6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f

General

Target

6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
Size

595KB
MD5

187e823d21f4f97771aaba5317d47470
SHA1

df211400139ee9229a364dd78560bcf119057a8f
SHA256

6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f
SHA512

4d86ba93b158d5e6864485a420e636131a5036b9e06ec376a356b75434303397318749241f80591c6d0c0f502f973908c38d324cf910a87364e70a9409d33f00
SSDEEP

12288:ko0ZjcnNr3So4Ybgob0vSZcVm/IMnfiNAKrCVFcHaaq3J:kPZjcnxh4eIvFMIQ6PrCVkaaq5

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

pndoPx.exe

pid process

5108 pndoPx.exe

pid	process
5108	pndoPx.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1008-139-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1008-141-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1008-142-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

pndoPx.exe

description pid process target process

PID 5108 set thread context of 1008 5108 pndoPx.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3872 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pndoPx.exesvchost.exe

pid process

5108 pndoPx.exe
5108 pndoPx.exe
5108 pndoPx.exe
5108 pndoPx.exe
1008 svchost.exe
1008 svchost.exe

description	pid	process	target process
PID 5108 set thread context of 1008	5108	pndoPx.exe	svchost.exe

pid	process
3872	schtasks.exe

pid	process
5108	pndoPx.exe
5108	pndoPx.exe
5108	pndoPx.exe
5108	pndoPx.exe
1008	svchost.exe
1008	svchost.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe

pid	process
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe

pid	process
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

1008 svchost.exe

pid	process
1008	svchost.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.execmd.exepndoPx.exesvchost.exe

description	pid	process	target process
PID 4056 wrote to memory of 408	4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe	cmd.exe
PID 4056 wrote to memory of 408	4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe	cmd.exe
PID 4056 wrote to memory of 408	4056	6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe	cmd.exe
PID 408 wrote to memory of 5108	408	cmd.exe	pndoPx.exe
PID 408 wrote to memory of 5108	408	cmd.exe	pndoPx.exe
PID 408 wrote to memory of 5108	408	cmd.exe	pndoPx.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 5108 wrote to memory of 1008	5108	pndoPx.exe	svchost.exe
PID 1008 wrote to memory of 1656	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 1656	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 1656	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 3872	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 3872	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 3872	1008	svchost.exe	schtasks.exe
PID 1008 wrote to memory of 3176	1008	svchost.exe	cmd.exe
PID 1008 wrote to memory of 3176	1008	svchost.exe	cmd.exe
PID 1008 wrote to memory of 3176	1008	svchost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe
"C:\Users\Admin\AppData\Local\Temp\6bd85b343bc2343ff626f234b3fd067bb6807503856c90fea0f2916fc5b1ae1f.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pndoPx.exe DVvUBu
2⤵
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\pndoPx.exe
C:\Users\Admin\AppData\Local\Temp\pndoPx.exe DVvUBu
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn WindowsUpdatedvvubu0x8429524
5⤵
PID:1656

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn WindowsUpdatedvvubu0x8429525 /tr "C:\ProgramData\dvvubu\ekGfyO.vbs" /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:3872

C:\Windows\SysWOW64\cmd.exe
cmd /c icacls "C:\ProgramData\dvvubu" /deny %username%:F
5⤵
PID:3176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DVvUBu
Filesize
7KB

MD5
e69f8f378670b6cc5dcef736f7c9d28a

SHA1
14e95c3814424dda20c258805ef8d37ba0faaf4f

SHA256
0a4c04f3ebcc3821fbf4097070946e673e98b88cb41329a73dff93f05f03034e

SHA512
1a7546e6a788924a320b6a06479b9c05ed54f9958f3960ef44359da6774357bb79c612d454c6d67333140a6e53244cef3d133768fc2ff57a9ca4f362c92efcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\pndoPx.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pndoPx.exe
Filesize
510KB

MD5
01d151ccd2a75bd713b8ce81d6509eb8

SHA1
c751680d504bece45dc84e363e9e976fe77a8eac

SHA256
a4d4dbf9e9124dbd055115706f2a2bfc8816b66cc5f52a148602f9fb0203b801

SHA512
8d49a4d97ef38fe5c6bb875d3bc387fade75f9a5d06a494b6a8c9d87840aa3d7cd87343e6aad268a27a9a33390bef7cd8e10d8ebe1df9f7d1ba6a68fe844107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDnAmR.txt
Filesize
235KB

MD5
3ca3ec49e23945af994d0827c7414cad

SHA1
03136628d74327113a439a26b1a1a2c14dcd3383

SHA256
e54ddd16d50cc0e27dab130bc42c8284d01fb46f516bbe60666811f779c8ea50

SHA512
1e6bf8bd668fd95cac3c7f2e09b9cf7abff29a5ae70d58d17291e0f00b0d8c883b3df0a1575e754554243f0c227fdb1d64661eab7b7d3a61b44d1287900afe7f

Download Submit
memory/408-132-0x0000000000000000-mapping.dmp

Download
memory/1008-138-0x0000000000000000-mapping.dmp

Download
memory/1008-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1008-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1008-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1656-145-0x0000000000000000-mapping.dmp

Download
memory/3176-147-0x0000000000000000-mapping.dmp

Download
memory/3872-146-0x0000000000000000-mapping.dmp

Download
memory/5108-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads