6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
Size

1.5MB
MD5

174800448060da1f551c0e234d0337f6
SHA1

5c395ac0840c2abba7e18afa1080b22a8bfc5d12
SHA256

6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690
SHA512

0ff91582a3d89ba03f76ca845aec9dfd540d17d9f34a5935b71a947e89e716f9cb3af2e8302bad68be48a6644b7ac4812945759134fcf17bc3d196b70d83ca2a
SSDEEP

24576:bOi2Q9NXw2/wPOjdGxYqfw+Jwz/S/6RZs8nVW6k5JHkARt7DBAqnN:bZTq24GjdGSgw+W7SCRnVQTEQ/BA8

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1680	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1976	taskkill.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4816	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
Token: SeDebugPrivilege	1976	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4816 wrote to memory of 1120	4816	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	83
PID 4816 wrote to memory of 1120	4816	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	83
PID 4816 wrote to memory of 1120	4816	6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe	83
PID 1120 wrote to memory of 3872	1120	cmd.exe	85
PID 1120 wrote to memory of 3872	1120	cmd.exe	85
PID 1120 wrote to memory of 3872	1120	cmd.exe	85
PID 1120 wrote to memory of 1976	1120	cmd.exe	86
PID 1120 wrote to memory of 1976	1120	cmd.exe	86
PID 1120 wrote to memory of 1976	1120	cmd.exe	86
PID 1120 wrote to memory of 1680	1120	cmd.exe	87
PID 1120 wrote to memory of 1680	1120	cmd.exe	87
PID 1120 wrote to memory of 1680	1120	cmd.exe	87

C:\Users\Admin\AppData\Local\Temp\6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe
"C:\Users\Admin\AppData\Local\Temp\6be7871b1acc611b7703d1c0441e1cefb0024a5cde20bbcf9406fd8296e3b690.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpCF4B.tmp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\taskkill.exe
    TaskKill /F /IM 4816
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\SysWOW64\timeout.exe
    Timeout /T 2 /Nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCF4B.tmp.bat

Filesize
57B

MD5
84c64a2b145d3c27c01968c9c822e9ae

SHA1
838869600f8a947fb30d2fdc8ca454148e92bc40

SHA256
a32567f05e5516f977d2fae40decadc39d7baac4ab8bde1971e9f93ddac1e1cc

SHA512
c5e742ff23d1838cd64d2bdfce43bf4aa9312e2cd303be3a4a0008fbcfc73a4a05c7da36462b18de311900d0221f52b2c123ef80e03958ddeb7819d8d82f4c0a

Download Submit
memory/1120-134-0x0000000000000000-mapping.dmp

Download
memory/1680-138-0x0000000000000000-mapping.dmp

Download
memory/1976-137-0x0000000000000000-mapping.dmp

Download
memory/3872-136-0x0000000000000000-mapping.dmp

Download
memory/4816-132-0x00000000005A0000-0x0000000000724000-memory.dmp

Filesize
1.5MB

Download
memory/4816-133-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download