323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20

General

Target

323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
Size

36KB
MD5

06ec1ed9031b5f8c57dd5c1550d2c26e
SHA1

ca0ff93b43e81348b25151e666e024b88f1c05ba
SHA256

323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20
SHA512

b828a008ec92b1b423765368b7460b2ac3732b59058ecdbc8a48f88821bcc52279d9581c377be3231859f13f3ebc2a0aba14f7ee820d385e811d2e63ea293c01
SSDEEP

192:tXU60V/WmoI+af4R9JNRcJLef3Rmtj0IRmtSgUoynaYgH9L1nnCQBRmlFQ93M3pc:tk60V/wI4PJhGYSGS10tdLVC+w7QSc

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LiveUpdate.exe

pid process

560 LiveUpdate.exe
Loads dropped DLL 1 IoCs

Processes:

323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe

pid process

900 323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe

pid	process
560	LiveUpdate.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Thunder\LiveUpdate.exe	upx
behavioral2/memory/560-162-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/560-166-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/560-167-0x0000000000400000-0x000000000053F000-memory.dmp	upx
behavioral2/memory/560-175-0x0000000000400000-0x000000000053F000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

LiveUpdate.exe

description pid process target process

PID 560 set thread context of 5028 560 LiveUpdate.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4840 5028 WerFault.exe cmd.exe

description	pid	process	target process
PID 560 set thread context of 5028	560	LiveUpdate.exe	cmd.exe

pid	pid_target	process	target process
4840	5028	WerFault.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe

pid	process
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exeLiveUpdate.exe

pid	process
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
900	323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
560	LiveUpdate.exe
560	LiveUpdate.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

LiveUpdate.exe

description	pid	process	target process
PID 560 wrote to memory of 5028	560	LiveUpdate.exe	cmd.exe
PID 560 wrote to memory of 5028	560	LiveUpdate.exe	cmd.exe
PID 560 wrote to memory of 5028	560	LiveUpdate.exe	cmd.exe
PID 560 wrote to memory of 5028	560	LiveUpdate.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe
"C:\Users\Admin\AppData\Local\Temp\323e851ce262a9efbc96176a8720971df71e436470af0b08ff2bf755079aed20.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:900

C:\ProgramData\Thunder\LiveUpdate.exe
C:\ProgramData\Thunder\LiveUpdate.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:5028
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 80
    3⤵
    - Program crash
    PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5028 -ip 5028
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SqlVersion.dll

Filesize
911KB

MD5
8e92fc9c2dda5615002948562c612ef3

SHA1
bebacda192571508bb2010af7b9deafcf9948299

SHA256
a94cee609049fc7851f5a9c31a52d6bd9748ce3f4fd820689e9ff651dbf31ce8

SHA512
0e5a7b6a1fdf0f816161219e468fb981a75b8e8f415f1053cd7c64e9673b1a58b55c3b0e53e9b76edac7c40df01d404b5914ce775de1914a49c06c884dbf5b28

Download Submit
C:\ProgramData\SqlVersion.dll

Filesize
911KB

MD5
8e92fc9c2dda5615002948562c612ef3

SHA1
bebacda192571508bb2010af7b9deafcf9948299

SHA256
a94cee609049fc7851f5a9c31a52d6bd9748ce3f4fd820689e9ff651dbf31ce8

SHA512
0e5a7b6a1fdf0f816161219e468fb981a75b8e8f415f1053cd7c64e9673b1a58b55c3b0e53e9b76edac7c40df01d404b5914ce775de1914a49c06c884dbf5b28

Download Submit
C:\ProgramData\Thunder\LiveUpdate.dat

Filesize
29KB

MD5
0548ecfa93438e3126129b52c8aec910

SHA1
2bc74dc6ac92a8b92da0b90a92225304d1addd0b

SHA256
0951a0e07f3bf8fd0b2bc2bb84f2f9cb462b9e348eebc98e2b6de74c58eb13f8

SHA512
2fc3843c17ebfac7a420e7c75a68c6add88e53e137a9fdc3cc43dc0e1fb9dc5427890b7f1779853411e8c3d35fc6c0cfe29959220d11692ef69435905c229a56

Download Submit
C:\ProgramData\Thunder\LiveUpdate.exe

Filesize
470KB

MD5
96e4b47a136910d6f588b40d872e7f9d

SHA1
0d2eae5df6a4bbf79ec8cd3505d00c4bdabf331e

SHA256
f788ed739241f79688653d27aeefd18c9d8142a31fe0b5342535e392c040dd9b

SHA512
6776e37c4ed134003cdfe1c75e6133e805ee5a8db002710a14735c829fe66d24c3754c5033da6d2fd3e84b85df672b2f4862279bc04915ebfb798334c7f61cb4

Download Submit
memory/560-162-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/560-163-0x00000000025A0000-0x00000000025A7000-memory.dmp

Filesize
28KB

Download
memory/560-165-0x00000000025A0000-0x00000000025A7000-memory.dmp

Filesize
28KB

Download
memory/560-166-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/560-167-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download
memory/560-175-0x0000000000400000-0x000000000053F000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads