d07d933cc1697903c9d3617fbf8ec19722a98ee5cea20125741ca87059ce1e36

General

Target

9F9468C84CBC4E5C0C9E2CFE584598EA.exe
Size

14.0MB
MD5

9f9468c84cbc4e5c0c9e2cfe584598ea
SHA1

ef588da98c8ce9b16163803ee43ac9f01f0cfc8f
SHA256

d07d933cc1697903c9d3617fbf8ec19722a98ee5cea20125741ca87059ce1e36
SHA512

925394e6adc80d83d48ab9808ade74f9e8ae9d0ddb328cab4dd762ae80f078a431d22e39ecd5d67519c3d416df2d98afaf26f5484f34f491fc55f0ce5bd7548d
SSDEEP

393216:DOa6z/KV0oZfnRApLv0YZNdmlH/BDEER8ylyaxh8:bkiV0oZ/ILv/NdKuglPxh

Score

8^/10

evasion upx

Malware Config

Signatures

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1360-82-0x0000000000150000-0x0000000001D69000-memory.dmp	upx
behavioral1/memory/1360-104-0x0000000000150000-0x0000000001D69000-memory.dmp	upx
behavioral1/memory/1360-105-0x0000000000150000-0x0000000001D69000-memory.dmp	upx

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1360-82-0x0000000000150000-0x0000000001D69000-memory.dmp	autoit_exe
behavioral1/memory/1360-104-0x0000000000150000-0x0000000001D69000-memory.dmp	autoit_exe
behavioral1/memory/1360-105-0x0000000000150000-0x0000000001D69000-memory.dmp	autoit_exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\VCX.dll	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
File created	C:\Windows\VCX_X64.ini	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
File created	C:\Windows\VCX_X64.dll	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
File created	C:\Windows\VCX.ini	9F9468C84CBC4E5C0C9E2CFE584598EA.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
432	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 432	1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe	28
PID 1360 wrote to memory of 432	1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe	28
PID 1360 wrote to memory of 432	1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe	28
PID 1360 wrote to memory of 432	1360	9F9468C84CBC4E5C0C9E2CFE584598EA.exe	28

C:\Users\Admin\AppData\Local\Temp\9F9468C84CBC4E5C0C9E2CFE584598EA.exe
"C:\Users\Admin\AppData\Local\Temp\9F9468C84CBC4E5C0C9E2CFE584598EA.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" stop CommunicationServer
  2⤵
  - Launches sc.exe
  PID:432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VCX.dll

Filesize
6.6MB

MD5
35d0936f2237b4a9976577def330a49f

SHA1
991dfefba4a9ed3d3774fd05d70a6607ad3d8cd2

SHA256
bfc2778563a8274a9577b2fa53c76732d014958783eca4121e610c3f6fe16499

SHA512
c7d51cdb25bfef065dff49df36e135d02137dfd50be8bc310fa0c4519437b00e174589bbd0dfee0c548dafb75d90f6531496ad5c45fd44e3bab2b69ed1965aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCX_X64.dll

Filesize
6.9MB

MD5
17928c22b984be64b1d5fec6d9bf7e8c

SHA1
b28164777e0a843545a8650e2b3c912dfcc51c40

SHA256
a6d38b712a3bd2e238751c167b4a1ab56e7cb184c4e5b47bc455ff566c49cf4a

SHA512
1ce26e57b27e37aa2b393c900acac76cb71181e845e48abac8c16907b80b02c3dc2fa728357b2c1e590a90d8fc2f84ec6d3ff624fcc046ab66afdf271a7a034c

Download Submit
C:\Users\Admin\AppData\Local\Temp\back.jpg

Filesize
94KB

MD5
32d91ec411ad49a5802f739795bcf1f4

SHA1
cff0adaa148057d7f237d04eaacaaa169bcfdeb5

SHA256
65242f286beec511f7f99aa31b5e30b57326e993754c85b34ede2f6333d3c58b

SHA512
f7835bd7f2462db0e32cfec60f3cfb93d1c89941e548331195bb96cc7b20b111072d7be247d243c6fb0ad0ad3980cd7efd8b303ef0d82812b604fa7742ad59cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\logo.jpg

Filesize
7KB

MD5
219d5bf751bbec0f87ee673ae233166b

SHA1
2fff9f2596e8c8b793bb4dee31e62a90d364e561

SHA256
5f225cac1a6575680814771bfd095057b77e788301d5786cad7fa148a39fc7eb

SHA512
a59a7ba2cdbef41c480c4e41a353e9ef661e50870277c093b095f014ae72069768758f9788784d45fc61854344470a49c52990626ba6951fb25262789d5a3373

Download Submit
C:\Windows\VCX.ini

Filesize
6KB

MD5
8e8f1a530b6f67f715e66a2ff4de05ff

SHA1
fe526def4b8dca6ad4dc5b8b2972f6348c306f2a

SHA256
90e2f4508b882baece686b5681672eb2be5520916982c888f52739e7e79fa970

SHA512
3307dae03f545b50183d58d147d3f585586ad58d31b631c8681f18432298d6331d3252a1ca51a997b1eda30e0777b331b19d0dd613a4086de623669154538108

Download Submit
memory/1360-82-0x0000000000150000-0x0000000001D69000-memory.dmp

Filesize
28.1MB

Download
memory/1360-104-0x0000000000150000-0x0000000001D69000-memory.dmp

Filesize
28.1MB

Download
memory/1360-105-0x0000000000150000-0x0000000001D69000-memory.dmp

Filesize
28.1MB

Download

Analysis

Sharing