48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86

General

Target

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
Size

88KB
MD5

8b97b5ed374d6e68451e6742133c3630
SHA1

061b5daf8569180fb017b3df17ef7a9ba17e983d
SHA256

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86
SHA512

3d5639a3459fcd1f33c4119b93bc15b875bae023da7933f5d3e964aac1c2bde4a2374faa35f0080bfaa7135c4840deab0877ba4b17d5437b4be32bdfe81bc799
SSDEEP

1536:t5piVnDXkTbhCtaB6GVA/bVQPxfgiqfoOonoKg+yOH5y/yEn:6D0ctAVA/bmxIMnoKjyR/Nn

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winlogonr.exe

pid	Process
251368	winlogonr.exe

Loads dropped DLL 5 IoCs

Processes:

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe

pid	Process
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogonr\\winlogonr.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe

description	pid	Process	procid_target
PID 2068 set thread context of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/250932-540769-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/250932-540768-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/250932-540767-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/250932-540764-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/250932-540762-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/250932-540811-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winlogonr.exe48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.execmd.exereg.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogonr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exewinlogonr.exe

pid	Process
2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
251368	winlogonr.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.execmd.exe

description	pid	Process	procid_target
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 2068 wrote to memory of 250932	2068	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	31
PID 250932 wrote to memory of 251244	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	32
PID 250932 wrote to memory of 251244	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	32
PID 250932 wrote to memory of 251244	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	32
PID 250932 wrote to memory of 251244	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	32
PID 251244 wrote to memory of 251308	251244	cmd.exe	34
PID 251244 wrote to memory of 251308	251244	cmd.exe	34
PID 251244 wrote to memory of 251308	251244	cmd.exe	34
PID 251244 wrote to memory of 251308	251244	cmd.exe	34
PID 250932 wrote to memory of 251368	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	35
PID 250932 wrote to memory of 251368	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	35
PID 250932 wrote to memory of 251368	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	35
PID 250932 wrote to memory of 251368	250932	48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe	35

C:\Users\Admin\AppData\Local\Temp\48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
"C:\Users\Admin\AppData\Local\Temp\48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe
  "C:\Users\Admin\AppData\Local\Temp\48235feba2ab606004db39d1d3bcbf78513a6bde366469d5556b5456aa635c86N.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:250932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\OGXPL.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:251244
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:251308
- - C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe
    "C:\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:251368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\OGXPL.bat

Filesize
149B

MD5
6831b89d0b8dc3e07588d733e75c122b

SHA1
8c70088c3224bbaf535ed19ec0f6bd5231c543be

SHA256
9fe102f2c6dff35f03787b85f725d12347cf491c897730a7f2e818f65177ffc2

SHA512
699fb44a25032ee4ad0ace1f941c826b333baddb65049c22e80b272909e85f4c8a00fef73fe2d97fa8998a0b6969b13461237bfc1e8f9bf711849d17d0cda6da

Download Submit
\Users\Admin\AppData\Roaming\winlogonr\winlogonr.exe

Filesize
88KB

MD5
ed2acd4c102294d31109b5058c47b5a5

SHA1
67f60e1abf7b4eba31404cd4cb54590bddfc2b48

SHA256
ab6bfeb31e22b18d5862ac0cad6b07af47f721136c10888d100e132faeb916f9

SHA512
bf786ff6b87316a467f0ff6b41d20aa352298a9fd6ee1a4fb432321fdb5653ca0382228fe9c35a27a93316b48c2cd30631859400d3a70444004ad51c0c548cbf

Download Submit
memory/2068-505417-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/2068-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2068-505416-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2068-68-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/2068-2-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2068-38-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2068-445-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2068-14-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2068-440-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2068-505418-0x00000000004E0000-0x00000000004E2000-memory.dmp

Filesize
8KB

Download
memory/2068-4-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2068-523297-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2068-76-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/2068-58-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2068-442-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download
memory/250932-540768-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540766-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/250932-540764-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540762-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540760-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540767-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540769-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/250932-540811-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/251368-540815-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/251368-540822-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads