37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b

General

Target

37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
Size

420KB
MD5

e1286ea43b3659744170817636ad5b77
SHA1

dc7cc793a8064eaaa35d32caeb6151b4cc6657d7
SHA256

37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b
SHA512

dfb953712ab8ae8bdd69630cefb239224c8c45ab49af76faaaa83dcc601326e64d7d47cb6e2022c036ece88dcc0639faca3d56cb8198bc83ee0193dfe65fda9f
SSDEEP

6144:mGn41XHkt9zJaz/zwzMIgVUh3MmQwei+dOoEjJn8iXKRpbUFCXKU+33XQJJ3F:tn41Tz8FkUGmQrioOqia7EXo3

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1936	~DF63C0.tmp
1448	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
2844	cupate.exe
112	mscaps.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	~DF63C0.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mscaps.exe	cupate.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	cupate.exe
File created	C:\Windows\SysWOW64\cupate.exe	~DF63C0.tmp
File opened for modification	C:\Windows\SysWOW64\cupate.exe	~DF63C0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1936	2564	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	78
PID 2564 wrote to memory of 1936	2564	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	78
PID 2564 wrote to memory of 1936	2564	37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe	78
PID 1936 wrote to memory of 1448	1936	~DF63C0.tmp	79
PID 1936 wrote to memory of 1448	1936	~DF63C0.tmp	79
PID 1936 wrote to memory of 1448	1936	~DF63C0.tmp	79
PID 1936 wrote to memory of 2844	1936	~DF63C0.tmp	80
PID 1936 wrote to memory of 2844	1936	~DF63C0.tmp	80
PID 1936 wrote to memory of 2844	1936	~DF63C0.tmp	80
PID 2844 wrote to memory of 112	2844	cupate.exe	82
PID 2844 wrote to memory of 112	2844	cupate.exe	82
PID 2844 wrote to memory of 112	2844	cupate.exe	82

C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
"C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Users\Admin\AppData\Local\Temp\~DF63C0.tmp
  C:\Users\Admin\AppData\Local\Temp\~DF63C0.tmp _$PID:308 _$EXE:C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe _$CMDLINE:
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
    C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Windows\SysWOW64\cupate.exe
    "C:\Windows\System32\cupate.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\mscaps.exe
      "C:\Windows\system32\mscaps.exe" /C:\Windows\SysWOW64\cupate.exe
      4⤵
      Executes dropped EXE
      PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b.exe

Filesize
68KB

MD5
8b4cbba1ea526830c7f97e7822e2493a

SHA1
e519f493e42694c564aaa347745bab035bbcb3d9

SHA256
1dfd05b1c0050db44f5b4293e5574bfc292af804a63fc0a70131bb498c326977

SHA512
d1264f010d21aed0db2cc5749327866605ed701db42541cfe712ba2cedba78360cb2322b76d7101ddf18b7f9311c185d3c08589a4b66d00ea57977664299c6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF63C0.tmp

Filesize
420KB

MD5
e1286ea43b3659744170817636ad5b77

SHA1
dc7cc793a8064eaaa35d32caeb6151b4cc6657d7

SHA256
37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b

SHA512
dfb953712ab8ae8bdd69630cefb239224c8c45ab49af76faaaa83dcc601326e64d7d47cb6e2022c036ece88dcc0639faca3d56cb8198bc83ee0193dfe65fda9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF63C0.tmp

Filesize
420KB

MD5
e1286ea43b3659744170817636ad5b77

SHA1
dc7cc793a8064eaaa35d32caeb6151b4cc6657d7

SHA256
37c5be1284b6b1e428de3978bc585c86bf381553aaba14b1d1a494da1f13277b

SHA512
dfb953712ab8ae8bdd69630cefb239224c8c45ab49af76faaaa83dcc601326e64d7d47cb6e2022c036ece88dcc0639faca3d56cb8198bc83ee0193dfe65fda9f

Download Submit
C:\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
C:\Windows\SysWOW64\cupate.exe

Filesize
276KB

MD5
74cb6d7528cb43b6ae6886481439b8c8

SHA1
9f198d43be925e2e6536d5376ab27fcadb224859

SHA256
fa89f4c4d2730b4f083df903977ac5da9869d3db15e25ec65a28feb236a6ace4

SHA512
f8f716f97cb1a552af1eeeca81fe8aa150fc2cc1a98adca401be53d3fdad58bfa8bc618c52079e60d96db391a82e3d27ffb3f4b10db1c722802d6d2a7c1ea8e5

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
7465eb9764842e2281d443d12809b07b

SHA1
6b6e12fd43fcfdd9253190c44a1ac315644c3dbb

SHA256
061f1383cef06b07a77fe2c136e6a3e18f5eeaa9030b452e6312e3763a5e7f6b

SHA512
2d69e83328abcc76915cfbbb7b6e9202697be2d6f385b4aa80551286c190eaee1e3c8ffe61b013448ca582abd78c262cbc2b3b4d565901699486aaa4fd346980

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
7465eb9764842e2281d443d12809b07b

SHA1
6b6e12fd43fcfdd9253190c44a1ac315644c3dbb

SHA256
061f1383cef06b07a77fe2c136e6a3e18f5eeaa9030b452e6312e3763a5e7f6b

SHA512
2d69e83328abcc76915cfbbb7b6e9202697be2d6f385b4aa80551286c190eaee1e3c8ffe61b013448ca582abd78c262cbc2b3b4d565901699486aaa4fd346980

Download Submit

Analysis

Sharing