Analysis
-
max time kernel
145s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-11-2022 03:04
General
-
Target
32a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f.exe
-
Size
521KB
-
MD5
a1b89dc6328584521be91c0ce72d3d87
-
SHA1
aab7aea67283b50c69e00c15db7ef922680b3d50
-
SHA256
32a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f
-
SHA512
4a60116f47032a15edde0fa3ea61a909c336a825c703b87de8249602302b54809d2cccf0806e407ec6646289d088432530203de9cbea16c76b618385b023ad56
-
SSDEEP
6144:zuRqBr74bS/QTjhUqBfxrwEnuNcSsm7IoYGW0VvBXCAt6kihwE+VDpJYWmlwnx9N:974QtqB5urTIoYWBQk1E+VF9mOx9Mi
Malware Config
Signatures
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\32a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f.exe"C:\Users\Admin\AppData\Local\Temp\32a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Windows Update.exe"C:\Users\Admin\AppData\Roaming\Windows Update.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 11043⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
521KB
MD5a1b89dc6328584521be91c0ce72d3d87
SHA1aab7aea67283b50c69e00c15db7ef922680b3d50
SHA25632a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f
SHA5124a60116f47032a15edde0fa3ea61a909c336a825c703b87de8249602302b54809d2cccf0806e407ec6646289d088432530203de9cbea16c76b618385b023ad56
-
C:\Users\Admin\AppData\Roaming\Windows Update.exeFilesize
521KB
MD5a1b89dc6328584521be91c0ce72d3d87
SHA1aab7aea67283b50c69e00c15db7ef922680b3d50
SHA25632a8606658fdaad1bf63ad2ec4fca8c1acb23bb424e6516b98acd98af043d85f
SHA5124a60116f47032a15edde0fa3ea61a909c336a825c703b87de8249602302b54809d2cccf0806e407ec6646289d088432530203de9cbea16c76b618385b023ad56
-
memory/1136-138-0x0000000000000000-mapping.dmp
-
memory/2168-132-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB
-
memory/2168-133-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB
-
memory/2168-137-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB
-
memory/4156-134-0x0000000000000000-mapping.dmp
-
memory/4156-139-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB
-
memory/4156-140-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB
-
memory/4156-141-0x00000000745F0000-0x0000000074BA1000-memory.dmpFilesize
5.7MB