6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a

Resubmissions

26-05-2023 11:32

230526-nng4yaff9x 7

10-05-2021 12:23

210510-bzkexqlwbj 8

10-05-2021 12:10

210510-6t4bx42gea 1

10-05-2021 07:49

210510-j4bf3f86pe 8

Analysis

max time kernel
1800s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2023 11:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe
Size

56KB
MD5

08a2b527c9754115cd96b522912470d7
SHA1

b800d4fe171c48726dee92b73e91040640d9bd7b
SHA256

6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a
SHA512

bc2ade2d8a3db0dd574c871e70f49a421517ef3857e8465e71bcc667fbd9e74b9e1c99480158f1648c79cd4f2e15eb7dcc7c8e5c84cafee46e14bab5b8485aa3
SSDEEP

768:crA7OfYq31eyfvpGK/nD7iuiR3W85tRfXP2LBNNd:oAi0NK/D7ih59PRPP

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe

Executes dropped EXE 1 IoCs

Processes:

Win01.exe

pid process

60 Win01.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

pid	process
60	Win01.exe

Drops file in System32 directory 2 IoCs

Processes:

6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Win01.exe	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe
File opened for modification	C:\Windows\SysWOW64\Win01.exe	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe

description	pid	process	target process
PID 4872 wrote to memory of 60	4872	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe	Win01.exe
PID 4872 wrote to memory of 60	4872	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe	Win01.exe
PID 4872 wrote to memory of 60	4872	6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe	Win01.exe

C:\Users\Admin\AppData\Local\Temp\6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe
"C:\Users\Admin\AppData\Local\Temp\6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4872

C:\Windows\SysWOW64\Win01.exe
"C:\Windows\system32\Win01.exe"
2⤵
- Executes dropped EXE
PID:60

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Network Service Scanning

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Win01.exe
Filesize
56KB

MD5
08a2b527c9754115cd96b522912470d7

SHA1
b800d4fe171c48726dee92b73e91040640d9bd7b

SHA256
6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a

SHA512
bc2ade2d8a3db0dd574c871e70f49a421517ef3857e8465e71bcc667fbd9e74b9e1c99480158f1648c79cd4f2e15eb7dcc7c8e5c84cafee46e14bab5b8485aa3

Download Submit
C:\Windows\SysWOW64\Win01.exe
Filesize
56KB

MD5
08a2b527c9754115cd96b522912470d7

SHA1
b800d4fe171c48726dee92b73e91040640d9bd7b

SHA256
6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a

SHA512
bc2ade2d8a3db0dd574c871e70f49a421517ef3857e8465e71bcc667fbd9e74b9e1c99480158f1648c79cd4f2e15eb7dcc7c8e5c84cafee46e14bab5b8485aa3

Download Submit
C:\Windows\SysWOW64\Win01.exe
Filesize
56KB

MD5
08a2b527c9754115cd96b522912470d7

SHA1
b800d4fe171c48726dee92b73e91040640d9bd7b

SHA256
6c9ed2415dc6402aeeae5abae80a20894840fc5598926721beaa13015859df1a

SHA512
bc2ade2d8a3db0dd574c871e70f49a421517ef3857e8465e71bcc667fbd9e74b9e1c99480158f1648c79cd4f2e15eb7dcc7c8e5c84cafee46e14bab5b8485aa3

Download Submit
memory/60-142-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4872-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4872-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download