Analysis
max time kernel: 220s
max time network: 224s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-11-2022 08:38
Static task: static1
Behavioral task: behavioral1
Sample: e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
Resource: win7-20221111-en
General
Target: e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
Size: 1.4MB
MD5: 4cb53d176ff7bcbd128442aae02a099a
SHA1: f36482b9a29ee5e0d200ba2e3243f2b6ff89a635
SHA256: e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc
SHA512: 2b86d268176dd5d4597a4d2141570f3736b4bd2ef767ec6da5af392627704c8b99cd1975d017d39af2b99bc048a82f68068e9fdccc9236ec27d9f1eec0299bad
SSDEEP: 24576:CiA6O+E+25Zq4qCN3yQtEOzFxa1LBUYrFgzxzFSO2KDAXiW6BlDv:Lrgqc5tza8P0TKP
Malware Config
Signatures

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
resource: behavioral2/memory/2572-138-0x0000000000400000-0x00000000004F0000-memory.dmp  yara_rule: MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
resource: behavioral2/memory/2572-138-0x0000000000400000-0x00000000004F0000-memory.dmp  yara_rule: WebBrowserPassView

Nirsoft (1 IoC)
resource: behavioral2/memory/2572-138-0x0000000000400000-0x00000000004F0000-memory.dmp  yara_rule: Nirsoft

Executes dropped EXE (2 IoCs)
pid 2236  Windows Update.exe
pid 2904  Windows Update.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation  process: e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  process: Windows Update.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 110  whatismyipaddress.com
flow 112  whatismyipaddress.com

Suspicious use of SetThreadContext (2 IoCs)
PID 1420 set thread context of 2572  (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe -> e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe)
PID 2236 set thread context of 2904  (Windows Update.exe -> Windows Update.exe)

Drops file in Windows directory (2 IoCs)
File opened for modification: C:\Windows\26  process: Windows Update.exe
File opened for modification: C:\Windows\28  process: Windows Update.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid 1420  e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe  (3 events)
pid 2236  Windows Update.exe  (1 event)
pid 2904  Windows Update.exe  (60 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token: SeDebugPrivilege  pid 1420  e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
Token: SeDebugPrivilege  pid 2236  Windows Update.exe
Token: SeDebugPrivilege  pid 2904  Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid 2904  Windows Update.exe

Suspicious use of WriteProcessMemory (34 IoCs)
PID 1420 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe) wrote to memory of 3856 (CMD.exe)  x3
PID 1420 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe) wrote to memory of 3060 (CMD.exe)  x3
PID 1420 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe) wrote to memory of 1056 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe)  x3
PID 1420 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe) wrote to memory of 2572 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe)  x8
PID 2572 (e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe) wrote to memory of 2236 (Windows Update.exe)  x3
PID 2236 (Windows Update.exe) wrote to memory of 4812 (CMD.exe)  x3
PID 2236 (Windows Update.exe) wrote to memory of 4336 (CMD.exe)  x3
PID 2236 (Windows Update.exe) wrote to memory of 2904 (Windows Update.exe)  x8
Processes

[1] C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\CMD.exe
        command line: "CMD"
    [2] C:\Windows\SysWOW64\CMD.exe
        command line: "CMD"
    [2] C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe"
    [2] C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc.exe"
        - Checks computer location settings
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\Windows Update.exe
            command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\CMD.exe
                command line: "CMD"
            [4] C:\Windows\SysWOW64\CMD.exe
                command line: "CMD"
            [4] C:\Users\Admin\AppData\Roaming\Windows Update.exe
                command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Windows directory
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
Filesize: 102B
MD5: edce12c3e2927fda6c3dbd6ab1054b4d
SHA1: 716b2d8289968637c6edf3784659583d843c6ddf
SHA256: 612499c5e814f763549196ad79500e5863eb71b8b21f8eaa7b3c10541e5b37a5
SHA512: c5a344f89ce0833f32069ea150cf2974dd22e063deaf49bd53d282218912439eb3b1c43cfa9d2dab4b18f84b8d5cbba558fc6f0436bf1ed432d4f638d51a4c8a

C:\Users\Admin\AppData\Roaming\Windows Update.exe (3 identical entries; same hashes as the submitted sample)
Filesize: 1.4MB
MD5: 4cb53d176ff7bcbd128442aae02a099a
SHA1: f36482b9a29ee5e0d200ba2e3243f2b6ff89a635
SHA256: e88277164def6f447b033bd93e3f3279518182a538a7ed377af3aba8b30cc4bc
SHA512: 2b86d268176dd5d4597a4d2141570f3736b4bd2ef767ec6da5af392627704c8b99cd1975d017d39af2b99bc048a82f68068e9fdccc9236ec27d9f1eec0299bad
Memory dumps
memory/1056-136-0x0000000000000000-mapping.dmp
memory/1420-133-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/1420-132-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/1420-141-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2236-145-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2236-155-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2236-154-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2236-142-0x0000000000000000-mapping.dmp
memory/2572-146-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2572-140-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2572-139-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2572-138-0x0000000000400000-0x00000000004F0000-memory.dmp  Filesize: 960KB
memory/2572-137-0x0000000000000000-mapping.dmp
memory/2904-149-0x0000000000000000-mapping.dmp
memory/2904-152-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/2904-156-0x0000000074E50000-0x0000000075401000-memory.dmp  Filesize: 5.7MB
memory/3060-135-0x0000000000000000-mapping.dmp
memory/3856-134-0x0000000000000000-mapping.dmp
memory/4336-148-0x0000000000000000-mapping.dmp
memory/4812-147-0x0000000000000000-mapping.dmp