Analysis
-
max time kernel
183s -
max time network
193s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
25-11-2022 12:31
Static task
static1
Behavioral task
behavioral1
Sample
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe
Resource
win10v2004-20220812-en
General
-
Target
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe
-
Size
20KB
-
MD5
787e18f089248caeb89d402668125743
-
SHA1
379a98b9de68ae6e58f131a83d8a21e2863ce5bf
-
SHA256
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6
-
SHA512
2cd061ea2272533ba035bc6251515dd9ef922a1a08fa346be8891efbd52855bf400598361f953c2cee35d8f0980139d111ff3a48c63193bea181e8bea64722d0
-
SSDEEP
192:Ch6L/HuSm0RAMyM+i1oynlEwwwyYmbypar8ws/:CUHuSmcAMyMv1fSgmby68ws
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
apupc.exepid process 320 apupc.exe -
Deletes itself 1 IoCs
Processes:
apupc.exepid process 320 apupc.exe -
Loads dropped DLL 1 IoCs
Processes:
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exepid process 1284 79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exedescription pid process target process PID 1284 wrote to memory of 320 1284 79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe apupc.exe PID 1284 wrote to memory of 320 1284 79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe apupc.exe PID 1284 wrote to memory of 320 1284 79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe apupc.exe PID 1284 wrote to memory of 320 1284 79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe apupc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe"C:\Users\Admin\AppData\Local\Temp\79e08220e55446b0c5bcc49a5ea07a96d6e4cc5de3822d9c5350e55447aa30a6.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Users\Admin\AppData\Local\Temp\apupc.exe"C:\Users\Admin\AppData\Local\Temp\apupc.exe"2⤵
- Executes dropped EXE
- Deletes itself
PID:320
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\apupc.exeFilesize
20KB
MD554c0b7c1d66bc50b95b3fd64d132284c
SHA1f2294d2302fc578062069ba775a20368183a65ed
SHA256d8bb1c3481202d64d87860f395ed1e3e272c5c6ee4c2136474ff8084011c8b0f
SHA512768d3fe78d9bb846d7d4d93dab143a265eea14f07a6e8a1afeb01b84543f756e9fc04eb85fcccafea3a259abcce01e03ac438fabd63f4b9d84734b3392cae319
-
C:\Users\Admin\AppData\Local\Temp\apupc.exeFilesize
20KB
MD554c0b7c1d66bc50b95b3fd64d132284c
SHA1f2294d2302fc578062069ba775a20368183a65ed
SHA256d8bb1c3481202d64d87860f395ed1e3e272c5c6ee4c2136474ff8084011c8b0f
SHA512768d3fe78d9bb846d7d4d93dab143a265eea14f07a6e8a1afeb01b84543f756e9fc04eb85fcccafea3a259abcce01e03ac438fabd63f4b9d84734b3392cae319
-
\Users\Admin\AppData\Local\Temp\apupc.exeFilesize
20KB
MD554c0b7c1d66bc50b95b3fd64d132284c
SHA1f2294d2302fc578062069ba775a20368183a65ed
SHA256d8bb1c3481202d64d87860f395ed1e3e272c5c6ee4c2136474ff8084011c8b0f
SHA512768d3fe78d9bb846d7d4d93dab143a265eea14f07a6e8a1afeb01b84543f756e9fc04eb85fcccafea3a259abcce01e03ac438fabd63f4b9d84734b3392cae319
-
memory/320-57-0x0000000000000000-mapping.dmp
-
memory/320-61-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1284-54-0x0000000075F51000-0x0000000075F53000-memory.dmpFilesize
8KB
-
memory/1284-55-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB