28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

General

Target

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
Size

1.6MB
MD5

0113e41018d832aba3aaabe664ac4775
SHA1

dfeedb9da14800ebedb5bf051a8387d35f48986c
SHA256

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581
SHA512

e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

400 winlogon.exe
5064 winlogon.exe
1708 winlogon.exe
5024 winlogon.exe

pid	process
400	winlogon.exe
5064	winlogon.exe
1708	winlogon.exe
5024	winlogon.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/848-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/848-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/848-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/848-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5064-153-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4152 set thread context of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 400 set thread context of 5064	400	winlogon.exe	winlogon.exe
PID 5064 set thread context of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 set thread context of 5024	5064	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1296 1708 WerFault.exe winlogon.exe
4624 5024 WerFault.exe winlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exewinlogon.exe

pid process

848 28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
5064 winlogon.exe

pid	pid_target	process	target process
1296	1708	WerFault.exe	winlogon.exe
4624	5024	WerFault.exe	winlogon.exe

pid	process
848	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
5064	winlogon.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4152 wrote to memory of 1368	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	svchost.exe
PID 4152 wrote to memory of 1368	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	svchost.exe
PID 4152 wrote to memory of 1368	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	svchost.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 4152 wrote to memory of 848	4152	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
PID 848 wrote to memory of 400	848	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	winlogon.exe
PID 848 wrote to memory of 400	848	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	winlogon.exe
PID 848 wrote to memory of 400	848	28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe	winlogon.exe
PID 400 wrote to memory of 3600	400	winlogon.exe	svchost.exe
PID 400 wrote to memory of 3600	400	winlogon.exe	svchost.exe
PID 400 wrote to memory of 3600	400	winlogon.exe	svchost.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 400 wrote to memory of 5064	400	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 1708	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe
PID 5064 wrote to memory of 5024	5064	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
"C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
4⤵
PID:3600

C:\Users\Admin\E696D64614\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 12
6⤵
- Program crash
PID:1296

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 12
6⤵
- Program crash
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1708 -ip 1708
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5024 -ip 5024
1⤵
PID:4336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.6MB

MD5
0113e41018d832aba3aaabe664ac4775

SHA1
dfeedb9da14800ebedb5bf051a8387d35f48986c

SHA256
28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

SHA512
e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.6MB

MD5
0113e41018d832aba3aaabe664ac4775

SHA1
dfeedb9da14800ebedb5bf051a8387d35f48986c

SHA256
28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

SHA512
e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.6MB

MD5
0113e41018d832aba3aaabe664ac4775

SHA1
dfeedb9da14800ebedb5bf051a8387d35f48986c

SHA256
28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

SHA512
e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.6MB

MD5
0113e41018d832aba3aaabe664ac4775

SHA1
dfeedb9da14800ebedb5bf051a8387d35f48986c

SHA256
28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

SHA512
e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.6MB

MD5
0113e41018d832aba3aaabe664ac4775

SHA1
dfeedb9da14800ebedb5bf051a8387d35f48986c

SHA256
28555e19770ec1dcc1de1321009b4425ba5ef3c4def46006227d99155fd2f581

SHA512
e5bc1fb426ffd2cceb628425d8c3a5597e2a05e2af15837a0b107ef428243489be0ba62a5c4edda1550430c86f550d676637e802c4af90c3b6aff1f96e37bb9a

Download Submit
memory/400-140-0x0000000000000000-mapping.dmp

Download
memory/848-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/848-133-0x0000000000000000-mapping.dmp

Download
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/1708-154-0x0000000000000000-mapping.dmp

Download
memory/3600-144-0x0000000000000000-mapping.dmp

Download
memory/5024-157-0x0000000000000000-mapping.dmp

Download
memory/5064-153-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5064-145-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads