Analysis

  • max time kernel
    157s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 19:18

General

  • Target

    c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a.exe

  • Size

    132KB

  • MD5

    832b01c03637cb0487a62694da6da49f

  • SHA1

    34e89534b8b7b059057a0ff9b5329201565c93d4

  • SHA256

    c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a

  • SHA512

    90485b4adca938df1a78957c244abe9a4ff3cd53b591c04533ad310b68461c7e7873adb9b3e648b1d057fd1fab235a8b3ff4fb445cd083eedc498687702d8f5f

  • SSDEEP

    1536:bHFjwOqUuflO+6peVdM/d2yv6n0APB8qFE0OSqHW2PYoPPrCLaC46lxIDCwMZOD7:ryOqxY+6pejzNB8A4xAo784KmMMDLH

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a.exe
    "C:\Users\Admin\AppData\Local\Temp\c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a.exe
      "C:\Users\Admin\AppData\Local\Temp\c6c9253d79a583bf2e87be9333578d3ab5de6ac5c07c59cc6fc46fc14aa98c0a.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BRSPX.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2744
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "indiagamcaaa" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe" /f
          4⤵
          • Adds Run key to start application
          PID:4848
      • C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
        "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe
          "C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1256

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BRSPX.bat

    Filesize

    158B

    MD5

    033ff48e13742ca54269e0846484b830

    SHA1

    082ce1eed215dda59ea75a8227f8cd0e1b15d36f

    SHA256

    597efbff7588882d8866604df4e7a4f715418a7d9bae4736029412fda3bfa455

    SHA512

    8727692731b3788a5f8a5b5d4e79f009a8953d9a236f66e4cdc963c82c9aff3b6e833a491f78f88d55d8bad4d46f5d81e279974600ddbe5ea2c42003f043adda

  • C:\Users\Admin\AppData\Roaming\india gamcaa\indiagamcaa.exe

    Filesize

    132KB

    MD5

    bad8343bc3f31210e5fa6bfe46398752

    SHA1

    af83fa15773ce8668edc6bee4f19e1e8ed6fe8d2

    SHA256

    1c5f0caf944f7ce8abf2b9996cb76ac747797803eaa08b5d1be2a78e2d1465d3

    SHA512

    7d33be4e48b5c6c21b5cae752c57119aad6381c163396f45248d57430f6a5083c5464609d2f4ea5f04e0d8dc4fd49a66645ed6b954cf76fe5fd34a7002457fee

  • memory/0-155-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/1256-161-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1256-162-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-141-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-138-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-150-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-137-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-135-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1424-160-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB