5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd

General

Target

5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
Size

40KB
MD5

21d84c36f184858f92b07e4724e6c572
SHA1

cf2dec22a900a54f180322d4a34986092e7f1cbf
SHA256

5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd
SHA512

1d3e59129047dc06f36135e081fe940c90ac3fe4876ec8193f83b0cb059a4a73392e22a8cae0b3a045300d89762deba247777acef6770e68b083d5eca2273b20
SSDEEP

768:QVdWemzlLOPoUdCgDj+/1x1FSLDLRUNQNIwewoFMQQJj7gKn:+dGFO0yj+/bODLRHQMQsj7g

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/872-54-0x0000000000400000-0x000000000041D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

628 cmd.exe

pid	process
628	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\WINSXS32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe"	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe

description	pid	process	target process
PID 872 set thread context of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe

description	pid	process	target process
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 872 wrote to memory of 672	872	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
PID 672 wrote to memory of 628	672	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	cmd.exe
PID 672 wrote to memory of 628	672	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	cmd.exe
PID 672 wrote to memory of 628	672	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	cmd.exe
PID 672 wrote to memory of 628	672	5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
"C:\Users\Admin\AppData\Local\Temp\5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe
  "C:\Users\Admin\AppData\Local\Temp\5e915727ef2f2087839f8c013fe8b85be8dc0668d5d51d465c9d864a50d0e4cd.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\UNIDD7.tmp.bat" "
    3⤵
    - Deletes itself
    PID:628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UNIDD7.tmp.bat

Filesize
324B

MD5
f73026bc8d208ece687f4409d59dd0da

SHA1
19f18abfa1f0b3935e99d6b23e55674c96e853a6

SHA256
425fd6b9997512c4c1d40dba9fe97d47ca4bfa00eb11cc926d3ceb2ac741e212

SHA512
94cd28c01a46aa207f7859052a88154d55a709fd13aebd468bce5ca83fb238687c27c5ab84130f7318c48bbed0f2ecbb96fa0a0278431b07e4b9210d3fa3fa1a

Download Submit
memory/628-66-0x0000000000000000-mapping.dmp

Download
memory/672-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-58-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-59-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-60-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-61-0x00000000004016F0-mapping.dmp

Download
memory/672-63-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/672-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/672-65-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/872-54-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads