063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c

General

Target

063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe
Size

307KB
MD5

a0f8d2b078ce4c93dcbbef7d231e06cf
SHA1

9a154f7e7332c3e9b2f50b08d73f30abff55c547
SHA256

063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c
SHA512

d08ffb8d21678ea3f5e86db2fc1c51cc1491ed84565356081caeee42b7b627b518660d4598f737ba6b8b9dfa633b2badd91b08f364ef1b62ebf8991f5db9db4d
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2032-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2028-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2032-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 908 set thread context of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 1536	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	17
PID 908 wrote to memory of 1536	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	17
PID 908 wrote to memory of 1536	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	17
PID 908 wrote to memory of 1536	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	17
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23
PID 908 wrote to memory of 2032	908	063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe	23

C:\Users\Admin\AppData\Local\Temp\063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe
"C:\Users\Admin\AppData\Local\Temp\063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1536
- C:\Users\Admin\AppData\Local\Temp\063e2a5a39e6c5c4bfb05866fc927dae5993016dea5f45a207ac41e16404ae4c.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2032

C:\Users\Admin\E696D64614\winlogon.exe
1⤵
PID:2028

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
1⤵
PID:2008

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
1⤵
PID:1828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
24KB

MD5
968ad9faee27b8c360ea7db30bba91cf

SHA1
f54c54d1339c5163d69a5f6ee6caadfeb56cc2a4

SHA256
cc29da193c918918cc03574aa73dedbce8f9591fc94e978ca091561a583160a8

SHA512
3e89ef3b62a24d99c83fb27c49eaac55cea4b79aab361ff22aae08cc43c8d063087a257f5c87a90f6a1d96c65f46554153e12e2358612675bb34dcf90fd959cc

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
43KB

MD5
cb50d3c331da0a5bd28afaa53362d6a4

SHA1
3b712210c96ab2c00f206beedf7092f7db938ef0

SHA256
8d3f21016ceaa71c18db10f107da7f9588e546525fd5d17cd490a280b9bec9f0

SHA512
d6f75888776da98364030e05b4384d70a17766f3fd9e69b777078ca1ac987392fc28acc074bcac0bd8d81bc8d019b9d303c4b0abad5f9b33d63c3494a1c6dfc5

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
32KB

MD5
d1fe62e9ad8a5941f578f3d29bf75393

SHA1
a1cb1284ac73967929abeeaaa54f00a7f81ac050

SHA256
89245346b6afd1d5504732f1cfc975c95fcc290be2f04eabdf0623b2e1eb16ba

SHA512
89df12128d4432e97a3e7e67936ae99012b34ad69ae1706fbf8440cb001a26e6427c87cd6a0b573a22d05a51545b73e6717dbf772a33be1a6f9c6951ab22ade9

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
18KB

MD5
60712f585062fd20d7afe1f055fdf6d6

SHA1
859d7982d917b2b348bf0ee102903b1f12c0be8c

SHA256
8454967c1432f0b94fe4fd596d46fdf3fe58911631226a1cf65d8843d6a58345

SHA512
9150e6a1000664c5517ec3e5dd4e1d024d689c9c6f94018c3c2d84d3b8363938dce8d7bcfb9ae15c1c7cf6d68323fa813bab41820e6e71b15591afa3509cb2b6

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
35KB

MD5
a9c2ac229636305d1b2ecc0d12b05e4c

SHA1
9c43ff86ae0500c24099b8e0557a5110568bdd79

SHA256
504c2f95fd730bc7e5f6f756447db33cee6eba04c13e66dbea252bc7210782cb

SHA512
7920624ca486983298e9df750555c6285536d5f4234cce4021283c78ab6747ae2bf786df204615188b01a66eac513894b4c243488c59075ed97ba0502be0191e

Download Submit
memory/2028-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-66-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/2032-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2032-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing