Analysis
- max time kernel: 147s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26/11/2022, 23:36
Static task: static1
Behavioral task: behavioral1
Sample: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
Resource: win7-20220812-en
General
- Target: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe
- Size: 677KB
- MD5: 2a73e0d44381ae381096e16fe65bf261
- SHA1: c3d74e27272eebdaab0ff7e9da176a6038803809
- SHA256: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb
- SHA512: 646ea95c2b12e1b9030c0bcdf967380e8eb3c3b40b7174f8a3d4b84171b609fba1339610f21e01b14a1062d52a6fafbd499924dbdc082df3cfef2d8ae9c9b1c0
- SSDEEP: 12288:PaCS+UAgUwBx8QshoIjrmeJNZ+k/EwjOMeEB0LMDPfLFigRg+KbSB0Df7:CCS+UPUwBmogDJNwkJjOMe2PjRg7SuD
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
- PID 1788: SixEngine.exe
- PID 1756: SixEngine.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe)

Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASUS Live Update.com.url (process: SixEngine.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ASUS Live Update = "C:\\ProgramData\\SixEngine.exe" (process: reg.exe)

Checks whether UAC is enabled (1 IoC)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: SixEngine.exe)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: SixEngine.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (process: SixEngine.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe)

Suspicious use of SetThreadContext (1 IoC)
- PID 1788 set thread context of 1756 (process: SixEngine.exe, target process id: 84)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 1788: SixEngine.exe (2 entries)
- PID 1756: SixEngine.exe (3 entries)
- PID 1788: SixEngine.exe (remaining entries; 64 entries in total, all SixEngine.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1756: SixEngine.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 4848 (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe)
- Token: SeDebugPrivilege, PID 1788 (process: SixEngine.exe)
- Token: SeDebugPrivilege, PID 1756 (process: SixEngine.exe)

Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4848 wrote to memory of 908 (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe, target process id: 80), 3 entries
- PID 908 wrote to memory of 64 (process: cmd.exe, target process id: 82), 3 entries
- PID 4848 wrote to memory of 1788 (process: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe, target process id: 83), 3 entries
- PID 1788 wrote to memory of 1756 (process: SixEngine.exe, target process id: 84), 8 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe (PID 4848, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb.exe"
  Signatures:
  - Checks computer location settings
  - Maps connected drives based on registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 908, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe" & exit
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 64, level 3)
      Command line: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "ASUS Live Update" /t REG_SZ /d "C:\ProgramData\SixEngine.exe"
      Signatures:
      - Adds Run key to start application
  - C:\ProgramData\SixEngine.exe (PID 1788, level 2)
    Command line: C:\ProgramData\SixEngine.exe
    Signatures:
    - Executes dropped EXE
    - Drops startup file
    - Maps connected drives based on registry
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\ProgramData\SixEngine.exe (PID 1756, level 3)
      Command line: "C:\ProgramData\SixEngine.exe"
      Signatures:
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 677KB
- MD5: 2a73e0d44381ae381096e16fe65bf261
- SHA1: c3d74e27272eebdaab0ff7e9da176a6038803809
- SHA256: 9d14c92b681adb658c040d08c098e8adb277ca37ec9850eff15cb1161335cfdb
- SHA512: 646ea95c2b12e1b9030c0bcdf967380e8eb3c3b40b7174f8a3d4b84171b609fba1339610f21e01b14a1062d52a6fafbd499924dbdc082df3cfef2d8ae9c9b1c0