c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288

General

Target

c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe
Size

72KB
MD5

1abe47e0df495beb485ff4062f188fe7
SHA1

d905a6616600d0a97ce03e4aba17d600c6c4ed8d
SHA256

c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288
SHA512

32005097a275b57d1108652b22be8e740694fa40b77a56758fa0af58340f2d8a3d3e134eba130261a73fbcb46e54492c32f14bdb8f1405a7d0ecdbc73790cbf3
SSDEEP

768:Keb7WM8xnP/Eth0hJGmJx3LoINdKLQZvwmywbwKwwowwwwwwwqwwwwnwwwww0wwz:F4xnHS0hJllZVqrP3

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\svstn.exe	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe
File opened for modification	C:\Windows\SysWOW64\ctfmon.exe	cmd.exe
File created	C:\Windows\SysWOW64\ctfmon.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\backdoor.dll	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe
File created	C:\Windows\SysWOW64\svstn.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\svstn.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe
2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4952	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	79
PID 2500 wrote to memory of 4952	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	79
PID 2500 wrote to memory of 4952	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	79
PID 2500 wrote to memory of 956	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	82
PID 2500 wrote to memory of 956	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	82
PID 2500 wrote to memory of 956	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	82
PID 2500 wrote to memory of 1924	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	84
PID 2500 wrote to memory of 1924	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	84
PID 2500 wrote to memory of 1924	2500	c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe	84

C:\Users\Admin\AppData\Local\Temp\c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe
"C:\Users\Admin\AppData\Local\Temp\c6ff045ea527207672d4dcda0822990c7e4affd6e358932f2f6896a5fa442288.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\shopsupportshexinfo.bat" "
  2⤵
  - Drops file in System32 directory
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\shopsupportshexinfo.bat" "
  2⤵
  - Drops file in System32 directory
  PID:956
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\system32\ctfmon.exe"
  2⤵
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\svstn.exe

Filesize
13KB

MD5
25a16663eb214de4e8a7a98c943ce5a2

SHA1
02992481d2fdcec3720fee65be60b5d6bc71c108

SHA256
0f7249ba758467d88fe9e86403f3f0accfb1ed4e6af424262a6c41b9a1cefc4c

SHA512
e7d9936b6b6fabd2c16d664de871ce32e62a7c0e2990e49c022f248f71f139af3203278ec85b2397df25464d01ff5b5300d33397acab10660118e14cbb9c036d

Download Submit
C:\Windows\SysWOW64\svstn.exe

Filesize
13KB

MD5
25a16663eb214de4e8a7a98c943ce5a2

SHA1
02992481d2fdcec3720fee65be60b5d6bc71c108

SHA256
0f7249ba758467d88fe9e86403f3f0accfb1ed4e6af424262a6c41b9a1cefc4c

SHA512
e7d9936b6b6fabd2c16d664de871ce32e62a7c0e2990e49c022f248f71f139af3203278ec85b2397df25464d01ff5b5300d33397acab10660118e14cbb9c036d

Download Submit
C:\shopsupportshexinfo.bat

Filesize
72B

MD5
c8c4deb794d5f3b50d379209426a1839

SHA1
dea20bf92e2644c4f6ef030dfe4459c6391f44c8

SHA256
7282e0bc29f96127363934ebb9386c6ce160df75b2a882d49e58f53955855754

SHA512
653874bf0cf18e1ddeadb20c1b7cdca86e521ab33ae8986f0d89c82f0363b8c5d2d5836476bf4c1dbd8d97f6949974182c1ba0a9ea0a152bb7805866a95d5af8

Download Submit
C:\shopsupportshexinfo.bat

Filesize
134B

MD5
57e4919848fd9044a1a4ac9f64208857

SHA1
4dbd82bc88b65e4d75852685e10a7eaa7e6da060

SHA256
9096a78790fd1e2d8dd8ad29423f12a7b6af36777960ba54e9c6563436830251

SHA512
a67f0912a14c99d321d15c4e90e90bc955847ad142a7bd3d82b5e89a03957eef74e25bac3bd08f3f1ba17c5dc37119ff2668b05f0637fd46ec384c6b572dc698

Download Submit
memory/956-136-0x0000000000000000-mapping.dmp

Download
memory/1924-139-0x0000000000000000-mapping.dmp

Download
memory/2500-132-0x0000000000400000-0x0000000000429200-memory.dmp

Filesize
164KB

Download
memory/2500-140-0x0000000000400000-0x0000000000429200-memory.dmp

Filesize
164KB

Download
memory/4952-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing