c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2

Analysis

max time kernel
28s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/01/2023, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
Size

3.6MB
MD5

e00465200ce344eaab4ad770c2ac40c2
SHA1

a4e89fbc80b9e4b5b020912d4c26f6b8e577217c
SHA256

c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2
SHA512

8e97496f0a779b79488d75bcc68108039c762e856f3907d8c17a4099d3376fa77a655649539c2fd4cdc305241638625cb250df962be877a249611b0cfc439a89
SSDEEP

98304:1Zk1vrnRrYpSQghu4BRC4XRlfquCGFLI+d:4BrRhu4BRC4jfqwLI+d

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2040	UpdateTool.exe

Loads dropped DLL 7 IoCs

pid	Process
1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
2040	UpdateTool.exe
2040	UpdateTool.exe
2040	UpdateTool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2040	UpdateTool.exe
2040	UpdateTool.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28
PID 1748 wrote to memory of 2040	1748	c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe	28

C:\Users\Admin\AppData\Local\Temp\c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe
"C:\Users\Admin\AppData\Local\Temp\c88e661d84f63639866bc1f42c969e26a5cd49671cbfe4d664409a9a86db2af2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.ini

Filesize
510B

MD5
7b564d4eee5bd94e26b7a901d5ae53c6

SHA1
90add253cc8db805c0264194d1ccadc965a2136c

SHA256
6f74ab70adca2a5bdb0cacb749a0c3c76f771898164643c07435b3e9565c1aa8

SHA512
70e09e9950660d0e0f44f6634257c33226d810fda86d569245a0423a6d2a9740e8d99c5158e9791cb604c8aa340919e12f3f1227479c1c5deee7cb6a0544aa5f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\UpdateTool.exe

Filesize
296KB

MD5
a5a66863f28aa31dea8ee19cd645bda5

SHA1
fa0612fc61aaadb728f3ae70ca27716e3c72bdc1

SHA256
86ae6cdb4706fb78b4bbaf8eaa9d5e2f88c90951a5c0f498602621c8ec1925cd

SHA512
4f43457c5f30413bb6d268cb45c2d09b44c3381a93a9ccd68602ba439aed19e4666cbd323429ace16568225a47fcf4a3178a9d9cd105c529eceff343d5860c6a

Download Submit
memory/1748-54-0x00000000767F1000-0x00000000767F3000-memory.dmp

Filesize
8KB

Download