27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475

General

Target

27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
Size

1.1MB
MD5

0a97932019e7b5048e3440d5e1d85ed2
SHA1

6a8c81bdf07c72a8612655ed70e33f9b5932975a
SHA256

27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475
SHA512

6cd9a27dd4ee513cfd2a980a9556f1e19dbb02fdd6fe932b6d04904e3b08b88c773b79c6554cead6eb653b455bc369a2e82898a62bb7d4f935d631670b0ef0b3
SSDEEP

12288:gcv6pFioQk7qaBzZbfhNQZwH5DIjnk+xG7/SMZoSRgUFNGTucH+fOkEXRTrC6/mt:gcvBo17TBzZFN8Nnk+xGuMdCT5/mdD0

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-132-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-135-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-134-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-136-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-137-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-139-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-141-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-143-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-145-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-147-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-149-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-153-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-151-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-155-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-157-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-159-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-161-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-165-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-163-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-167-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-169-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-177-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-175-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-173-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-171-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral2/memory/5060-178-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LeiLeiGn8cE.sys	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3136	5060	WerFault.exe	81
340	5060	WerFault.exe	81

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5060	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
5060	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
5060	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
5060	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
5060	27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe

C:\Users\Admin\AppData\Local\Temp\27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe
"C:\Users\Admin\AppData\Local\Temp\27d62cd979d82249873d0f8e5a3b4cbbc3826cc8d1210f6651b8ec7fe985e475.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5060
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1156
  2⤵
  - Program crash
  PID:3136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1196
  2⤵
  - Program crash
  PID:340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5060 -ip 5060
1⤵
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5060 -ip 5060
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5060-132-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-135-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-134-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-136-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-137-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-139-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-141-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-143-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-145-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-147-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-149-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-153-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-151-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-155-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-157-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-159-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-161-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-165-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-163-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-167-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-169-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-177-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-175-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-173-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-171-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/5060-178-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing