261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3

General

Target

261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
Size

608KB
MD5

70c5133b811f507be0eb5602ccdc9320
SHA1

d1a0e0a6cd8c93936d31fb2c2d310b1fe0bf44bb
SHA256

261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3
SHA512

3f99b5b2420930cbb5b0b14830d421e2eb50b3d93807d12c278e98cefde0a4f22fae80bbe2b340481148c690d7bc88df8ee1ea71c3aa5183b9008c51d5d1c518
SSDEEP

6144:MVY0W0sVVZ/dkq5BCoFaJ2i5Lf24C07N5OvSLTUF6pQxI6Upe2cBnTu19bco2KWw:MgDhdkq5BCoC5LfWSLTUQpr2Zu19Q3w

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe IEXPLORER.exe"	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

Disables Task Manager via registry modification
evasion

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/956-55-0x0000000000400000-0x000000000049D000-memory.dmp	upx
behavioral1/memory/956-62-0x0000000000400000-0x000000000049D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\IEXPLORER.exe"	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/956-55-0x0000000000400000-0x000000000049D000-memory.dmp	autoit_exe
behavioral1/memory/956-62-0x0000000000400000-0x000000000049D000-memory.dmp	autoit_exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WORD.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File opened for modification	C:\Windows\SysWOW64\WORD.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File opened for modification	C:\Windows\SysWOW64\autorun.ini	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File created	C:\Windows\SysWOW64\IEXPLORER.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File opened for modification	C:\Windows\SysWOW64\IEXPLORER.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\IEXPLORER.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File opened for modification	C:\Windows\IEXPLORER.exe	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
File created	C:\Windows\setting.ini	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2024	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	27
PID 956 wrote to memory of 2024	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	27
PID 956 wrote to memory of 2024	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	27
PID 956 wrote to memory of 2024	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	27
PID 2024 wrote to memory of 1616	2024	cmd.exe	29
PID 2024 wrote to memory of 1616	2024	cmd.exe	29
PID 2024 wrote to memory of 1616	2024	cmd.exe	29
PID 2024 wrote to memory of 1616	2024	cmd.exe	29
PID 956 wrote to memory of 668	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	30
PID 956 wrote to memory of 668	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	30
PID 956 wrote to memory of 668	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	30
PID 956 wrote to memory of 668	956	261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe	30
PID 668 wrote to memory of 108	668	cmd.exe	32
PID 668 wrote to memory of 108	668	cmd.exe	32
PID 668 wrote to memory of 108	668	cmd.exe	32
PID 668 wrote to memory of 108	668	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe
"C:\Users\Admin\AppData\Local\Temp\261ebe49a3dfaa434c3cb2cd67c39b1b77cb7cfb6e4a7d502b118bc2cc67f6a3.exe"
1⤵
- Modifies WinLogon for persistence
- Disables RegEdit via registry modification
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT /delete /yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\SysWOW64\at.exe
    AT /delete /yes
    3⤵
    PID:1616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\SysWOW64\at.exe
    AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\WORD.exe
    3⤵
    PID:108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/956-55-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/956-62-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads