e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371

General

Target

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
Size

114KB
MD5

01ee180c315d0f6fa41f20a1f3ed33f0
SHA1

b8fc4a4197a23703e0063ad4ad51b734687803d6
SHA256

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371
SHA512

1180e29d757d683661617388507f044b94ca07838dc4e0d6d7caff75bf6ec655743383b12b87458fbe0ac85ef5132783c480f43bccc016db88cd89e064f1caa2
SSDEEP

1536:P7L0gUavuPbzRUSdxRWs+LM2GjbQwTxrPwhwF9gukRuY5Q:TIg7vuzzQM1QwVPw4gukRua

Score

8^/10

persistence upx vmprotect

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4040-132-0x0000000000400000-0x000000000041E000-memory.dmp	upx

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Program Files\Monday.ime	vmprotect
C:\Program Files\Monday.ime	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

4828 rundll32.exe
4828 rundll32.exe

pid	process
4828	rundll32.exe
4828	rundll32.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable = "4294967197"	rundll32.exe

Drops file in System32 directory 3 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

description	ioc	process
File created	C:\Windows\SysWOW64\systemp	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Windows\SysWOW64\sfcos.dll	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File opened for modification	C:\Windows\SysWOW64\sfcos.dll	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

Drops file in Program Files directory 6 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

description	ioc	process
File created	C:\Program Files\Monday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Tuesday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Wednesday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\Sunday.ime	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File created	C:\Program Files\taskmgr.upx	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
File opened for modification	C:\Program Files\Saturday	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

392 4828 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

rundll32.exe

pid process

4828 rundll32.exe
4828 rundll32.exe
4828 rundll32.exe
4828 rundll32.exe
4828 rundll32.exe
4828 rundll32.exe

pid	pid_target	process	target process
392	4828	WerFault.exe	rundll32.exe

pid	process
4828	rundll32.exe
4828	rundll32.exe
4828	rundll32.exe
4828	rundll32.exe
4828	rundll32.exe
4828	rundll32.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.execmd.exe

description	pid	process	target process
PID 4040 wrote to memory of 4388	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 4040 wrote to memory of 4388	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 4040 wrote to memory of 4388	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	sfc.exe
PID 4040 wrote to memory of 4628	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 4040 wrote to memory of 4628	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 4040 wrote to memory of 4628	4040	e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe	cmd.exe
PID 4628 wrote to memory of 4828	4628	cmd.exe	rundll32.exe
PID 4628 wrote to memory of 4828	4628	cmd.exe	rundll32.exe
PID 4628 wrote to memory of 4828	4628	cmd.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe
"C:\Users\Admin\AppData\Local\Temp\e0207a9257e33ccd5fa9816be1c47628b69e61ce7d83880434005dbd9c257371.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\sfc.exe
"C:\Windows\system32\sfc.exe" /REVERT
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\del.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Program Files\Monday.ime",Runed
3⤵
- Loads dropped DLL
- Modifies WinLogon
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 672
4⤵
- Program crash
PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4828 -ip 4828
1⤵
PID:3772

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Monday.ime
Filesize
23KB

MD5
58040443232918af2ff04a8bd82cdac0

SHA1
30e6fc2f3ec0de36a8c67d943c6771034177617e

SHA256
cce7e85cea31c7277d5dd5199db69a7be3754477a342500bb5e6b8c88f8b4cb7

SHA512
acf3a69b0fef4724cac660e16206cd4056565b3ad901a63c639d22b72c15f5bd784af3bd629543d6f05a5de14b78cf95bb77d62671f0295d813061a6463059ca

Download Submit
C:\Program Files\Monday.ime
Filesize
23KB

MD5
58040443232918af2ff04a8bd82cdac0

SHA1
30e6fc2f3ec0de36a8c67d943c6771034177617e

SHA256
cce7e85cea31c7277d5dd5199db69a7be3754477a342500bb5e6b8c88f8b4cb7

SHA512
acf3a69b0fef4724cac660e16206cd4056565b3ad901a63c639d22b72c15f5bd784af3bd629543d6f05a5de14b78cf95bb77d62671f0295d813061a6463059ca

Download Submit
C:\Windows\SysWOW64\sfcos.dll
Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\SysWOW64\sfcos.dll
Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\SysWOW64\systemp
Filesize
4KB

MD5
390a723071ff83760f669d65bade0ad6

SHA1
e9a07e9a91708634ea986ca31c6471b75402a3ae

SHA256
50ed8f234a125b1e1430923e2d29afb241e965eb4edf36f41cea56032c8009b0

SHA512
a44d5e2f74b0692ec10209c675de0e1c82c147d9887011a848a80d123349b61db9df00b209a0323ee27d1c7ea6ae525cef1790b792a6fb9f46188b13ae8eca33

Download Submit
\??\c:\del.bat
Filesize
306B

MD5
32b9b10b9ffa6974224679a874b68d4c

SHA1
94a74f48607091435597b4a858128dcdd529f1c7

SHA256
d6844f99a80f339e1a2f5aaf4a76a9f7f6918232c723c7573c21482cb48eb8f9

SHA512
bfe076475ca5791ee99602b36b8d15cec8c20e5c6bf1cff8901894677a187046b11d80d128ad4df2d896eaf90c8514b045971535b5e6cf8dc3dd41020b56d24c

Download Submit
memory/4040-132-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4388-133-0x0000000000000000-mapping.dmp

Download
memory/4628-134-0x0000000000000000-mapping.dmp

Download
memory/4828-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads