6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a

Analysis

max time kernel
146s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe
Size

122KB
MD5

de3abc441c3093de4c2a54b0e9cf828e
SHA1

260247cb09238b20188b04f71f7a0058cb9c45e6
SHA256

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a
SHA512

e091b7b03b3ad94039b99c1eed65b4f3ec9ca2c2ed8bbc870622aea1a91252ca6bdfb15f8143772d46d236ca3c7f78ddd8a6608403764bc6f40ad1d3bd0791d1
SSDEEP

3072:tnDHH47khTSHz4dwqKdM6i4JGpZh37uLjudqz9d0k2:tDn440zt46i4EruLork2

Score

8^/10

persistence vmprotect

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\IPv6NetBrowsSvc\Parameters\ServiceDll = "C:\\Windows\\IPv6NetBrowsSvc.dll"	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
\??\c:\windows\ipv6netbrowssvc.dll	vmprotect
C:\Windows\IPv6NetBrowsSvc.dll	vmprotect
behavioral2/memory/1216-136-0x0000000000B70000-0x0000000000BAE000-memory.dmp	vmprotect
behavioral2/memory/2172-137-0x0000000075520000-0x000000007555E000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid process

2172 svchost.exe

pid	process
2172	svchost.exe

Drops file in Windows directory 2 IoCs

Processes:

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

description	ioc	process
File created	C:\Windows\IPv6NetBrowsSvc.dll	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe
File opened for modification	C:\Windows\IPv6NetBrowsSvc.dll	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe

description	pid	process	target process
PID 1216 wrote to memory of 1088	1216	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe	cmd.exe
PID 1216 wrote to memory of 1088	1216	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe	cmd.exe
PID 1216 wrote to memory of 1088	1216	6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe
"C:\Users\Admin\AppData\Local\Temp\6a4a5f8cfab03293281591a6c10f874d9599558925bc5eead70fe14fda6bc91a.exe"
1⤵
- Sets DLL path for service in the registry
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240575796.bat" "
  2⤵
  PID:1088

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k ipv6srvs -s IPv6NetBrowsSvc
1⤵
- Loads dropped DLL
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240575796.bat

Filesize
239B

MD5
33fdc01cb9d3277a1760c5f5d49305ab

SHA1
f7c7a6613d3c4bbf07ea810172d73623ff4317da

SHA256
c42ad84d9d998ecb665f0a176ec1ef62e872da26cba398eefa0b6a2cc1da7ae5

SHA512
37330d36be4bedf33523abed61de1170f068ed83165c7717d9d22e8613243405c1ef2d6504d792683a06f6d16bb501cb1299c7c659776052d56598737b75740a

Download Submit
C:\Windows\IPv6NetBrowsSvc.dll

Filesize
122KB

MD5
0dd215fbdc6e7bf775a736d9edb21684

SHA1
2805979013e1f8c5ec5faff0d458d9215a85d875

SHA256
e244d56be4020b52c0c9dd92f9ab1fe1a73b2cf6ed998aabfd1fdbdfbcb1bc54

SHA512
57214d1d505ff9db912f90fbcafef045fecf2481cb411e95b2e249e446658a4c1f61dcceccf6d3377fe0fe6d6dea3f279586cdee5384952a481d254903e1bad7

Download Submit
\??\c:\windows\ipv6netbrowssvc.dll

Filesize
122KB

MD5
0dd215fbdc6e7bf775a736d9edb21684

SHA1
2805979013e1f8c5ec5faff0d458d9215a85d875

SHA256
e244d56be4020b52c0c9dd92f9ab1fe1a73b2cf6ed998aabfd1fdbdfbcb1bc54

SHA512
57214d1d505ff9db912f90fbcafef045fecf2481cb411e95b2e249e446658a4c1f61dcceccf6d3377fe0fe6d6dea3f279586cdee5384952a481d254903e1bad7

Download Submit
memory/1088-138-0x0000000000000000-mapping.dmp

Download
memory/1216-132-0x0000000000B71000-0x0000000000B74000-memory.dmp

Filesize
12KB

Download
memory/1216-136-0x0000000000B70000-0x0000000000BAE000-memory.dmp

Filesize
248KB

Download
memory/2172-135-0x0000000075521000-0x0000000075524000-memory.dmp

Filesize
12KB

Download
memory/2172-137-0x0000000075520000-0x000000007555E000-memory.dmp

Filesize
248KB

Download