86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9

General

Target

86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe
Size

375KB
MD5

e169af1acbdf54ae1f99c469badfa412
SHA1

09e9c5c29c6a3cb51492d0dc0933d8c21997453f
SHA256

86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9
SHA512

e4e6811dceb1dbc21407368c95b5959bab089333c88c29a68565fabcdc8f27d66a179751a523519e49b2a286a85fc9ee130b39e8fcdb7f0027ebd2f1cb2242ed
SSDEEP

6144:E93TqotetsvlJ4DGBdu2YpJ3qOe4yufYspgrGQVUAt5OCHmQRGRCnpGI:EFlt88z4yBU/3qO5yx1rGrAt5OCHjgC/

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1064-56-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1064-59-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1064-61-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1064-65-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1064-66-0x0000000010000000-0x000000001031C000-memory.dmp	upx
behavioral1/memory/1064-67-0x0000000010000000-0x000000001031C000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1676 set thread context of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1064	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 2000	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	28
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1128	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	29
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30
PID 1676 wrote to memory of 1064	1676	86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe	30

C:\Users\Admin\AppData\Local\Temp\86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe
"C:\Users\Admin\AppData\Local\Temp\86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2000
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:1128
- C:\Users\Admin\AppData\Local\Temp\86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe
  C:\Users\Admin\AppData\Local\Temp\86926c9e39bb54d641ae883a426ebfb32a2ba822447c984df20f5ecda62b7de9.exe
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-55-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-56-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-59-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-61-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-65-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-66-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-67-0x0000000010000000-0x000000001031C000-memory.dmp

Filesize
3.1MB

Download
memory/1064-68-0x00000000102CA000-0x000000001031B000-memory.dmp

Filesize
324KB

Download
memory/1064-69-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1064-70-0x0000000010001000-0x00000000102CA000-memory.dmp

Filesize
2.8MB

Download
memory/1676-54-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing