6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71

Analysis

max time kernel
207s
max time network
219s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
Size

560KB
MD5

0bed5fbe6172b4da68950a69f73a6655
SHA1

f4c61d3efb83e915bd78060e4ef654bf62b648ad
SHA256

6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71
SHA512

18822c0d95aae011dc0a4ebde34da6a2cf1c9316aed4473da71f70c710e3be6160b8074b85cfa8e3a55221c3700808b49126cc9e18aefe38cfdf79bde2dee3bd
SSDEEP

12288:vflAhHtn1bvzSP6iTn1UserksHkU5KrVclb6ajydnl:vfShHLvmP6+19egRG10nl

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

4876 svchost.exe

pid	process
4876	svchost.exe

Drops file in Program Files directory 5 IoCs

Processes:

6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exesvchost.exe

description	ioc	process
File created	C:\Program Files\DbProtectSupport\svchost.exe	6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
File opened for modification	C:\Program Files\DbProtectSupport\svchost.exe	6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
File opened for modification	C:\Program Files\DbProtectSupport\fake.cfg	svchost.exe
File created	C:\Program Files\DbProtectSupport\fake.cfg	svchost.exe
File created	C:\Program Files\DbProtectSupport\svchost.exe.bak	6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	svchost.exe

C:\Users\Admin\AppData\Local\Temp\6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe
"C:\Users\Admin\AppData\Local\Temp\6ba1b3faa9f30e9383793ebe302ae8b9f854455b4c2b3df9de9a369ae6d40d71.exe"
1⤵
- Drops file in Program Files directory
PID:4936

C:\Program Files\DbProtectSupport\svchost.exe
"C:\Program Files\DbProtectSupport\svchost.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
PID:4876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DbProtectSupport\svchost.exe
Filesize
281KB

MD5
0e5ed49d2c83c2c34031f0c3712bd479

SHA1
068e08738d05ede9d83ce7f1cb74a695e2fcd9f2

SHA256
6c14e4287757b30837a611b3593eba59994fd58a9bd774c9084b6c857c51493b

SHA512
3a8cc2366d0b9feead3b2f5e617f5392579fe4e2199d4aa428c4c2c2ce8360ae87ad3ae4f391ead19f16d24f08a8d0baebef253cbfc2d4772d59823d433fdd6c

Download Submit
C:\Program Files\DbProtectSupport\svchost.exe
Filesize
281KB

MD5
0e5ed49d2c83c2c34031f0c3712bd479

SHA1
068e08738d05ede9d83ce7f1cb74a695e2fcd9f2

SHA256
6c14e4287757b30837a611b3593eba59994fd58a9bd774c9084b6c857c51493b

SHA512
3a8cc2366d0b9feead3b2f5e617f5392579fe4e2199d4aa428c4c2c2ce8360ae87ad3ae4f391ead19f16d24f08a8d0baebef253cbfc2d4772d59823d433fdd6c

Download Submit