10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088

General

Target

10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
Size

521KB
MD5

b59017e1b2c478b22c7079e2881ce4a4
SHA1

5443180e24ed328182a435f95a919d2f4b8fcc24
SHA256

10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088
SHA512

0e8333a43dfe346c4b5898dc9ae5b054b160b264e3fd8338cc010dd337549610ef9207d732d33177ca406420ecbae4b88bcf4dc47687721f6044516c59492559
SSDEEP

12288:tKFbvjITRVN6B5SFuf2es2TX1EDFzzvhE+XSIVmPI2cL:tPRD+Uz5E/Yn7

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1704	meh.exe
520	vbc.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/520-64-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/520-66-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/520-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/520-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/520-76-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Loads dropped DLL 1 IoCs

pid	Process
1704	meh.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 520	1704	meh.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
520	vbc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1704	1672	10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe	27
PID 1672 wrote to memory of 1704	1672	10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe	27
PID 1672 wrote to memory of 1704	1672	10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe	27
PID 1672 wrote to memory of 1704	1672	10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe	27
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29
PID 1704 wrote to memory of 520	1704	meh.exe	29

C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe
"C:\Users\Admin\AppData\Local\Temp\10d9739a98aff94460c59fc66b3d8d296933e03e6d98aab537d3d69c05d50088.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\meh.exe
  "C:\Users\Admin\AppData\Local\Temp\meh.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\vbc.exe
    C:\Users\Admin\AppData\Local\Temp\vbc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\meh.exe

Filesize
216KB

MD5
fe40685e334fb812696f4bc50735e11f

SHA1
4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173

SHA256
a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7

SHA512
b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\meh.exe

Filesize
216KB

MD5
fe40685e334fb812696f4bc50735e11f

SHA1
4ea50ab2fd1e7dcebc7c741503ab03d4e1c77173

SHA256
a5e147de4abfc324fad4000d958f8ca848251339be66228303fe45852c4cd2d7

SHA512
b4b0fb9b6a86d44b890d25a2e93bad3204c61169d59a05e1c016f80c3255775712fac7e479fc2c534a2b52b07fb3eb9ff20e50beff8847f3181a6e7ceb9c6d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe

Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/520-66-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/520-76-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/520-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/520-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/520-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/520-64-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1672-61-0x0000000000496000-0x00000000004B5000-memory.dmp

Filesize
124KB

Download
memory/1672-54-0x000007FEF4230000-0x000007FEF4C53000-memory.dmp

Filesize
10.1MB

Download
memory/1672-55-0x000007FEF2DC0000-0x000007FEF3E56000-memory.dmp

Filesize
16.6MB

Download
memory/1672-56-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1704-60-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1704-74-0x0000000074670000-0x0000000074C1B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing