806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599

General

Target

806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
Size

5.8MB
MD5

d8cc96a6cfa21dc89f5f1c252d0120f4
SHA1

06a654dbbd0525a03b78a177b7ec3ece1cf5f233
SHA256

806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599
SHA512

f4131996d6a3df9617a6734ff8a31ad3ec47ab85f991c99ab57be05ccbd475d34f371fba7669d9c869118ef9619549ca14b70438e629b4d250f06f4087a2d80d
SSDEEP

98304:SuaSBtYKUEkxXk+b7FCOT7cZpyas3pY0Mv/QsiCZs4IiU1pANyNxd:feEky+T7kWYT/QF7pANyN

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

26 3572 msiexec.exe
27 3572 msiexec.exe

flow	pid	process
26	3572	msiexec.exe
27	3572	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe

Executes dropped EXE 1 IoCs

Processes:

CShell.exe

pid process

3844 CShell.exe

pid	process
3844	CShell.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 3 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e5673cd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5673cd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

3572 msiexec.exe
3572 msiexec.exe

pid	process
3572	msiexec.exe
3572	msiexec.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4104	msiexec.exe
Token: SeSecurityPrivilege	3572	msiexec.exe
Token: SeCreateTokenPrivilege	4104	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4104	msiexec.exe
Token: SeLockMemoryPrivilege	4104	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4104	msiexec.exe
Token: SeMachineAccountPrivilege	4104	msiexec.exe
Token: SeTcbPrivilege	4104	msiexec.exe
Token: SeSecurityPrivilege	4104	msiexec.exe
Token: SeTakeOwnershipPrivilege	4104	msiexec.exe
Token: SeLoadDriverPrivilege	4104	msiexec.exe
Token: SeSystemProfilePrivilege	4104	msiexec.exe
Token: SeSystemtimePrivilege	4104	msiexec.exe
Token: SeProfSingleProcessPrivilege	4104	msiexec.exe
Token: SeIncBasePriorityPrivilege	4104	msiexec.exe
Token: SeCreatePagefilePrivilege	4104	msiexec.exe
Token: SeCreatePermanentPrivilege	4104	msiexec.exe
Token: SeBackupPrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeShutdownPrivilege	4104	msiexec.exe
Token: SeDebugPrivilege	4104	msiexec.exe
Token: SeAuditPrivilege	4104	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4104	msiexec.exe
Token: SeChangeNotifyPrivilege	4104	msiexec.exe
Token: SeRemoteShutdownPrivilege	4104	msiexec.exe
Token: SeUndockPrivilege	4104	msiexec.exe
Token: SeSyncAgentPrivilege	4104	msiexec.exe
Token: SeEnableDelegationPrivilege	4104	msiexec.exe
Token: SeManageVolumePrivilege	4104	msiexec.exe
Token: SeImpersonatePrivilege	4104	msiexec.exe
Token: SeCreateGlobalPrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	3572	msiexec.exe
Token: SeTakeOwnershipPrivilege	3572	msiexec.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exeCShell.exe

description	pid	process	target process
PID 2020 wrote to memory of 3844	2020	806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe	CShell.exe
PID 2020 wrote to memory of 3844	2020	806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe	CShell.exe
PID 2020 wrote to memory of 3844	2020	806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe	CShell.exe
PID 3844 wrote to memory of 4104	3844	CShell.exe	msiexec.exe
PID 3844 wrote to memory of 4104	3844	CShell.exe	msiexec.exe
PID 3844 wrote to memory of 4104	3844	CShell.exe	msiexec.exe

C:\Users\Admin\AppData\Local\Temp\806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe
"C:\Users\Admin\AppData\Local\Temp\806c6f10cf3ff2ddcfb8a3c9bb9f418c30b63b6eff5a62e94548d5156694b599.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe" APPLICATIONFOLDER="D:\Apps\CShell" /qn
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\ProgramData\ClassicShellSetup64_4_3_1.msi" APPLICATIONFOLDER="D:\Apps\CShell" /qn
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ClassicShellSetup64_4_3_1.msi
Filesize
4.9MB

MD5
3a9ced12ba930d535142b39784ea08d6

SHA1
f2f9292bbe66ad212d86a3fbb86c48096dbdc319

SHA256
a23720f2f68e0100794db619339df333a2e889a21d198337012cbd4f1d6861e3

SHA512
4c9ee8c1afb24bfc38af92e3b40675b968574662622059187ff64192af29aebd1ff798b8e974393e80506ee1117216a0a1f20d7c13602919e6ffa121602df1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
Filesize
7.0MB

MD5
da9085c5a9749d328b5ab13e69153deb

SHA1
cae9bc13eb12cac63a3cca40a0678c3ed83e50ec

SHA256
9c880e40fd90beaf67ba7f7293c37b5dd37816d20ea6317797b01448b58a4d58

SHA512
c0ba3dc821c483a2b07600892e61103124362c0af20256464e718090140ddee2153152f8fd667eb7bcc8bef429ccbd5234b87b640b032120546087aa9f88984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
Filesize
7.0MB

MD5
da9085c5a9749d328b5ab13e69153deb

SHA1
cae9bc13eb12cac63a3cca40a0678c3ed83e50ec

SHA256
9c880e40fd90beaf67ba7f7293c37b5dd37816d20ea6317797b01448b58a4d58

SHA512
c0ba3dc821c483a2b07600892e61103124362c0af20256464e718090140ddee2153152f8fd667eb7bcc8bef429ccbd5234b87b640b032120546087aa9f88984d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CShell.exe
Filesize
7.0MB

MD5
da9085c5a9749d328b5ab13e69153deb

SHA1
cae9bc13eb12cac63a3cca40a0678c3ed83e50ec

SHA256
9c880e40fd90beaf67ba7f7293c37b5dd37816d20ea6317797b01448b58a4d58

SHA512
c0ba3dc821c483a2b07600892e61103124362c0af20256464e718090140ddee2153152f8fd667eb7bcc8bef429ccbd5234b87b640b032120546087aa9f88984d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads