06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d

Analysis

max time kernel
162s
max time network
138s
platform
windows7_x64
resource
win7-en
submitted
14-09-2021 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe
Size

514KB
MD5

63432a8934949a6c8a0bac35a456187c
SHA1

32af0c79573747414a58fe518d70373b97b725e7
SHA256

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d
SHA512

d1f18d2703d6c8baff413711eea23b5b091b681e053b5c44f3e62f7e8b79566108a6f1b49c7c90a48ffecf3e0ced314cb13e80954f642c969a28d315136a1725

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1732-56-0x0000000010000000-0x0000000010082000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe

description	pid	process	target process
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe
"C:\Users\Admin\AppData\Local\Temp\06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:1732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
2⤵
PID:1112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-53-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1732-54-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download