Analysis

max time kernel: 201s
max time network: 206s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/11/2022, 23:32

Static task: static1
Behavioral task: behavioral1
Sample: d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Resource: win7-20221111-en
General

Target: d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Size: 799KB
MD5: c5857e5300ee814283aef378678bf693
SHA1: 34f0bda19405d0da0eda788985806d3298dba6bb
SHA256: d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da
SHA512: bd98f151acebc7d8938c47ad297f48dc4eefe187ba616e8cc18828005a1dd2dedaa957cffb415551b9ac780f4d5b545214cb3d1a404ae017a0cac1c2f2dd778c
SSDEEP: 12288:y3K4/IJN9odS9QUw1doEwk7Q+mKPh1DwsEPv/iIawU1x2FhgkCXcdl0YaTFiMDsU:2KJ399p+myjDIad1M2yjB
Malware Config

Signatures
Executes dropped EXE (2 IoCs)

pid  | Process
3432 | SixEngine.exe
4536 | SixEngine.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.

description       | ioc                                                                                                        | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Drops startup file (1 IoC)

description  | ioc                                                                                                     | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASUS Live Update.com.url | SixEngine.exe
Adds Run key to start application (2 TTPs, 2 IoCs)

description     | ioc                                                                                                                       | Process
Key created     | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run                                             | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ASUS Live Update = "C:\\ProgramData\\SixEngine.exe" | reg.exe

Checks whether UAC is enabled

description       | ioc                                                                    | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SixEngine.exe
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.

description       | ioc                                                         | Process
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum   | SixEngine.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | SixEngine.exe
Suspicious use of SetThreadContext (1 IoC)

description                         | pid  | Process       | procid_target
PID 3432 set thread context of 4536 | 3432 | SixEngine.exe | 91
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 4536 SixEngine.exe 4536 SixEngine.exe 4536 SixEngine.exe 4536 SixEngine.exe 4536 SixEngine.exe 4536 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe 3432 SixEngine.exe -
Suspicious behavior: GetForegroundWindowSpam (1 IoC)

pid  | Process
4536 | SixEngine.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)

description             | pid  | Process
Token: SeDebugPrivilege | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
Token: SeDebugPrivilege | 3432 | SixEngine.exe
Token: SeDebugPrivilege | 4536 | SixEngine.exe
Suspicious use of WriteProcessMemory (17 IoCs)

description                      | pid  | Process                                                              | procid_target
PID 60 wrote to memory of 3464   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 87
PID 60 wrote to memory of 3464   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 87
PID 60 wrote to memory of 3464   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 87
PID 3464 wrote to memory of 2204 | 3464 | cmd.exe                                                              | 89
PID 3464 wrote to memory of 2204 | 3464 | cmd.exe                                                              | 89
PID 3464 wrote to memory of 2204 | 3464 | cmd.exe                                                              | 89
PID 60 wrote to memory of 3432   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 90
PID 60 wrote to memory of 3432   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 90
PID 60 wrote to memory of 3432   | 60   | d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe | 90
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
PID 3432 wrote to memory of 4536 | 3432 | SixEngine.exe                                                        | 91
Processes

1. C:\Users\Admin\AppData\Local\Temp\d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da.exe"
   PID: 60
   - Checks computer location settings
   - Maps connected drives based on registry
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe" & exit
      PID: 3464
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\reg.exe
         Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe"
         PID: 2204
         - Adds Run key to start application

   2. C:\ProgramData\SixEngine.exe
      Command line: C:\ProgramData\SixEngine.exe
      PID: 3432
      - Executes dropped EXE
      - Drops startup file
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\ProgramData\SixEngine.exe
         Command line: "C:\ProgramData\SixEngine.exe"
         PID: 4536
         - Executes dropped EXE
         - Checks whether UAC is enabled
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 799KB
MD5: c5857e5300ee814283aef378678bf693
SHA1: 34f0bda19405d0da0eda788985806d3298dba6bb
SHA256: d6cf37735c4abba3704e6416656872b077deb3ec41ab5b06408b314e9c4e35da
SHA512: bd98f151acebc7d8938c47ad297f48dc4eefe187ba616e8cc18828005a1dd2dedaa957cffb415551b9ac780f4d5b545214cb3d1a404ae017a0cac1c2f2dd778c