5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

General

Target

5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe
Size

92KB
MD5

e73d7d30d292dce26fa195095547bbc4
SHA1

6e7f1cc4d390455868a114b9328c933d8ef8fb3a
SHA256

5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1
SHA512

e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7
SSDEEP

1536:V8XPFn+jEmNQFEPAlRggWm7og1nsLA1ZyleXZnZCeVoBCWdI3GfOJQFox:V8fUAmNQFEPAIgblsLA7KemhlfOJ+W

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1928	winlogon.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1980-55-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-57-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-58-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-61-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-62-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-66-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral1/memory/1980-71-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe
1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe
1500	WerFault.exe
1500	WerFault.exe
1500	WerFault.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1500	1928	WerFault.exe	29

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1716 wrote to memory of 1980	1716	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	28
PID 1980 wrote to memory of 1928	1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	29
PID 1980 wrote to memory of 1928	1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	29
PID 1980 wrote to memory of 1928	1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	29
PID 1980 wrote to memory of 1928	1980	5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe	29
PID 1928 wrote to memory of 1500	1928	winlogon.exe	30
PID 1928 wrote to memory of 1500	1928	winlogon.exe	30
PID 1928 wrote to memory of 1500	1928	winlogon.exe	30
PID 1928 wrote to memory of 1500	1928	winlogon.exe	30

C:\Users\Admin\AppData\Local\Temp\5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe
"C:\Users\Admin\AppData\Local\Temp\5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 172
      4⤵
      Loads dropped DLL
      Program crash
      PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
92KB

MD5
e73d7d30d292dce26fa195095547bbc4

SHA1
6e7f1cc4d390455868a114b9328c933d8ef8fb3a

SHA256
5b3122191c57179eb2668f42441870fc4e5807aa6a21eafa6969a51c59ccf8c1

SHA512
e5743903333f759eef594d6fc0c8daed88a9c3575a02fdbced3afb7d196e2a2ecea98109aa9eee4763b2ac288d42129543878040be006374d9d66ad375dd04a7

Download Submit
memory/1980-66-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-65-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/1980-62-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-61-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-71-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-54-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-58-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-57-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1980-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing