8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6

General

Target

8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
Size

625KB
MD5

c8d42fe6d12f6986472edb3eac79d87d
SHA1

9b226951eac072fef165ffb407b9128e4afba0ac
SHA256

8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6
SHA512

52b4081f60959dbaeaade37aa7dfeded375e8ae019ecc77247cf0536075a0de4a348a8c6f2e9fc159730c1ebb60b786c9b264240f438ab8eecfc3521adde27e1
SSDEEP

12288:76Wq4aaE6KwyF5L0Y2D1PqLff5u/Vkgftg3oTQjInBnWwG:hthEVaPqLMVN+EBhG

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4836	se.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3856-132-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral2/memory/3856-135-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral2/memory/1028-136-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral2/memory/5116-138-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/5116-141-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/1028-140-0x0000000000400000-0x0000000000518000-memory.dmp	upx
behavioral2/memory/5116-142-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/files/0x0003000000022ddb-145.dat	upx
behavioral2/memory/5116-146-0x0000000000400000-0x0000000000462000-memory.dmp	upx
behavioral2/memory/5116-151-0x0000000000400000-0x0000000000462000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\ProgramData\\SoundDriver\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaw = "C:\\Users\\Admin\\AppData\\Roaming\\javaw.exe"	se.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3856-135-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral2/memory/1028-136-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe
behavioral2/memory/1028-140-0x0000000000400000-0x0000000000518000-memory.dmp	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1028 set thread context of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe
5116	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	se.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5116	svchost.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 1028	3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	81
PID 3856 wrote to memory of 1028	3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	81
PID 3856 wrote to memory of 1028	3856	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	81
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 1028 wrote to memory of 5116	1028	8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe	82
PID 5116 wrote to memory of 4836	5116	svchost.exe	83
PID 5116 wrote to memory of 4836	5116	svchost.exe	83

C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
"C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe
  C:\Users\Admin\AppData\Local\Temp\8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6.exe /AutoIt3ExecuteScript "C:\Users\Admin\AppData\Local\Temp\data.bin"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1028
- - \??\c:\windows\SysWOW64\svchost.exe
    "c:\windows\system32\svchost.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\se.exe
      "C:\Users\Admin\AppData\Local\Temp\se.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      PID:4836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data.bin

Filesize
217KB

MD5
03caf4324832d673d4566062d35e3b30

SHA1
8811c8e130e781e405874a94f6d62ef3dbbbf41f

SHA256
ee4303bf97990099dbad4d74ac7f3fc02ecca5e3fe3cbf8bd89aea6b2534ff96

SHA512
6719a5b818f9cbebf1d5544eff20af29fa6a386c62fd3d8d947404645e5c1c83afff8ecdaa73e9ac67ff8bfe09e7bfcd5319079bbb142a1c82c6acc269742da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\image.png

Filesize
625KB

MD5
c8d42fe6d12f6986472edb3eac79d87d

SHA1
9b226951eac072fef165ffb407b9128e4afba0ac

SHA256
8635c3bbd1bcee2257776708522a9c8291b54b72a2909ba7c25b7f905a84dbf6

SHA512
52b4081f60959dbaeaade37aa7dfeded375e8ae019ecc77247cf0536075a0de4a348a8c6f2e9fc159730c1ebb60b786c9b264240f438ab8eecfc3521adde27e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\se.exe

Filesize
22KB

MD5
cb31ff12b5e18053e1f03df35263eadc

SHA1
1632024c7fa4a9e467a8b4fa0d007376a160dce5

SHA256
740100492e27615921fc3e23c3faa98771ab4085de0f557d1c0d4de5400caa6c

SHA512
a0fe0a4bc8b2b3c1b8ed7ad07ce999b340ab7d94e797e13c777b82d764324f5b6a3423d14f3b74820ea3f392c7496945c93ed4ba800e0085568eceee4eda6e52

Download Submit
memory/1028-140-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/1028-136-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3856-132-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/3856-135-0x0000000000400000-0x0000000000518000-memory.dmp

Filesize
1.1MB

Download
memory/4836-150-0x00007FF946E30000-0x00007FF947866000-memory.dmp

Filesize
10.2MB

Download
memory/5116-138-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5116-141-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5116-142-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5116-146-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5116-151-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing