92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

General

Target

92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
Size

31KB
MD5

2013d8787778ff3903f5ae99f493d820
SHA1

33ad06da1ef8d3b92236f98d2eed5b99edf98814
SHA256

92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507
SHA512

3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d
SSDEEP

768:CKJp4N3U/FzRl8asEC5Ys11avtzEeQ2/xqG7zEKFXyK0ee:C0p4N3U/Ftl8+CHcv1EeqG7zfFXu

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1508	sysmgr.exe
1312	sysmgr.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1196-56-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1196-60-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1196-61-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1196-66-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1312-77-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral1/memory/1312-79-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
1508	sysmgr.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft(R) System Manager = "C:\\Windows\\system32\\sysmgr.exe"	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcrt2.dll	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
File created	C:\Windows\SysWOW64\sysmgr.exe	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1976 set thread context of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1508 set thread context of 1312	1508	sysmgr.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1976 wrote to memory of 1196	1976	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	27
PID 1196 wrote to memory of 1508	1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	28
PID 1196 wrote to memory of 1508	1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	28
PID 1196 wrote to memory of 1508	1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	28
PID 1196 wrote to memory of 1508	1196	92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe	28
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29
PID 1508 wrote to memory of 1312	1508	sysmgr.exe	29

C:\Users\Admin\AppData\Local\Temp\92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
"C:\Users\Admin\AppData\Local\Temp\92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
  C:\Users\Admin\AppData\Local\Temp\92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\sysmgr.exe
    "C:\Windows\system32\sysmgr.exe" del "C:\Users\Admin\AppData\Local\Temp\92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\sysmgr.exe
      C:\Windows\SysWOW64\sysmgr.exe
      4⤵
      Executes dropped EXE
      PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msvcrt2.dll

Filesize
100KB

MD5
789f6f486ab3106fd67429c0701b239e

SHA1
e4c25d2ef39208e1f6e32dfb2d81252031678ae8

SHA256
b7ee423c5a358599f9880d842ca15ac50a03585f8408448012f135bb3d3d1697

SHA512
16a0c0543a40f97c4885bcc6a9f169914dcacf6ac02d2f8d88c1524e77809a03c224304303b5d7cb21336f1617a2b728c980dcd45582204bacdc8b749f76e98e

Download Submit
C:\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
C:\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
C:\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
\Windows\SysWOW64\sysmgr.exe

Filesize
31KB

MD5
2013d8787778ff3903f5ae99f493d820

SHA1
33ad06da1ef8d3b92236f98d2eed5b99edf98814

SHA256
92207fc60af6aad829279d392c19ddeff552f644430a7a0d2481c34e79795507

SHA512
3d83e94839af4d26088e63ed9e5a9ece02f6c8bf2217b74990da6c71efb32579225101e6d3267a123e7f38906ac0d14c979dbfa67929ffa4d2d8f747d54e0f2d

Download Submit
memory/1196-60-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-66-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-61-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1196-59-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1196-56-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1312-77-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1312-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing