a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
204s
max time network
235s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/winnit6.6.6 V10.exe
Size

5.8MB
MD5

28258bd9de6f0127035ed41c6d027660
SHA1

03a805ac69a2ff3fda5eab132c563a4b78c8d714
SHA256

4466771e8922523602f18ec194477eccdaaf0327bebeb429e5bcc79df7e88023
SHA512

c85002b9ae4b310925501ecc5ca619ae85df8a2a6bde20204aa136f5162a3ed05879bd327a0c89ecf33deb60786067c7b0ac28b04e9103f5de895e035f2fe78f
SSDEEP

98304:tuWPfhCeliyuv733FTvN1EDfc4YIRwv0mmdYSAaHmtlY2K7uackr6z+hZdERW2c+:t3c5D33Z86mW0muAaHtiaN6z+GRCXFJ6

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

winnit6.6.6 V10.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	winnit6.6.6 V10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

winnit6.6.6 V10.exe

description	pid	process	target process
PID 728 wrote to memory of 3764	728	winnit6.6.6 V10.exe	cmd.exe
PID 728 wrote to memory of 3764	728	winnit6.6.6 V10.exe	cmd.exe
PID 728 wrote to memory of 3764	728	winnit6.6.6 V10.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\winnit6.6.6 V10.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\winnit6.6.6 V10.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\temp\2.bat" "
2⤵
PID:3764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\temp\2.bat
Filesize
207B

MD5
3f9c36fd234c07608cb65e0a4591b998

SHA1
d1445496ee110a1eb03937a1ab1da97778e6ba87

SHA256
bfcb093dd8292f6654622e53ec452e0f9e9d8b8ccad3eed5dddd88d00cdfdb72

SHA512
9f5a5120beb952df8be93456cc9c86fa54c0a5f9d1e894de86845fcc7de659ab8a0401ef8c84dcafb5915b3c354775bdac0fccf4fae0bd9a3c39eb0cd4011400

Download Submit
memory/3764-132-0x0000000000000000-mapping.dmp

Download