a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

General

Target

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
Size

1.3MB
MD5

871630d7cd2880715ab79290a09859c7
SHA1

5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391
SHA256

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978
SHA512

f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

4572 winlogon.exe
4596 winlogon.exe
4636 winlogon.exe
424 winlogon.exe

pid	process
4572	winlogon.exe
4596	winlogon.exe
4636	winlogon.exe
424	winlogon.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1696-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1696-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1696-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1696-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1696-144-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4596-154-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4596-158-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 1792 set thread context of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 4572 set thread context of 4596	4572	winlogon.exe	winlogon.exe
PID 4596 set thread context of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 set thread context of 424	4596	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1620 4636 WerFault.exe winlogon.exe
3732 424 WerFault.exe winlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exewinlogon.exe

pid process

1696 a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
4596 winlogon.exe

pid	pid_target	process	target process
1620	4636	WerFault.exe	winlogon.exe
3732	424	WerFault.exe	winlogon.exe

pid	process
1696	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
4596	winlogon.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exea2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 1792 wrote to memory of 1656	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	svchost.exe
PID 1792 wrote to memory of 1656	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	svchost.exe
PID 1792 wrote to memory of 1656	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	svchost.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1792 wrote to memory of 1696	1792	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1696 wrote to memory of 4572	1696	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	winlogon.exe
PID 1696 wrote to memory of 4572	1696	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	winlogon.exe
PID 1696 wrote to memory of 4572	1696	a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe	winlogon.exe
PID 4572 wrote to memory of 4160	4572	winlogon.exe	svchost.exe
PID 4572 wrote to memory of 4160	4572	winlogon.exe	svchost.exe
PID 4572 wrote to memory of 4160	4572	winlogon.exe	svchost.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4572 wrote to memory of 4596	4572	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 4636	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe
PID 4596 wrote to memory of 424	4596	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
"C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
4⤵
PID:4160

C:\Users\Admin\E696D64614\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 12
6⤵
- Program crash
PID:1620

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 12
6⤵
- Program crash
PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4636 -ip 4636
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 424 -ip 424
1⤵
PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.3MB

MD5
871630d7cd2880715ab79290a09859c7

SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391

SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.3MB

MD5
871630d7cd2880715ab79290a09859c7

SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391

SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.3MB

MD5
871630d7cd2880715ab79290a09859c7

SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391

SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.3MB

MD5
871630d7cd2880715ab79290a09859c7

SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391

SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.3MB

MD5
871630d7cd2880715ab79290a09859c7

SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391

SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978

SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9

Download Submit
memory/424-159-0x0000000000000000-mapping.dmp

Download
memory/1656-132-0x0000000000000000-mapping.dmp

Download
memory/1696-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1696-133-0x0000000000000000-mapping.dmp

Download
memory/1696-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4160-145-0x0000000000000000-mapping.dmp

Download
memory/4572-141-0x0000000000000000-mapping.dmp

Download
memory/4596-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4596-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4596-146-0x0000000000000000-mapping.dmp

Download
memory/4636-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads