6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690

Analysis

max time kernel
65s
max time network
81s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12-01-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
Size

1.5MB
MD5

174800448060da1f551c0e234d0337f6
SHA1

5c395ac0840c2abba7e18afa1080b22a8bfc5d12
SHA256

6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690
SHA512

0ff91582a3d89ba03f76ca845aec9dfd540d17d9f34a5935b71a947e89e716f9cb3af2e8302bad68be48a6644b7ac4812945759134fcf17bc3d196b70d83ca2a
SSDEEP

24576:bOi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnN:bZTq24GjdGSgw+W7SCRnVQTEQ/BA8

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2028	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2000	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
Token: SeDebugPrivilege	2000	taskkill.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 1924	1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	29
PID 1740 wrote to memory of 1924	1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	29
PID 1740 wrote to memory of 1924	1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	29
PID 1740 wrote to memory of 1924	1740	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	29
PID 1924 wrote to memory of 1684	1924	cmd.exe	31
PID 1924 wrote to memory of 1684	1924	cmd.exe	31
PID 1924 wrote to memory of 1684	1924	cmd.exe	31
PID 1924 wrote to memory of 1684	1924	cmd.exe	31
PID 1924 wrote to memory of 2000	1924	cmd.exe	32
PID 1924 wrote to memory of 2000	1924	cmd.exe	32
PID 1924 wrote to memory of 2000	1924	cmd.exe	32
PID 1924 wrote to memory of 2000	1924	cmd.exe	32
PID 1924 wrote to memory of 2028	1924	cmd.exe	33
PID 1924 wrote to memory of 2028	1924	cmd.exe	33
PID 1924 wrote to memory of 2028	1924	cmd.exe	33
PID 1924 wrote to memory of 2028	1924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
"C:\Users\Admin\AppData\Local\Temp\6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp293B.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 1740
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp293B.tmp.bat

Filesize
57B

MD5
d15b7034edab8c2a3630ca65706068c9

SHA1
e3e86d0ca21fa65d653281724dfd9495c8d88cc9

SHA256
c02e823daf4396b9f96a330135cb2104666bab845c9072bc94a2d20419ac03da

SHA512
8cb1cd52bc627991db982ab95e190b9cbfebca015d45159d626bc02c019fb7ac306309dc65f38d22a0c1039707946bffba2d524de268fbcac9c16ca048a088f5

Download Submit
memory/1684-58-0x0000000000000000-mapping.dmp

Download
memory/1740-54-0x00000000000A0000-0x0000000000224000-memory.dmp

Filesize
1.5MB

Download
memory/1740-55-0x00000000767C1000-0x00000000767C3000-memory.dmp

Filesize
8KB

Download
memory/1924-56-0x0000000000000000-mapping.dmp

Download
memory/2000-59-0x0000000000000000-mapping.dmp

Download
memory/2028-60-0x0000000000000000-mapping.dmp

Download