6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

General

Target

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Size

82KB
MD5

6e6667b71a86780268828232d4363f63
SHA1

e6f6cb0f70c628c797d2e79717cc331c8f5d3f76
SHA256

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef
SHA512

6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

NetFramework.exe

pid process

1216 NetFramework.exe

pid	process
1216	NetFramework.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exeNetFramework.exe

description	pid	process
Token: SeDebugPrivilege	3144	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
Token: SeDebugPrivilege	1216	NetFramework.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe

description	pid	process	target process
PID 3144 wrote to memory of 1216	3144	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe	NetFramework.exe
PID 3144 wrote to memory of 1216	3144	6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe	NetFramework.exe

C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe
"C:\Users\Admin\AppData\Local\Temp\6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
Filesize
82KB

MD5
6e6667b71a86780268828232d4363f63

SHA1
e6f6cb0f70c628c797d2e79717cc331c8f5d3f76

SHA256
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

SHA512
6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\NetFramework.exe
Filesize
82KB

MD5
6e6667b71a86780268828232d4363f63

SHA1
e6f6cb0f70c628c797d2e79717cc331c8f5d3f76

SHA256
6f0108291363fe6af24a32c77e502e5241369d35bb33b828c899b31824823eef

SHA512
6400e6e56d5b163050f96d96cb82ad53960efb518760b7c99e7b62886a45d40f1aa914bd872a83fbdc9d0049bcb4ef084ff9027d6affb2cd1363382c6e193395

Download Submit
memory/1216-132-0x0000000000000000-mapping.dmp

Download
memory/1216-135-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download
memory/3144-130-0x000001C92F070000-0x000001C92F08C000-memory.dmp

Filesize
112KB

Download
memory/3144-131-0x00007FFC79F30000-0x00007FFC7A9F1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads