85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

General

Target

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
Size

1.0MB
MD5

516a264d8e43a5ddd5353693b300e4d5
SHA1

d45b6b317c1eb73872fd4c1ea73d714e4b2ee040
SHA256

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042
SHA512

c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61
SSDEEP

1536:SNIkp2IdtEo1gbsSklrZWNXuQHPGrQ+wEaYNyZf/3Qcn6aNirob1e4p24JMdWqhM:9YvEo13SklFWNVerQ+KMspBMgX24iE

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exe

pid process

3724 winlogon.exe
2060 winlogon.exe
2328 winlogon.exe

pid	process
3724	winlogon.exe
2060	winlogon.exe
2328	winlogon.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1660-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2364-136-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/1660-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1660-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1660-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\E696D64614\winlogon.exe	upx
behavioral2/memory/1660-145-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\E696D64614\winlogon.exe	upx
C:\Users\Admin\E696D64614\winlogon.exe	upx
behavioral2/memory/3724-150-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/2060-156-0x0000000000400000-0x000000000041C000-memory.dmp	upx
C:\Users\Admin\E696D64614\winlogon.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 2364 set thread context of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 3724 set thread context of 2060	3724	winlogon.exe	winlogon.exe
PID 2060 set thread context of 2328	2060	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2816 2328 WerFault.exe winlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exe

pid process

1660 85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
2060 winlogon.exe

pid	pid_target	process	target process
2816	2328	WerFault.exe	winlogon.exe

pid	process
1660	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
2060	winlogon.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 2364 wrote to memory of 1796	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	svchost.exe
PID 2364 wrote to memory of 1796	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	svchost.exe
PID 2364 wrote to memory of 1796	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	svchost.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 2364 wrote to memory of 1660	2364	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
PID 1660 wrote to memory of 3724	1660	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	winlogon.exe
PID 1660 wrote to memory of 3724	1660	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	winlogon.exe
PID 1660 wrote to memory of 3724	1660	85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe	winlogon.exe
PID 3724 wrote to memory of 4464	3724	winlogon.exe	svchost.exe
PID 3724 wrote to memory of 4464	3724	winlogon.exe	svchost.exe
PID 3724 wrote to memory of 4464	3724	winlogon.exe	svchost.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 3724 wrote to memory of 2060	3724	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe
PID 2060 wrote to memory of 2328	2060	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
"C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
2⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
4⤵
PID:4464

C:\Users\Admin\E696D64614\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:2328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 12
6⤵
- Program crash
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2328 -ip 2328
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.0MB

MD5
516a264d8e43a5ddd5353693b300e4d5

SHA1
d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

SHA256
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

SHA512
c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.0MB

MD5
516a264d8e43a5ddd5353693b300e4d5

SHA1
d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

SHA256
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

SHA512
c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.0MB

MD5
516a264d8e43a5ddd5353693b300e4d5

SHA1
d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

SHA256
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

SHA512
c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.0MB

MD5
516a264d8e43a5ddd5353693b300e4d5

SHA1
d45b6b317c1eb73872fd4c1ea73d714e4b2ee040

SHA256
85ed2a26c7f272a5abc232f3027fb2f2898e7fca5a23c921d91bcecff16f7042

SHA512
c05d08f51dc0454a682ea4ebdd56bd4e6b8f5d9763fb69c7dfc7058e416ede6d6ac86160027dccda5134b05ef3eed0fe3b9fc3096fdfb0238259fce806d7ed61

Download Submit
memory/1660-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-133-0x0000000000000000-mapping.dmp

Download
memory/1660-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1660-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1796-132-0x0000000000000000-mapping.dmp

Download
memory/2060-156-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2060-147-0x0000000000000000-mapping.dmp

Download
memory/2328-157-0x0000000000000000-mapping.dmp

Download
memory/2364-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3724-142-0x0000000000000000-mapping.dmp

Download
memory/3724-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4464-146-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads