Analysis

max time kernel: 148s
max time network: 180s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-11-2022 17:25

Static task: static1

Behavioral task: behavioral1
Sample: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
Resource: win10v2004-20221111-en
General

Target: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
Size: 814KB
MD5: 401072f6b087f742d80cb9b6f4394141
SHA1: 58024ebb3fd04470984581b4cdafd732748774e1
SHA256: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f
SHA512: 422bfc1ea8e0ef7fb7f04325ef619ec7f6c8e865a20d62a7e30e9647186e9d6421f410228ebfc70611413bde8d7ca112536ed42e2e8cd3faec79ac2b2e184375
SSDEEP: 12288:LmQZ4NUMNEUHLsrUYVcYkzot2bdOHOJWZDFonFucyJoES+AXV:ZZ4CreJYVcYYoD2OAXV
Malware Config
Signatures

NirSoft MailPassView (1 IoC)
Password recovery tool for various email clients
Processes:
  resource: behavioral2/memory/1732-145-0x0000000002140000-0x00000000021D0000-memory.dmp
  yara_rule: MailPassView

NirSoft WebBrowserPassView (1 IoC)
Password recovery tool for various web browsers
Processes:
  resource: behavioral2/memory/1732-145-0x0000000002140000-0x00000000021D0000-memory.dmp
  yara_rule: WebBrowserPassView

Nirsoft (1 IoC)
Processes:
  resource: behavioral2/memory/1732-145-0x0000000002140000-0x00000000021D0000-memory.dmp
  yara_rule: Nirsoft
Executes dropped EXE (2 IoCs)
Processes:
  pid 1112  process: Windows Update.exe
  pid 456   process: Windows Update.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation
  process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description: PID 2656 set thread context of 1732
    process: 2656 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
  description: PID 1112 set thread context of 456
    process: 1112 Windows Update.exe
    target process: Windows Update.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid 2656  process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
  pid 1112  process: Windows Update.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description: PID 2656 wrote to memory of 1732
    process: 2656 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
  description: PID 2656 wrote to memory of 1732
    process: 2656 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
  description: PID 2656 wrote to memory of 1732
    process: 2656 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
  description: PID 1732 wrote to memory of 1112
    process: 1732 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: Windows Update.exe
  description: PID 1732 wrote to memory of 1112
    process: 1732 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: Windows Update.exe
  description: PID 1732 wrote to memory of 1112
    process: 1732 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
    target process: Windows Update.exe
  description: PID 1112 wrote to memory of 456
    process: 1112 Windows Update.exe
    target process: Windows Update.exe
  description: PID 1112 wrote to memory of 456
    process: 1112 Windows Update.exe
    target process: Windows Update.exe
  description: PID 1112 wrote to memory of 456
    process: 1112 Windows Update.exe
    target process: Windows Update.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2656

   2. C:\Users\Admin\AppData\Local\Temp\8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f.exe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 1732

      3. C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 1112

         4. C:\Users\Admin\AppData\Roaming\Windows Update.exe
            Command line: C:\Users\Admin\AppData\Roaming\Windows Update.exe"
            - Executes dropped EXE
            PID: 456
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 814KB
  MD5: 401072f6b087f742d80cb9b6f4394141
  SHA1: 58024ebb3fd04470984581b4cdafd732748774e1
  SHA256: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f
  SHA512: 422bfc1ea8e0ef7fb7f04325ef619ec7f6c8e865a20d62a7e30e9647186e9d6421f410228ebfc70611413bde8d7ca112536ed42e2e8cd3faec79ac2b2e184375

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 814KB
  MD5: 401072f6b087f742d80cb9b6f4394141
  SHA1: 58024ebb3fd04470984581b4cdafd732748774e1
  SHA256: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f
  SHA512: 422bfc1ea8e0ef7fb7f04325ef619ec7f6c8e865a20d62a7e30e9647186e9d6421f410228ebfc70611413bde8d7ca112536ed42e2e8cd3faec79ac2b2e184375

C:\Users\Admin\AppData\Roaming\Windows Update.exe
  Filesize: 814KB
  MD5: 401072f6b087f742d80cb9b6f4394141
  SHA1: 58024ebb3fd04470984581b4cdafd732748774e1
  SHA256: 8b99d632f384bc365e1b478dde82e030a5dc3eb51b9f58767bd4012a50d83f8f
  SHA512: 422bfc1ea8e0ef7fb7f04325ef619ec7f6c8e865a20d62a7e30e9647186e9d6421f410228ebfc70611413bde8d7ca112536ed42e2e8cd3faec79ac2b2e184375
memory/456-158-0x0000000000000000-mapping.dmp
memory/1112-160-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1112-151-0x0000000000000000-mapping.dmp
memory/1732-140-0x0000000000400000-0x0000000000477000-memory.dmp  Filesize: 476KB
memory/1732-145-0x0000000002140000-0x00000000021D0000-memory.dmp  Filesize: 576KB
memory/1732-148-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1732-149-0x0000000074920000-0x0000000074ED1000-memory.dmp  Filesize: 5.7MB
memory/1732-150-0x0000000074920000-0x0000000074ED1000-memory.dmp  Filesize: 5.7MB
memory/1732-144-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1732-143-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1732-156-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1732-157-0x0000000074920000-0x0000000074ED1000-memory.dmp  Filesize: 5.7MB
memory/1732-137-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB
memory/1732-135-0x0000000000000000-mapping.dmp
memory/2656-134-0x00000000023C0000-0x00000000023C7000-memory.dmp  Filesize: 28KB
memory/2656-136-0x00000000772B0000-0x0000000077453000-memory.dmp  Filesize: 1.6MB