e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371

General

Target

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
Size

114KB
MD5

01ee180c315d0f6fa41f20a1f3ed33f0
SHA1

b8fc4a4197a23703e0063ad4ad51b734687803d6
SHA256

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371
SHA512

1180e29d757d683661617388507f044b94ca07838dc4e0d6d7caff75bf6ec655743383b12b87458fbe0ac85ef5132783c480f43bccc016db88cd89e064f1caa2
SSDEEP

1536:P7L0gUavuPbzRUSdxRWs+LM2GjbQwTxrPwhwF9gukRuY5Q:TIg7vuzzQM1QwVPw4gukRua

Score

8^/10

persistence upx vmprotect

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1872-55-0x0000000000400000-0x000000000041E000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files\Monday.ime	vmprotect
\Program Files\Monday.ime	vmprotect

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1452 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

1504 rundll32.exe
1504 rundll32.exe

pid	process
1452	cmd.exe

pid	process
1504	rundll32.exe
1504	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sfcos.dll	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Windows\SysWOW64\systemp	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

Drops file in Program Files directory 6 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

description	ioc	process
File created	C:\Program Files\Tuesday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Wednesday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Sunday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\taskmgr.upx	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File opened for modification	C:\Program Files\Saturday	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Monday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1336 1504 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exe

pid process

1504 rundll32.exe
1504 rundll32.exe
1504 rundll32.exe

pid	pid_target	process	target process
1336	1504	WerFault.exe	rundll32.exe

pid	process
1504	rundll32.exe
1504	rundll32.exe
1504	rundll32.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.execmd.exerundll32.exe

description	pid	process	target process
PID 1872 wrote to memory of 1896	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 1872 wrote to memory of 1896	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 1872 wrote to memory of 1896	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 1872 wrote to memory of 1896	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 1872 wrote to memory of 1452	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 1872 wrote to memory of 1452	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 1872 wrote to memory of 1452	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 1872 wrote to memory of 1452	1872	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1452 wrote to memory of 1504	1452	cmd.exe	rundll32.exe
PID 1504 wrote to memory of 1336	1504	rundll32.exe	WerFault.exe
PID 1504 wrote to memory of 1336	1504	rundll32.exe	WerFault.exe
PID 1504 wrote to memory of 1336	1504	rundll32.exe	WerFault.exe
PID 1504 wrote to memory of 1336	1504	rundll32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
"C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\sfc.exe
"C:\Windows\system32\sfc.exe" /REVERT
2⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\del.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Monday.ime",Runed
3⤵
- Loads dropped DLL
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 260
4⤵
- Program crash
PID:1336

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Monday.ime
Filesize
23KB

MD5
58040443232918af2ff04a8bd82cdac0

SHA1
30e6fc2f3ec0de36a8c67d943c6771034177617e

SHA256
cce7e85cea31c7277d5dd5199db69a7be3754477a342500bb5e6b8c88f8b4cb7

SHA512
acf3a69b0fef4724cac660e16206cd4056565b3ad901a63c639d22b72c15f5bd784af3bd629543d6f05a5de14b78cf95bb77d62671f0295d813061a6463059ca

Download Submit
C:\Windows\SysWOW64\sfcos.dll
Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
C:\Windows\SysWOW64\systemp
Filesize
4KB

MD5
390a723071ff83760f669d65bade0ad6

SHA1
e9a07e9a91708634ea986ca31c6471b75402a3ae

SHA256
50ed8f234a125b1e1430923e2d29afb241e965eb4edf36f41cea56032c8009b0

SHA512
a44d5e2f74b0692ec10209c675de0e1c82c147d9887011a848a80d123349b61db9df00b209a0323ee27d1c7ea6ae525cef1790b792a6fb9f46188b13ae8eca33

Download Submit
\??\c:\del.bat
Filesize
306B

MD5
32b9b10b9ffa6974224679a874b68d4c

SHA1
94a74f48607091435597b4a858128dcdd529f1c7

SHA256
d6844f99a80f339e1a2f5aaf4a76a9f7f6918232c723c7573c21482cb48eb8f9

SHA512
bfe076475ca5791ee99602b36b8d15cec8c20e5c6bf1cff8901894677a187046b11d80d128ad4df2d896eaf90c8514b045971535b5e6cf8dc3dd41020b56d24c

Download Submit
\Program Files\Monday.ime
Filesize
23KB

MD5
58040443232918af2ff04a8bd82cdac0

SHA1
30e6fc2f3ec0de36a8c67d943c6771034177617e

SHA256
cce7e85cea31c7277d5dd5199db69a7be3754477a342500bb5e6b8c88f8b4cb7

SHA512
acf3a69b0fef4724cac660e16206cd4056565b3ad901a63c639d22b72c15f5bd784af3bd629543d6f05a5de14b78cf95bb77d62671f0295d813061a6463059ca

Download Submit
\Windows\SysWOW64\sfcos.dll
Filesize
40KB

MD5
84799328d87b3091a3bdd251e1ad31f9

SHA1
64dbbe8210049f4d762de22525a7fe4313bf99d0

SHA256
f85521215924388830dbb13580688db70b46af4c7d82d549d09086438f8d237b

SHA512
0a9401c9c687f0edca01258c7920596408934caa21e5392dbaefc222c5c021255a40ec7c114a805cdb7f5a6153ec9fa9592edcc9e45406ce5612aa4e3da6a2c4

Download Submit
memory/1336-66-0x0000000000000000-mapping.dmp

Download
memory/1452-57-0x0000000000000000-mapping.dmp

Download
memory/1504-59-0x0000000000000000-mapping.dmp

Download
memory/1872-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1872-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1896-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads