6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90

General

Target

6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe
Size

3.9MB
MD5

ccd805f09122c944f70e68350ec4f2c0
SHA1

af4612216424c033472e99e4bd5458ce48759cda
SHA256

6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90
SHA512

dd1dbf22e2f1643117da6dc0aaf510891ffa82d1a5915760a521caa16b844e91cacaeea0cb87cf5328afaedb4615b139e77440f48d04b7069808ccc2ac05de7e
SSDEEP

98304:b1dl2zGkNX36v8o26W1VYQeXrftJ6wbyzjfsQ:gZ6vp6MXrigs9

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3920	icytower15_install.exe
2348	GLB33C.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	GLB33C.tmp
2348	GLB33C.tmp
2348	GLB33C.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB33C.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\_ ÉR&·¬m‚&\ùÂ2QG+ŽBD9:ËŠn¶k+K¦¦b¥cóŽ€Xçß‰… I¢q÷ "ŽÜTUÃj6À]žþs`&$¾qØÒ4<cF¡Ë¢ŠjxÆ"èÑH×Œç¨¼ùcVÀï6£Y.ö—a³uïWe`j…ß®Oˆàÿ	6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 3920	3248	6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe	82
PID 3248 wrote to memory of 3920	3248	6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe	82
PID 3248 wrote to memory of 3920	3248	6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe	82
PID 3920 wrote to memory of 2348	3920	icytower15_install.exe	83
PID 3920 wrote to memory of 2348	3920	icytower15_install.exe	83
PID 3920 wrote to memory of 2348	3920	icytower15_install.exe	83

C:\Users\Admin\AppData\Local\Temp\6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe
"C:\Users\Admin\AppData\Local\Temp\6cfb4ce8486294a2d5ad2f7294f995d3d9c5decf35dda4bd38afa34020996d90.exe"
1⤵
- Checks computer location settings
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Extracted\icytower15_install.exe
  "C:\Extracted\icytower15_install.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\GLB33C.tmp
    C:\Users\Admin\AppData\Local\Temp\GLB33C.tmp 4736 C:\EXTRAC~1\ICYTOW~1.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\icytower15_install.exe

Filesize
3.7MB

MD5
5b234cc263d81eb55a26157448f0c1d6

SHA1
84765fe68747973ae1b2d460a852eb46f0b293ff

SHA256
275722d0662815eacca4dac0d0840fd42a394f4843ed1dd25d5f2c044302929f

SHA512
c55e833a5732d2cfa697ff044481544aadd5f69ca345f63c6fa3844e2dfe724d5c3e0201540cd7d09b2670f4c8daf6d28189713141307a84ca93701244673631

Download Submit
C:\Extracted\icytower15_install.exe

Filesize
3.7MB

MD5
5b234cc263d81eb55a26157448f0c1d6

SHA1
84765fe68747973ae1b2d460a852eb46f0b293ff

SHA256
275722d0662815eacca4dac0d0840fd42a394f4843ed1dd25d5f2c044302929f

SHA512
c55e833a5732d2cfa697ff044481544aadd5f69ca345f63c6fa3844e2dfe724d5c3e0201540cd7d09b2670f4c8daf6d28189713141307a84ca93701244673631

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB33C.tmp

Filesize
70KB

MD5
cfb71d5a48f41069e92535ce998c0550

SHA1
09cfb2359ef577a752cb89eebc4aa993083fa8ee

SHA256
ae043259f51429db19c6645b1dbe6575db3bb1782a66727326a94e967b7a3713

SHA512
8866a3312c4a7e590902aa47f51a8da1bbea680ce673f9da1c86fcaaebdde2a178170b46c70b568583092b2c12d3e0636c37c68e8613ec6ec436e98961498ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLB33C.tmp

Filesize
70KB

MD5
cfb71d5a48f41069e92535ce998c0550

SHA1
09cfb2359ef577a752cb89eebc4aa993083fa8ee

SHA256
ae043259f51429db19c6645b1dbe6575db3bb1782a66727326a94e967b7a3713

SHA512
8866a3312c4a7e590902aa47f51a8da1bbea680ce673f9da1c86fcaaebdde2a178170b46c70b568583092b2c12d3e0636c37c68e8613ec6ec436e98961498ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC501.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK57F.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK57F.tmp

Filesize
33KB

MD5
517419cae37f6c78c80f9b7d0fbb8661

SHA1
a9e419f3d9ef589522556e0920c84fe37a548873

SHA256
bfe7e013cfb85e78b994d3ad34eca08286494a835cb85f1d7bced3df6fe93a11

SHA512
5046565443cf463b6fa4d2d5868879efc6a9db969bf05e3c80725b99bd091ce062cfe66c5551eb1cc5f00a38f2cfcda1f36fb4d60d9ff816c4ec3107b5a0df40

Download Submit
memory/2348-135-0x0000000000000000-mapping.dmp

Download
memory/2348-141-0x0000000000711000-0x0000000000713000-memory.dmp

Filesize
8KB

Download
memory/3920-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing