6e5c679014346a1a2cb5f10b0bbff4f2d0db4b667a83766cb096133ded30aa47

Analysis

max time kernel
70s
max time network
76s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

G64Installer.exe
Size

54.8MB
MD5

1cb8153f33041ab0b611fe9562832244
SHA1

385aadcc91428224b0978fea8cb782177515b9b8
SHA256

6e5c679014346a1a2cb5f10b0bbff4f2d0db4b667a83766cb096133ded30aa47
SHA512

412b2846cb1b6017cea273697c2820a0b6f0e509e74bcbe2e9c13dbaed6e2033c0936ed28706702d0aacf8592f3c4d84de5f3a76c6ef84b807d9ebdd5c5aa047
SSDEEP

393216:iiiX9+E6qcEtQbwtOr23GLp+F1P10VoyxpW/fIrFIqqwa2ncpLZfD5mY0UIPGQem:Ed0wkr91QkoynWXIJInwZofD53G

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

G64Installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	G64Installer.exe

Loads dropped DLL 2 IoCs

Processes:

G64Installer.exe

pid process

396 G64Installer.exe
396 G64Installer.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4400 396 WerFault.exe G64Installer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

G64Installer.exe

description pid process

Token: SeDebugPrivilege 396 G64Installer.exe

pid	process
396	G64Installer.exe
396	G64Installer.exe

pid	pid_target	process	target process
4400	396	WerFault.exe	G64Installer.exe

description	pid	process
Token: SeDebugPrivilege	396	G64Installer.exe

C:\Users\Admin\AppData\Local\Temp\G64Installer.exe
"C:\Users\Admin\AppData\Local\Temp\G64Installer.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:396

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 396 -s 2500
2⤵
- Program crash
PID:4400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 396 -ip 396
1⤵
PID:3852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.net\G64Installer\k7Nk50MksecLkKxyFmbR7iQyQH3J8RE=\libHarfBuzzSharp.dll
Filesize
893KB

MD5
36c3a408bb7653aa8068f1f8adee899a

SHA1
5cde588b7502328372195a12e6a6a241dd63a3a8

SHA256
77c88a847a8c704e91a1454d5d024d2d05de57bfd351851c2b27f572ba62ea75

SHA512
ce17ddb41c46ea4304a9f7df88c044bb68216c4821e50473998d31a93f62d5d229f08b1223d650cf78c6517b5df2f2fcf8f17ec64045c350b797c0580bff1857

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\G64Installer\k7Nk50MksecLkKxyFmbR7iQyQH3J8RE=\libSkiaSharp.dll
Filesize
9.0MB

MD5
a37383e17c6b43619b1833e5b926059f

SHA1
2aeb3d3ccd2b94c2287a47e883a0df14c2aff531

SHA256
f9bec5382fc6edf3096e10c894277deea78c81ec58916dade8a6730bd3450aa2

SHA512
83b3284fa5d6f3a3cd79c97e5437c2b8164fc57fd59bc68719da960583e361a8f271fa653a2332dce5ca848ac2e1029ef5d04ff32510489cc3cb5c83dc88c6e1

Download Submit
memory/396-135-0x0000000180000000-0x0000000180A20000-memory.dmp

Filesize
10.1MB

Download