06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d

Analysis

Target

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe
Size

514KB
MD5

63432a8934949a6c8a0bac35a456187c
SHA1

32af0c79573747414a58fe518d70373b97b725e7
SHA256

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d
SHA512

d1f18d2703d6c8baff413711eea23b5b091b681e053b5c44f3e62f7e8b79566108a6f1b49c7c90a48ffecf3e0ced314cb13e80954f642c969a28d315136a1725

Score

8^/10

upx

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1732-56-0x0000000010000000-0x0000000010082000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe

description	pid	process	target process
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1732	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	svchost.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe
PID 1656 wrote to memory of 1112	1656	06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe
"C:\Users\Admin\AppData\Local\Temp\06208e61333652d3aec0ea22dfe9e0f0bb798152e29b8992fc7f82d96a5e1e7d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:1732
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1112

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/1656-53-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/1732-54-0x0000000000000000-mapping.dmp

Download
memory/1732-56-0x0000000010000000-0x0000000010082000-memory.dmp

Filesize
520KB

Download