48cad7de3bb1247a5fafff1d3a206c3ec11c37b51b125176e4c8de92308a232c

General

Target

0f6c9ce864ca5a40348b4c128d10c964.exe
Size

208KB
MD5

0f6c9ce864ca5a40348b4c128d10c964
SHA1

64758445ad7f8b28a8f04dbd38e11cb57be4de57
SHA256

48cad7de3bb1247a5fafff1d3a206c3ec11c37b51b125176e4c8de92308a232c
SHA512

e6d7eecee4304bd7df5d52347ee001e19298846ec0f3af2a6f394c77a5368791f087b2897d06aea99fec97461638de3183a47b6248e6e0ed9516ea8d3daf4ad2
SSDEEP

3072:cOJopl0OAbGi6sW3hMKtiV8QwOKqTg63vkHnjwD:Cl0HNTeMVldrU63vEnU

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2764	winlogon.exe
2940	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
3052	0f6c9ce864ca5a40348b4c128d10c964.exe
3052	0f6c9ce864ca5a40348b4c128d10c964.exe
2764	winlogon.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3052-7-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-12-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2940-41-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2940-35-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-23-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-9-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-8-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-5-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-4-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/3052-2-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2940-42-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2172-113-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2172-110-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2172-109-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2172-108-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2172-105-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2940-184-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral1/memory/2172-845-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2940-844-0x0000000000400000-0x000000000041A000-memory.dmp	upx

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 2764 set thread context of 2940	2764	winlogon.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3052	0f6c9ce864ca5a40348b4c128d10c964.exe
2940	winlogon.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3048 wrote to memory of 3052	3048	0f6c9ce864ca5a40348b4c128d10c964.exe	16
PID 3052 wrote to memory of 2764	3052	0f6c9ce864ca5a40348b4c128d10c964.exe	15
PID 3052 wrote to memory of 2764	3052	0f6c9ce864ca5a40348b4c128d10c964.exe	15
PID 3052 wrote to memory of 2764	3052	0f6c9ce864ca5a40348b4c128d10c964.exe	15
PID 3052 wrote to memory of 2764	3052	0f6c9ce864ca5a40348b4c128d10c964.exe	15
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14
PID 2764 wrote to memory of 2940	2764	winlogon.exe	14

C:\Users\Admin\E696D64614\winlogon.exe
C:\Users\Admin\E696D64614\winlogon.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2940
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  PID:2172

C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2764

C:\Users\Admin\AppData\Local\Temp\0f6c9ce864ca5a40348b4c128d10c964.exe
C:\Users\Admin\AppData\Local\Temp\0f6c9ce864ca5a40348b4c128d10c964.exe
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\0f6c9ce864ca5a40348b4c128d10c964.exe
"C:\Users\Admin\AppData\Local\Temp\0f6c9ce864ca5a40348b4c128d10c964.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3048

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:688 CREDAT:275457 /prefetch:2
1⤵
PID:1112

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:688 CREDAT:1389579 /prefetch:2
  2⤵
  PID:2260

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-845-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-105-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-109-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-110-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2940-42-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-844-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-35-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2940-184-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-2-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-4-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-23-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3052-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing