60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

General

Target

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
Size

1.4MB
MD5

cc12ec67eab006a43338a10951daa7bb
SHA1

72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
SHA256

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
SHA512

24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid process

4808 winlogon.exe
1004 winlogon.exe
3740 winlogon.exe
3812 winlogon.exe

pid	process
4808	winlogon.exe
1004	winlogon.exe
3740	winlogon.exe
3812	winlogon.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4696-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4696-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4696-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4696-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4696-144-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1004-154-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1004-158-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 2140 set thread context of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 4808 set thread context of 1004	4808	winlogon.exe	winlogon.exe
PID 1004 set thread context of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 set thread context of 3812	1004	winlogon.exe	winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3472 3740 WerFault.exe winlogon.exe
3600 3812 WerFault.exe winlogon.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exewinlogon.exe

pid process

4696 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
1004 winlogon.exe

pid	pid_target	process	target process
3472	3740	WerFault.exe	winlogon.exe
3600	3812	WerFault.exe	winlogon.exe

pid	process
4696	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
1004	winlogon.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exewinlogon.exewinlogon.exe

description	pid	process	target process
PID 2140 wrote to memory of 1396	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	svchost.exe
PID 2140 wrote to memory of 1396	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	svchost.exe
PID 2140 wrote to memory of 1396	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	svchost.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2140 wrote to memory of 4696	2140	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 4696 wrote to memory of 4808	4696	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	winlogon.exe
PID 4696 wrote to memory of 4808	4696	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	winlogon.exe
PID 4696 wrote to memory of 4808	4696	60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe	winlogon.exe
PID 4808 wrote to memory of 3404	4808	winlogon.exe	svchost.exe
PID 4808 wrote to memory of 3404	4808	winlogon.exe	svchost.exe
PID 4808 wrote to memory of 3404	4808	winlogon.exe	svchost.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 4808 wrote to memory of 1004	4808	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3740	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe
PID 1004 wrote to memory of 3812	1004	winlogon.exe	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
"C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\\svchost.exe
4⤵
PID:3404

C:\Users\Admin\E696D64614\winlogon.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1004

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:3740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3740 -s 12
6⤵
- Program crash
PID:3472

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
5⤵
- Executes dropped EXE
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 12
6⤵
- Program crash
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3740 -ip 3740
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3812 -ip 3812
1⤵
PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.4MB

MD5
cc12ec67eab006a43338a10951daa7bb

SHA1
72ef2f5b4572d1efa8d7c0f29be89e4873e8c541

SHA256
60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

SHA512
24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.4MB

MD5
cc12ec67eab006a43338a10951daa7bb

SHA1
72ef2f5b4572d1efa8d7c0f29be89e4873e8c541

SHA256
60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

SHA512
24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.4MB

MD5
cc12ec67eab006a43338a10951daa7bb

SHA1
72ef2f5b4572d1efa8d7c0f29be89e4873e8c541

SHA256
60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

SHA512
24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.4MB

MD5
cc12ec67eab006a43338a10951daa7bb

SHA1
72ef2f5b4572d1efa8d7c0f29be89e4873e8c541

SHA256
60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

SHA512
24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe
Filesize
1.4MB

MD5
cc12ec67eab006a43338a10951daa7bb

SHA1
72ef2f5b4572d1efa8d7c0f29be89e4873e8c541

SHA256
60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece

SHA512
24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac

Download Submit
memory/1004-146-0x0000000000000000-mapping.dmp

Download
memory/1004-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-158-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1396-132-0x0000000000000000-mapping.dmp

Download
memory/3404-145-0x0000000000000000-mapping.dmp

Download
memory/3740-155-0x0000000000000000-mapping.dmp

Download
memory/3812-159-0x0000000000000000-mapping.dmp

Download
memory/4696-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4696-133-0x0000000000000000-mapping.dmp

Download
memory/4808-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads