8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6

General

Target

8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
Size

625KB
MD5

c8d42fe6d12f6986472edb3eac79d87d
SHA1

9b226951eac072fef165ffb407b9128e4afba0ac
SHA256

8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6
SHA512

52b4081f60959dbaeaade37aa7dfeded375e8ae019ecc77247cf0536075a0de4a348a8c6f2e9fc159730c1ebb60b786c9b264240f438ab8eecfc3521adde27e1
SSDEEP

12288:76Wq4aaE6KwyF5L0Y2D1PqLff5u/Vkgftg3oTQjInBnWwG:hthEVaPqLMVN+EBhG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1624	se.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/892-57-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/1208-60-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1208-63-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/940-66-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral1/memory/1208-62-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1208-67-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1208-68-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/memory/1208-71-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral1/files/0x000b000000012308-72.dat	upx
behavioral1/memory/1208-82-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Loads dropped DLL 2 IoCs

pid	Process
1208	svchost.exe
1208	svchost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\SoundDriver\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\javaw = "C:\\Users\\Admin\\AppData\\Roaming\\javaw.exe"	se.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/892-57-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral1/memory/940-66-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 940 set thread context of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1208	svchost.exe
1208	svchost.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1208	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 940	892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	28
PID 892 wrote to memory of 940	892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	28
PID 892 wrote to memory of 940	892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	28
PID 892 wrote to memory of 940	892	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	28
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 940 wrote to memory of 1208	940	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	29
PID 1208 wrote to memory of 1624	1208	svchost.exe	31
PID 1208 wrote to memory of 1624	1208	svchost.exe	31
PID 1208 wrote to memory of 1624	1208	svchost.exe	31
PID 1208 wrote to memory of 1624	1208	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
"C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
  C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:940
- - \??\c:\windows\SysWOW64\svchost.exe
    "c:\windows\system32\svchost.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\se.exe
      "C:\Users\Admin\AppData\Local\Temp\se.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.bin

Filesize
156KB

MD5
f1c380eac1b04a186d53f2d413f3d9b2

SHA1
9e9ec15fd0061cbcdb290a5ae007398d0c38d4e7

SHA256
2358aec62d0715b82412cc2c9b48e922f1f20f46f806febe2778f1ee0b82921e

SHA512
d0adf85b9a0eb4642d2a5182a21b917dfb0b69d25ab8e68160b551bda0934ef72cd39920cf13107d15a500d49779c573e5de155f863a9650deabb5e3629dfd8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.png

Filesize
625KB

MD5
c8d42fe6d12f6986472edb3eac79d87d

SHA1
9b226951eac072fef165ffb407b9128e4afba0ac

SHA256
8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6

SHA512
52b4081f60959dbaeaade37aa7dfeded375e8ae019ecc77247cf0536075a0de4a348a8c6f2e9fc159730c1ebb60b786c9b264240f438ab8eecfc3521adde27e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
memory/892-57-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/892-54-0x0000000075521000-0x0000000075523000-memory.dmp

Filesize
8KB

Download
memory/940-55-0x0000000000000000-mapping.dmp

Download
memory/940-66-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1208-63-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-71-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-64-0x0000000000460100-mapping.dmp

Download
memory/1208-82-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-68-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1208-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1624-79-0x000007FEF40A0000-0x000007FEF4AC3000-memory.dmp

Filesize
10.1MB

Download
memory/1624-80-0x000007FEF2DC0000-0x000007FEF3E56000-memory.dmp

Filesize
16.6MB

Download
memory/1624-81-0x0000000000A76000-0x0000000000A95000-memory.dmp

Filesize
124KB

Download
memory/1624-76-0x0000000000000000-mapping.dmp

Download
memory/1624-83-0x0000000000A76000-0x0000000000A95000-memory.dmp

Filesize
124KB

Download
memory/1624-84-0x000007FEFBA81000-0x000007FEFBA83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing