51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351

General

Target

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
Size

1.6MB
MD5

8dc37e79dea9c99664a8025a21870d3c
SHA1

b8b93e441f4d781412375f2844a3d3978ac03143
SHA256

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351
SHA512

b5d14b97406c5a2620e48025a661d28dbd37faa76e457904eb7bc66e31728025f99ad0a2536a187ee962cb24b7aa322d6eb8cb6ed41609c4c0ccf538a921b461

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1420-87-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-90-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-93-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-96-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-99-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-100-0x0000000001610000-0x000000000171E000-memory.dmp	upx
behavioral1/memory/1420-101-0x0000000001610000-0x000000000171E000-memory.dmp	upx

Drops startup file 1 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

description	pid	process	target process
PID 996 set thread context of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 1396 set thread context of 1508	1396	vbc.exe	vbc.exe
PID 1508 set thread context of 1420	1508	vbc.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

pid	process
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1420	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe
1396	vbc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

pid	process
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

pid	process
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

vbc.exevbc.exevbc.exe

pid process

1396 vbc.exe
1508 vbc.exe
1420 vbc.exe

pid	process
1396	vbc.exe
1508	vbc.exe
1420	vbc.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exevbc.exevbc.exe

description	pid	process	target process
PID 292 wrote to memory of 996	292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 292 wrote to memory of 996	292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 292 wrote to memory of 996	292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 292 wrote to memory of 996	292	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 996 wrote to memory of 1396	996	51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1396 wrote to memory of 1508	1396	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe
PID 1508 wrote to memory of 1420	1508	vbc.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
"C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:292

C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe
"C:\Users\Admin\AppData\Local\Temp\51eeac69a7ec95246f2911db6c24103f6d4641ad9d0bc9d7a05ba76cfc73a351.exe" /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.bin
Filesize
885KB

MD5
c60dafa7d098bce3164c41e85d20ea46

SHA1
e55ba0351ddb540aba0edf3e3f28013c8290ba28

SHA256
fc0d3a9a6cdf50d835b48ee93150e56b9d16f08cc747bc6809120f23a78845c0

SHA512
c0b5577d63f5f9d44c4243a5bf23bd2f5caaaa07da6beebc3b5c8ad213f3eaa322ee74642ae7677837818565ed1a8b5901f1b179da9d334e49064eb1a635f441

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.dat
Filesize
2B

MD5
93e00066d099c0485cfffa1359246d26

SHA1
bc69a773f37b2f2071e25f755a66d47b871e5d98

SHA256
3b271649a94ad5be4ef46ecbb6a4e7363e8498b7e69b751737bf30df2e0d1dde

SHA512
d3dfe508cacae7d36f13908134b5b438b87429fcf93ccb060bcfa346c04633a99e9ca497297418c969537be1da2405171982794055dd0f52e59a82720d3b3d02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\9hGVNkAaKZH\9hGVNkAaKZH.nfo
Filesize
3KB

MD5
5fae023d0f4d9d94bcdbf6b5581a71ca

SHA1
b6569e50b87b53c912430e8fe1dc1eda4192053e

SHA256
1ff222637a9ef5c034bba5747b119bba0b7635aaf308832d2410d83b89f07ea2

SHA512
97718df3e5f51d20966e4682bcd3ec29b43deafa912b46977197d51e55a1a34431f601462d658e58f5b6057e6708315b38f3a7432494ba8b0dbac31471b90b1c

Download Submit
memory/292-54-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/996-55-0x0000000000000000-mapping.dmp

Download
memory/1396-58-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1396-59-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1396-61-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1396-64-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1396-65-0x0000000000403090-mapping.dmp

Download
memory/1396-70-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1420-106-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/1420-90-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-103-0x0000000001611000-0x00000000016C4000-memory.dmp

Filesize
716KB

Download
memory/1420-102-0x00000000016C4000-0x000000000171C000-memory.dmp

Filesize
352KB

Download
memory/1420-101-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-100-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-99-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-96-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-95-0x000000000171B950-mapping.dmp

Download
memory/1420-93-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-86-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1420-87-0x0000000001610000-0x000000000171E000-memory.dmp

Filesize
1.1MB

Download
memory/1508-71-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-85-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-84-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-97-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-82-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-80-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-81-0x00000000004085B0-mapping.dmp

Download
memory/1508-78-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-77-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-76-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-75-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-74-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1508-72-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads