8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68

General

Target

8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe
Size

205KB
MD5

9dc71e4294f156afbca0e7d8d28cdc4a
SHA1

12155f83d090b889cf1353b576e47b05b2625092
SHA256

8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68
SHA512

1afae78e0cd7717ec67c1c2ac622c668949e52436570e40b0afe5903a4aa645f4d8d26d6801b6a3c7c62872e8e93fa3bbcd8482ff3da7c63572bb6e29a13a6f3
SSDEEP

3072:b1dlKwgj23+Oz05YoNozcraWugB9fKGZ/8BKIRO/SRtPDvxkVHK3cpEYlak:b1dlZro5y/hWXVPSRtPzxkVq3Mwk

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4196	sexy me.scr
720	sexy me.scr

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022f5a-133.dat	upx
behavioral2/files/0x0006000000022f5a-134.dat	upx
behavioral2/files/0x0006000000022f5a-141.dat	upx
behavioral2/memory/4196-143-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4196 set thread context of 0	4196	sexy me.scr
PID 4196 set thread context of 0	4196	sexy me.scr
PID 4196 set thread context of 720	4196	sexy me.scr	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\þðÒu!ÁYOå&ô\|ý¶˜CRª’ªò1s…FäÚ¶Ã=èÑðƒgØÿ·>Îa×+f'zÔ§ÏíP"R<¼3ß>ò=ðTVóØ€Ñ\‚Ž)!„%¼¥õqm…ˆžäÅ¼Ã<jþÝ8åpáÂç‘¯m>¬Òâ‹à3ÿõ: :]‡¹8çúó«ðÒä%eNO Ãf°îÇÒ+%fÀ#É•{˜ìJÞÎ[^{Ñó†PMùC7«QhÛÿ>ŽƒÞ«ö¿Ûí™±€ƒyµU‚	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
720	sexy me.scr
720	sexy me.scr
720	sexy me.scr
720	sexy me.scr

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4196	sexy me.scr

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 4196	5080	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	81
PID 5080 wrote to memory of 4196	5080	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	81
PID 5080 wrote to memory of 4196	5080	8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe	81
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 0	4196	sexy me.scr
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 4196 wrote to memory of 720	4196	sexy me.scr	82
PID 720 wrote to memory of 2376	720	sexy me.scr	42
PID 720 wrote to memory of 2376	720	sexy me.scr	42
PID 720 wrote to memory of 2376	720	sexy me.scr	42
PID 720 wrote to memory of 2376	720	sexy me.scr	42

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2376
- C:\Users\Admin\AppData\Local\Temp\8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe
  "C:\Users\Admin\AppData\Local\Temp\8c2436625c255ce00d3ab1e532c3579ba515a90058b0e1a81a0e2797433dce68.exe"
  2⤵
  - Checks computer location settings
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Extracted\sexy me.scr
    "C:\Extracted\sexy me.scr" /S
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4196
  - - C:\Extracted\sexy me.scr
      "C:\Extracted\sexy me.scr"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
C:\Extracted\sexy me.scr

Filesize
118KB

MD5
8a074f14f04188be942f3e7f2c8b159c

SHA1
92f31a3401cd7a79dfc8acbb0c257602f168b8e1

SHA256
93cd394cd31766f2d03280aee183d0061ff266d6a09cdad8c045b56f20337694

SHA512
876f27a3beaa7df7ead481a6b4d21ea85e0ad68dc248bae456c11e0a5cad300c250ba52415a8f004eb04d877ae7c72a64ed0578f2493f5b4778e1de6e7af70ec

Download Submit
memory/0-137-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/0-138-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/720-140-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/720-144-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/720-146-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/2376-145-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/4196-143-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing