b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277

General

Target

b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
Size

546KB
MD5

9c6e9bae04e514b47eefbddbb5e67d2b
SHA1

6e9b1f7ee1b723035409ecd1d16c932b4141e1cb
SHA256

b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277
SHA512

0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0
SSDEEP

3072:CNnqDxIGX/9nDiG7t6yCAti1zxGJidD5iYAHg4Cs7lJgxwL0out:CNnxKL0oS

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4028	winlogon.exe
4212	winlogon.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e52-135.dat	upx
behavioral2/files/0x0006000000022e52-136.dat	upx
behavioral2/memory/3756-137-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4028-140-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4028-141-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/memory/4212-143-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/files/0x0006000000022e52-144.dat	upx
behavioral2/memory/4212-146-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4212-147-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/4212-150-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4028 set thread context of 4212	4028	winlogon.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3756	b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
4028	winlogon.exe
4212	winlogon.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3756 wrote to memory of 4028	3756	b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe	87
PID 3756 wrote to memory of 4028	3756	b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe	87
PID 3756 wrote to memory of 4028	3756	b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe	87
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97
PID 4028 wrote to memory of 4212	4028	winlogon.exe	97

C:\Users\Admin\AppData\Local\Temp\b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe
"C:\Users\Admin\AppData\Local\Temp\b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4028
- - C:\Users\Admin\E696D64614\winlogon.exe
    Error 448
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
97acf0930ce9f2f69d40ed8e1178cec6

SHA1
6380a2d97e4b4ccc3b4598cc2d431702e54ed69c

SHA256
b38f02de41dbb7db433a5f440dff85432150ff71d53b7ef8792d96da80962343

SHA512
f49c8a4fa51127e7d8b71cd0257bbedc8855ea708ec0e313e5071b656aedb815b55e51619df24ed967c4df0e685a4940cc1f123aa4ee0198a3d1ada1b42480e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2119239CBE0D3DBEF6F19E0B10265873

Filesize
472B

MD5
0be73f837e6aeb740e5c608fb17237b5

SHA1
4dfd1104c0558f35d83b35ca08e4874052be4bc7

SHA256
9f57778d4b2af1df4ee9000e3be98a38927c78d4d61b8a70f7a6499c2842fa89

SHA512
1bd4cfb2889952a56d3b6c58f181343d491d18d10b645289746176d392426467a9e68f52a48315bb809cd917ac598489b0e2cad995fd689a1b8673376316313e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
130a8b6b866c371560107bb88b81fe43

SHA1
68c3bd5364e57738f04636f511549fdcfca02d14

SHA256
b3d22680069f518a90ecf87f76cbb93864bfd843f7e788b4c6ee6e743ad973d2

SHA512
9726e5dd79f553fbc98afcae7d6cfec963bc464a678493af370f8cb0a51507a17d06908aada671dceae1028ee3c0e9550feb28c83d0847ac40a222af4ff74138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2119239CBE0D3DBEF6F19E0B10265873

Filesize
476B

MD5
793252ffde02a85dfa0e3daf689fbd38

SHA1
8b1d0b26ba423b8d1fe6b904d6db4243fee53833

SHA256
308322f24b71fb00a4b7130036489e201d8301bf86d9636a65568ee95cbc088e

SHA512
3015ec61266c53733b840d331de2ba7088a21be8bdad42b3caf28a842b3c181877b0c005c26e70152c865e0496e90a07df423115c3091e3c74e3205a96592312

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
546KB

MD5
9c6e9bae04e514b47eefbddbb5e67d2b

SHA1
6e9b1f7ee1b723035409ecd1d16c932b4141e1cb

SHA256
b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277

SHA512
0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
546KB

MD5
9c6e9bae04e514b47eefbddbb5e67d2b

SHA1
6e9b1f7ee1b723035409ecd1d16c932b4141e1cb

SHA256
b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277

SHA512
0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
546KB

MD5
9c6e9bae04e514b47eefbddbb5e67d2b

SHA1
6e9b1f7ee1b723035409ecd1d16c932b4141e1cb

SHA256
b59b724091cead1305095f15b85073b6208cbb46ccf5a67a253862fb9e905277

SHA512
0bb63b5cd7f019fccfe4a8e77cb15ae9a69de84ad7d9e89e7235a15e19bd540eefa68002bfa7a15c70fe94b77f0c3bc1340781ca5da1dde7fd5305ecbc4bdee0

Download Submit
memory/3756-137-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4028-141-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4028-140-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4212-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-146-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4212-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing