37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b

Analysis

max time kernel
132s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
Size

420KB
MD5

e1286ea43b3659744170817636ad5b77
SHA1

dc7cc793a8064eaaa35d32caeb6151b4cc6657d7
SHA256

37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b
SHA512

dfb953712ab8ae8bdd69630cefb239224c8c45ab49af76faaaa83dcc601326e64d7d47cb6e2022c036ece88dcc0639faca3d56cb8198bc83ee0193dfe65fda9f
SSDEEP

6144:mGn41XHkt9zJaz/zwzMIgVUh3MmQwei+dOoEjJn8iXKRpbUFCXKU+33XQJJ3F:tn41Tz8FkUGmQrioOqia7EXo3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1484	~DF9B28.tmp
780	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
768	cupate.exe
1664	mscaps.exe

Deletes itself 1 IoCs

pid	Process
1484	~DF9B28.tmp

Loads dropped DLL 4 IoCs

pid	Process
1484	~DF9B28.tmp
1484	~DF9B28.tmp
1484	~DF9B28.tmp
1484	~DF9B28.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\cupate.exe	~DF9B28.tmp
File opened for modification	C:\Windows\SysWOW64\cupate.exe	~DF9B28.tmp
File created	C:\Windows\SysWOW64\mscaps.exe	cupate.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	cupate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1484	900	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	28
PID 900 wrote to memory of 1484	900	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	28
PID 900 wrote to memory of 1484	900	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	28
PID 900 wrote to memory of 1484	900	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	28
PID 1484 wrote to memory of 780	1484	~DF9B28.tmp	29
PID 1484 wrote to memory of 780	1484	~DF9B28.tmp	29
PID 1484 wrote to memory of 780	1484	~DF9B28.tmp	29
PID 1484 wrote to memory of 780	1484	~DF9B28.tmp	29
PID 1484 wrote to memory of 768	1484	~DF9B28.tmp	30
PID 1484 wrote to memory of 768	1484	~DF9B28.tmp	30
PID 1484 wrote to memory of 768	1484	~DF9B28.tmp	30
PID 1484 wrote to memory of 768	1484	~DF9B28.tmp	30
PID 768 wrote to memory of 1664	768	cupate.exe	31
PID 768 wrote to memory of 1664	768	cupate.exe	31
PID 768 wrote to memory of 1664	768	cupate.exe	31
PID 768 wrote to memory of 1664	768	cupate.exe	31

C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
"C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\~DF9B28.tmp
  C:\Users\Admin\AppData\Local\Temp\~DF9B28.tmp _$PID:112 _$EXE:C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe _$CMDLINE:
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
    C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
    3⤵
    - Executes dropped EXE
    PID:780
- - C:\Windows\SysWOW64\cupate.exe
    "C:\Windows\System32\cupate.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\mscaps.exe
      "C:\Windows\system32\mscaps.exe" /C:\Windows\SysWOW64\cupate.exe
      4⤵
      Executes dropped EXE
      PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe

Filesize
68KB

MD5
8b4cbba1ea526830c7f97e7822e2493a

SHA1
e519f493e42694c564aaa347745bab035bbcb3d9

SHA256
1dfd05b1c0050db44f5b4293e5574bfc292af804a63fc0a70131bb498c326977

SHA512
d1264f010d21aed0db2cc5749327866605ed701db42541cfe712ba2cedba78360cb2322b76d7101ddf18b7f9311c185d3c08589a4b66d00ea57977664299c6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9B28.tmp

Filesize
420KB

MD5
e1286ea43b3659744170817636ad5b77

SHA1
dc7cc793a8064eaaa35d32caeb6151b4cc6657d7

SHA256
37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b

SHA512
dfb953712ab8ae8bdd69630cefb239224c8c45ab49af76faaaa83dcc601326e64d7d47cb6e2022c036ece88dcc0639faca3d56cb8198bc83ee0193dfe65fda9f

Download Submit
C:\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
C:\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
7465eb9764842e2281d443d12809b07b

SHA1
6b6e12fd43fcfdd9253190c44a1ac315644c3dbb

SHA256
061f1383cef06b07a77fe2c136e6a3e18f5eeaa9030b452e6312e3763a5e7f6b

SHA512
2d69e83328abcc76915cfbbb7b6e9202697be2d6f385b4aa80551286c190eaee1e3c8ffe61b013448ca582abd78c262cbc2b3b4d565901699486aaa4fd346980

Download Submit
\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe

Filesize
68KB

MD5
8b4cbba1ea526830c7f97e7822e2493a

SHA1
e519f493e42694c564aaa347745bab035bbcb3d9

SHA256
1dfd05b1c0050db44f5b4293e5574bfc292af804a63fc0a70131bb498c326977

SHA512
d1264f010d21aed0db2cc5749327866605ed701db42541cfe712ba2cedba78360cb2322b76d7101ddf18b7f9311c185d3c08589a4b66d00ea57977664299c6e6

Download Submit
\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe

Filesize
68KB

MD5
8b4cbba1ea526830c7f97e7822e2493a

SHA1
e519f493e42694c564aaa347745bab035bbcb3d9

SHA256
1dfd05b1c0050db44f5b4293e5574bfc292af804a63fc0a70131bb498c326977

SHA512
d1264f010d21aed0db2cc5749327866605ed701db42541cfe712ba2cedba78360cb2322b76d7101ddf18b7f9311c185d3c08589a4b66d00ea57977664299c6e6

Download Submit
\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
memory/900-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download