89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

General

Target

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
Size

224KB
MD5

e2175c209e35f13f45c8d42b9b52b663
SHA1

9c2edc42d5b399f621f6237208b7010babed0d82
SHA256

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269
SHA512

4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

4704 winlogon.exe
3560 winlogon.exe
2488 winlogon.exe
4084 winlogon.exe

pid	process
4704	winlogon.exe
3560	winlogon.exe
2488	winlogon.exe
4084	winlogon.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4924-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4924-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4924-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4924-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4924-145-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3560-154-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4788 set thread context of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4704 set thread context of 3560	4704	winlogon.exe	winlogon.exe
PID 3560 set thread context of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 set thread context of 4084	3560	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5088 2768 WerFault.exe
4236 4084 WerFault.exe winlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exewinlogon.exe

pid process

4924 89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
3560 winlogon.exe

pid	pid_target	process	target process
5088	2768	WerFault.exe
4236	4084	WerFault.exe	winlogon.exe

pid	process
4924	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
3560	winlogon.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 4788 wrote to memory of 4748	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	svchost.exe
PID 4788 wrote to memory of 4748	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	svchost.exe
PID 4788 wrote to memory of 4748	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	svchost.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4788 wrote to memory of 4924	4788	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
PID 4924 wrote to memory of 4704	4924	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	winlogon.exe
PID 4924 wrote to memory of 4704	4924	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	winlogon.exe
PID 4924 wrote to memory of 4704	4924	89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe	winlogon.exe
PID 4704 wrote to memory of 1716	4704	winlogon.exe	svchost.exe
PID 4704 wrote to memory of 1716	4704	winlogon.exe	svchost.exe
PID 4704 wrote to memory of 1716	4704	winlogon.exe	svchost.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 4704 wrote to memory of 3560	4704	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 2488	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe
PID 3560 wrote to memory of 4084	3560	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
"C:\Users\Admin\AppData\Local\Temp\89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
2⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
4⤵
PID:1716

C:\Users\Admin\E696D64614\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3560

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:2488

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 12
6⤵
- Program crash
PID:4236

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 2768 -ip 2768
1⤵
PID:4440

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2768 -s 1740
1⤵
- Program crash
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2488 -ip 2488
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4084 -ip 4084
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe
Filesize
224KB

MD5
e2175c209e35f13f45c8d42b9b52b663

SHA1
9c2edc42d5b399f621f6237208b7010babed0d82

SHA256
89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

SHA512
4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
224KB

MD5
e2175c209e35f13f45c8d42b9b52b663

SHA1
9c2edc42d5b399f621f6237208b7010babed0d82

SHA256
89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

SHA512
4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
224KB

MD5
e2175c209e35f13f45c8d42b9b52b663

SHA1
9c2edc42d5b399f621f6237208b7010babed0d82

SHA256
89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

SHA512
4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
224KB

MD5
e2175c209e35f13f45c8d42b9b52b663

SHA1
9c2edc42d5b399f621f6237208b7010babed0d82

SHA256
89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

SHA512
4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
224KB

MD5
e2175c209e35f13f45c8d42b9b52b663

SHA1
9c2edc42d5b399f621f6237208b7010babed0d82

SHA256
89060004c00d55394058a8e4a7221f90f5b66d1d62e04fc2de260bdf50b0a269

SHA512
4c9e4babb3060cdc2e51cf32413e43e930520370e5cc1597e6fb1932e7bb0d535cb0e9386118d816028f004613b1e0938864d06690dd0ef0b9fbf6ef3984e0be

Download Submit
memory/1716-144-0x0000000000000000-mapping.dmp

Download
memory/2488-155-0x0000000000000000-mapping.dmp

Download
memory/3560-146-0x0000000000000000-mapping.dmp

Download
memory/3560-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4084-158-0x0000000000000000-mapping.dmp

Download
memory/4704-141-0x0000000000000000-mapping.dmp

Download
memory/4748-132-0x0000000000000000-mapping.dmp

Download
memory/4924-145-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4924-133-0x0000000000000000-mapping.dmp

Download
memory/4924-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4924-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4924-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4924-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads