6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191

General

Target

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe
Size

22KB
MD5

ce17d920e84a8704c311f814ba980421
SHA1

755c5beb7a15dd3a6d5eb6a5cf6f1326e3dcafa9
SHA256

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191
SHA512

daee1137e0c510d848f9fb7ef0b81ad3bfc6399ee4d95ee33584409b2c6f3ac383b86258d36dde7e801c6af9cce6862050c5c6086e0125be3398d21bce7c722e
SSDEEP

384:rIiV728hUQ7Y2P/cVEccDdye7kjlWLe7grPiA8jyrMPhTjanbBoZSuniaNJawcuQ:rRGuY2P0Vo6r7SiAwyrMRjbgKnbcuyDw

Score

8^/10

evasion upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

cmd.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts.ics	cmd.exe
File created	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

1976 attrib.exe
1992 attrib.exe
1968 attrib.exe
1980 attrib.exe

pid	process
1976	attrib.exe
1992	attrib.exe
1968	attrib.exe
1980	attrib.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1372-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1372-66-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.execmd.exe

description	pid	process	target process
PID 1372 wrote to memory of 1448	1372	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1372 wrote to memory of 1448	1372	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1372 wrote to memory of 1448	1372	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1372 wrote to memory of 1448	1372	6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe	cmd.exe
PID 1448 wrote to memory of 2000	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2000	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2000	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2000	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 948	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 948	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 948	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 948	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1928	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1928	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1928	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1928	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1976	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1992	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1992	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1992	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1992	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1968	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1968	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1968	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1968	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	attrib.exe
PID 1448 wrote to memory of 1980	1448	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1928 attrib.exe
1976 attrib.exe
1992 attrib.exe
1968 attrib.exe
1980 attrib.exe
2000 attrib.exe
2012 attrib.exe
948 attrib.exe

pid	process
1928	attrib.exe
1976	attrib.exe
1992	attrib.exe
1968	attrib.exe
1980	attrib.exe
2000	attrib.exe
2012	attrib.exe
948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe
"C:\Users\Admin\AppData\Local\Temp\6a50ec0f1b62a9af3b5d8f387cb228be0c23a81f63ac1ede0c340b077e187191.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F068.tmp\encrypt.bat" "
2⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
3⤵
- Views/modifies file attributes
PID:2000

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
3⤵
- Views/modifies file attributes
PID:2012

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts -r -s -h
3⤵
- Views/modifies file attributes
PID:948

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics -r -s -h
3⤵
- Views/modifies file attributes
PID:1928

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1976

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1992

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1968

C:\Windows\SysWOW64\attrib.exe
attrib C:\Windows\system32\drivers\etc\hosts.ics +r +s +h
3⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

2

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

2

T1158

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F068.tmp\encrypt.bat

Filesize
13KB

MD5
d57e330a794766ec0ff5c9d766f59519

SHA1
fa535aae290ad5b44f9a91eb001ad5e164d1f01c

SHA256
eed45a63e3b37916d9cf90fafe088022c14c701e844701e81688f4f0e8c19ace

SHA512
718e6eefa237edceb049aba6d3f598d0e326988edce8bddd09e3e5e36f22250676517d204b6a80e6bd91cd71ccfc830f60f4221ed3fc8c934b7ae9471431842f

Download Submit
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/1372-66-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1372-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1448-55-0x0000000000000000-mapping.dmp

Download
memory/1928-60-0x0000000000000000-mapping.dmp

Download
memory/1968-64-0x0000000000000000-mapping.dmp

Download
memory/1976-62-0x0000000000000000-mapping.dmp

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/1992-63-0x0000000000000000-mapping.dmp

Download
memory/2000-57-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads