8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68

General

Target

8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe
Size

205KB
MD5

9dc71e4294f156afbca0e7d8d28cdc4a
SHA1

12155f83d090b889cf1353b576e47b05b2625092
SHA256

8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68
SHA512

1afae78e0cd7717ec67c1c2ac622c668949e52436570e40b0afe5903a4aa645f4d8d26d6801b6a3c7c62872e8e93fa3bbcd8482ff3da7c63572bb6e29a13a6f3
SSDEEP

3072:b1dlKwgj23+Oz05YoNozcraWugB9fKGZ/8BKIRO/SRtPDvxkVHK3cpEYlak:b1dlZro5y/hWXVPSRtPzxkVq3Mwk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1624	sexy me.scr
1548	sexy me.scr

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122c2-55.dat	upx
behavioral1/files/0x000b0000000122c2-56.dat	upx
behavioral1/files/0x000b0000000122c2-58.dat	upx
behavioral1/memory/1624-62-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x000b0000000122c2-66.dat	upx
behavioral1/files/0x000b0000000122c2-69.dat	upx
behavioral1/memory/1624-71-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe
1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 0	1624	sexy me.scr
PID 1624 set thread context of 0	1624	sexy me.scr
PID 1624 set thread context of 1548	1624	sexy me.scr	27

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\þðÒu!ÁYOå&ô\|ý¶˜CRª’ªò1s…FäÚ¶Ã=èÑðƒgØÿ·>Îa×+f'zÔ§ÏíP"R<¼3ß>ò=ðTVóØ€Ñ\‚Ž)!„%¼¥õqm…ˆžäÅ¼Ã<jþÝ8åpáÂç‘¯m>¬Òâ‹à3ÿõ: :]‡¹8çúó«ðÒä%eNO Ãf°îÇÒ+%fÀ#É•{˜ìJÞÎ[^{Ñó†PMùC7«QhÛÿ>ŽƒÞ«ö¿Ûí™±€ƒyµU‚	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1548	sexy me.scr
1548	sexy me.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
740	DllHost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1624	sexy me.scr

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1624	1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	26
PID 1488 wrote to memory of 1624	1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	26
PID 1488 wrote to memory of 1624	1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	26
PID 1488 wrote to memory of 1624	1488	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	26
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 0	1624	sexy me.scr
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1624 wrote to memory of 1548	1624	sexy me.scr	27
PID 1548 wrote to memory of 1416	1548	sexy me.scr	15
PID 1548 wrote to memory of 1416	1548	sexy me.scr	15
PID 1548 wrote to memory of 1416	1548	sexy me.scr	15
PID 1548 wrote to memory of 1416	1548	sexy me.scr	15

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe
  "C:\Users\Admin\AppData\Local\Temp\8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe"
  2⤵
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Extracted\sexy me.scr
    "C:\Extracted\sexy me.scr" /S
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Extracted\sexy me.scr
      "C:\Extracted\sexy me.scr"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1548

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\images.jpg

Filesize
5KB

MD5
1dfee4b07030347eeecd4fe6ff18c36c

SHA1
ba237a3cfb40e2c694e24640da4413969d4fdd5f

SHA256
2f6a7364fd4e0109bf0c7fd609e073e35b35df62e613e6cd94e0140f3e52c57e

SHA512
25e1dc9540c805e9a25797c2e6bfd7a2d17a9b232c8380593c0d79d72403353c9cc5bbb928c6ff7d1f73989fd9cb8b685f8e018e34e5bdc11aec3a76915aedc8

Download Submit
C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
memory/0-64-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/0-65-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1416-74-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1488-60-0x00000000031A0000-0x00000000031F8000-memory.dmp

Filesize
352KB

Download
memory/1488-61-0x00000000031A0000-0x00000000031F8000-memory.dmp

Filesize
352KB

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1548-67-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1548-77-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1548-72-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1624-62-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1624-71-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing