54-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download