6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c

Analysis

max time kernel
144s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21/03/2023, 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe
Size

1.4MB
MD5

d9c95ed4b981469e6634f4952854b04a
SHA1

c627cf5ca0b350efa15118e09bc8e5eb77c491b7
SHA256

6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c
SHA512

de2ca7f00dce0c5478a5ac7e3f563d7456e253a1c972caa2a00e1a14b55c45164c3b3235fa085c2a3a607c604aad7e78282f60bc7821018bed859fd82a2ca0d6
SSDEEP

24576:gJr8tE+gHqgnD7qAxYhApgkvfTgMjNaq7/H1eV9u1OXBwjL0oywMEoNX:gJ4NqdYhUjtj0q7/H1eV9U9fywMFX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe

Loads dropped DLL 2 IoCs

pid	Process
1224	msiexec.exe
1224	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1224	2152	6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe	86
PID 2152 wrote to memory of 1224	2152	6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe	86
PID 2152 wrote to memory of 1224	2152	6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe	86

C:\Users\Admin\AppData\Local\Temp\6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe
"C:\Users\Admin\AppData\Local\Temp\6b74a08710bd5d1dc876201f9082454ea063ba850960c6428fbcd05a2ca0f95c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" -Y .\X1QQ.Ps
  2⤵
  - Loads dropped DLL
  PID:1224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\X1QQ.Ps

Filesize
1.2MB

MD5
0c4cd71af505a4586891b830fff416af

SHA1
0900a10a42422af91c1d5d8b79cffcf4f34ec219

SHA256
5cfc5a678a52a5d248ad674ee9bbd454e3e70061cc423e28c0d8cc19f89bc90b

SHA512
108651a1249b0ff257b7345c18de305825852270cc8b7d241ac1b1743234bd3da235270a98b136732679b3a9d44f949547955c52e8116fb648406f5037953db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\X1Qq.Ps

Filesize
1.2MB

MD5
0c4cd71af505a4586891b830fff416af

SHA1
0900a10a42422af91c1d5d8b79cffcf4f34ec219

SHA256
5cfc5a678a52a5d248ad674ee9bbd454e3e70061cc423e28c0d8cc19f89bc90b

SHA512
108651a1249b0ff257b7345c18de305825852270cc8b7d241ac1b1743234bd3da235270a98b136732679b3a9d44f949547955c52e8116fb648406f5037953db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\X1Qq.Ps

Filesize
1.2MB

MD5
0c4cd71af505a4586891b830fff416af

SHA1
0900a10a42422af91c1d5d8b79cffcf4f34ec219

SHA256
5cfc5a678a52a5d248ad674ee9bbd454e3e70061cc423e28c0d8cc19f89bc90b

SHA512
108651a1249b0ff257b7345c18de305825852270cc8b7d241ac1b1743234bd3da235270a98b136732679b3a9d44f949547955c52e8116fb648406f5037953db2

Download Submit
memory/1224-138-0x0000000002730000-0x0000000002860000-memory.dmp

Filesize
1.2MB

Download
memory/1224-139-0x0000000002730000-0x0000000002860000-memory.dmp

Filesize
1.2MB

Download
memory/1224-141-0x0000000000750000-0x0000000000756000-memory.dmp

Filesize
24KB

Download
memory/1224-142-0x0000000002610000-0x00000000026F6000-memory.dmp

Filesize
920KB

Download
memory/1224-143-0x0000000002AA0000-0x0000000002B70000-memory.dmp

Filesize
832KB

Download
memory/1224-146-0x0000000002AA0000-0x0000000002B70000-memory.dmp

Filesize
832KB

Download
memory/1224-147-0x0000000002AA0000-0x0000000002B70000-memory.dmp

Filesize
832KB

Download