88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c

General

Target

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
Size

1.7MB
MD5

6ed097c7478105da712177a6d49d7e70
SHA1

bb4df3e1299b83fa446c7cb641e69594cd11576a
SHA256

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c
SHA512

c45e9db6885efa437ad5ebf8170d8665fd719d43bb7c99d27adc06b9fdbc642d50bdf8edd510a3dd583aeeb1331f5ead028159c3361fb742ad1d93d230a58a83
SSDEEP

24576:xthEVaPqLB/OXA8faoMTRpyikthEVaPqLB/OXA8faoMTRpyiZ:pEVUcwkB3V4EVUcwkB3VZ

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/508-132-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/508-134-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3644-136-0x0000000000400000-0x0000000000516000-memory.dmp	upx
behavioral2/memory/3644-139-0x0000000000400000-0x0000000000516000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/508-134-0x0000000000400000-0x0000000000516000-memory.dmp	autoit_exe
behavioral2/memory/3644-136-0x0000000000400000-0x0000000000516000-memory.dmp	autoit_exe
behavioral2/memory/3644-139-0x0000000000400000-0x0000000000516000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

description	pid	process	target process
PID 3644 set thread context of 4456	3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

pid	process
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

pid	process
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

pid	process
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe

description	pid	process	target process
PID 508 wrote to memory of 3644	508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
PID 508 wrote to memory of 3644	508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
PID 508 wrote to memory of 3644	508	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
PID 3644 wrote to memory of 4456	3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	svchost.exe
PID 3644 wrote to memory of 4456	3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	svchost.exe
PID 3644 wrote to memory of 4456	3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	svchost.exe
PID 3644 wrote to memory of 4456	3644	88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
"C:\Users\Admin\AppData\Local\Temp\88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe
C:\Users\Admin\AppData\Local\Temp\88238b9229cb7ed4864dc3ee37eea6cb8c098419badf807a19045f18167e891c.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\test.a3x"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3644

\??\c:\windows\SysWOW64\svchost.exe
"c:\windows\system32\svchost.exe"
3⤵
PID:4456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\test.a3x

Filesize
397KB

MD5
4e4cddd13c848074c11d4f1d291c6aba

SHA1
53e0002cead55ba20ef6261b1a43967e612fb558

SHA256
4070ad29af1c0328ceec6b7032f2ff7fa94ee4adaead367f32c549d13ebbcf77

SHA512
261bca93ac6b50af8c96b22d74b5a740380516869b3773c5f162924e8825770ebf6b65da83ac578cb592cfe9997bee8433e55648d32c2f2da83297904fbebb76

Download Submit
memory/508-132-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/508-134-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3644-133-0x0000000000000000-mapping.dmp

Download
memory/3644-136-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3644-139-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/4456-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads