37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1

Analysis

max time kernel
31s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 00:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
Size

356KB
MD5

c954cecc8a538f667d7c22f7712c689c
SHA1

26cc7f6e51888384f898aa97f97cdf61d2cb04c5
SHA256

37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1
SHA512

9cda5c81216caca039b314d31ab245537355b33e77fa3f458df84f59c0cb64c80a6b0178a7b9cc2e7b409576600389d8d1903d6d25030ec439a0c5b9e6280aa5
SSDEEP

6144:Ie348RTnYQHYTRjbGqaY/ySz/Do2dtFGFC0MmWdDoGO8Iw6Wd2oGO8IL:PTz4dGqBqSHdLOz5Wdk4AWd/40

Score

8^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1176	LiveUpdateWPP.exe
2032	LiveUpdateWPP.exe

Loads dropped DLL 7 IoCs

pid	Process
940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
1176	LiveUpdateWPP.exe
1176	LiveUpdateWPP.exe
940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
File created	C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP_uninstaller.exe	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28
PID 940 wrote to memory of 1176	940	37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe	28

C:\Users\Admin\AppData\Local\Temp\37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe
"C:\Users\Admin\AppData\Local\Temp\37cbcc4a5322bdf93a3049b8bd2326336cc8af6652716c4da09cc7be7bd6d2f1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:940
- C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe
  "C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe" /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1176

C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe
"C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe"
1⤵
- Executes dropped EXE
PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
C:\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
\Program Files (x86)\LiveUpdateWPP\LiveUpdateWPP.exe

Filesize
416KB

MD5
6acb17f9ef3c6c1862c7880667f88f8e

SHA1
81f6136f353df95da7025424570acd2ee6a5a8c0

SHA256
25ebeda57b3404388a3d019994d7cb810c99799b7eea16ca643d3fc0b652b709

SHA512
aefcd60ad34b935a2dbdb854820296d0a9ab6f1407275909aa711f247bee595608cf5d9296d42bcaf68624c00061912748d4b969b2310724a1d8cb12d05c6ccd

Download Submit
\Users\Admin\AppData\Local\Temp\nstA67E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstA67E.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstA67E.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstA67E.tmp\safed.dll

Filesize
134KB

MD5
e589fa816e6065cc78bcb5c5837cdb5d

SHA1
c48ac52ba31b223f9bdde1125884ebd5825e994a

SHA256
937cd37f651e009457b5f09a6d331ba767282634263aa6252eaab16612f47add

SHA512
eefe6a0eeddd353fa938fed1292018d6f0847b1d37a4d6a4f27ea0259c5da1edfebdfc878da667953149bc81c0e8855bdcf454383be04d8cba817d4d457aa637

Download Submit
memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download