78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152

General

Target

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
Size

32KB
MD5

2cf817952883313ef3635569720dcbc0
SHA1

eac3afa4e4d0ee2d6a20e3ce8ae54463b7a23179
SHA256

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152
SHA512

bbe72539bdb123bd3337b626bbff6178014ae98556c022197701cbee0edf63a825235882cef4f64022fb4bf2cd6d74e6e4104eb2b4e799821a1fa1d39a8d7d74
SSDEEP

384:zB1jprsW8cCCpKlOIEgKv427jOpBLnzQr6D6GpCwKVw5Dnw:zB1dswKldrKvhCVQGRCwF

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

pxbyz.exepxbyz.exe

pid process

660 pxbyz.exe
1396 pxbyz.exe
Deletes itself 1 IoCs

Processes:

pxbyz.exe

pid process

1396 pxbyz.exe

pid	process
660	pxbyz.exe
1396	pxbyz.exe

pid	process
1396	pxbyz.exe

Loads dropped DLL 3 IoCs

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exepxbyz.exe

pid	process
1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
660	pxbyz.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exepxbyz.exe

description	pid	process	target process
PID 1052 set thread context of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 660 set thread context of 1396	660	pxbyz.exe	pxbyz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exepxbyz.exe

description	pid	process	target process
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1052 wrote to memory of 1452	1052	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
PID 1452 wrote to memory of 660	1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 1452 wrote to memory of 660	1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 1452 wrote to memory of 660	1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 1452 wrote to memory of 660	1452	78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe
PID 660 wrote to memory of 1396	660	pxbyz.exe	pxbyz.exe

C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
"C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1052

C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe
"C:\Users\Admin\AppData\Local\Temp\78f4029a6736d448bd7ad92a0a94754e80dec8a27f0be8f8689ea58210677152.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:660

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
"C:\Users\Admin\AppData\Local\Temp\pxbyz.exe"
4⤵
- Executes dropped EXE
- Deletes itself
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
\Users\Admin\AppData\Local\Temp\pxbyz.exe
Filesize
32KB

MD5
69226fabedfe385c37e17e8cad1baae9

SHA1
7f59758414e1940118fb80133edc993551563d17

SHA256
2d2af37936a64887c9a698aff3de3d6eea3602094f0aac5a22672ee95e3c4938

SHA512
26435e54d7777ab88004d0f21debf411fc7dc7c6e9096f6cbe47930b05f364e63a76b5bf4980a88f2042e0295020997c274ba4a2d89332601def77e65377fb51

Download Submit
memory/660-62-0x0000000000000000-mapping.dmp

Download
memory/660-69-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1052-54-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1052-56-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1452-55-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1452-59-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads