4d69b81fc7c088aa0fbc249f7d85ac80a42c1f18b0d13371287a9daef21ec4e1

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6bf0755935ca6exeexeexeex.exe
Size

36KB
MD5

f6bf0755935ca693186e0b8b823d13c7
SHA1

b63d6b453d25e476279c51e11862eecb498b82d7
SHA256

4d69b81fc7c088aa0fbc249f7d85ac80a42c1f18b0d13371287a9daef21ec4e1
SHA512

597f8b24cbc3b2ee077f8e786e89e1420e4bbca63f6d2994299e6c677a1c20bda1aba0a9e39592241f805c3153b92ad8bfae7f62f24466abca27d6153c4f928c
SSDEEP

768:bIDOw9UiaCHfjnE0Sf88AvvP1oghYvm9/6DBJ:bIDOw9a0Dwo3P1ojvUSDBJ

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Control Panel\International\Geo\Nation	f6bf0755935ca6exeexeexeex.exe

Executes dropped EXE 1 IoCs

pid	Process
5064	lossy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 5064	2256	f6bf0755935ca6exeexeexeex.exe	84
PID 2256 wrote to memory of 5064	2256	f6bf0755935ca6exeexeexeex.exe	84
PID 2256 wrote to memory of 5064	2256	f6bf0755935ca6exeexeexeex.exe	84

C:\Users\Admin\AppData\Local\Temp\f6bf0755935ca6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f6bf0755935ca6exeexeexeex.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\lossy.exe
  "C:\Users\Admin\AppData\Local\Temp\lossy.exe"
  2⤵
  - Executes dropped EXE
  PID:5064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
36KB

MD5
2dbbe4bb37252e18b97793d6f2a40bc0

SHA1
3b571a49a410c8a91d25c40611e8022040bef3c1

SHA256
1729038415b06a5b343c71b9ac611526fca2519a4a8d8394567b099ec8178bd3

SHA512
9af94d86fbfb94df0e277aab8bd1594cc3632e6492ae93a4efcfc6b247038f884026b82d0690779fc992b00201f517a1fc0511024ded0399f6927d1ab79ec03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
36KB

MD5
2dbbe4bb37252e18b97793d6f2a40bc0

SHA1
3b571a49a410c8a91d25c40611e8022040bef3c1

SHA256
1729038415b06a5b343c71b9ac611526fca2519a4a8d8394567b099ec8178bd3

SHA512
9af94d86fbfb94df0e277aab8bd1594cc3632e6492ae93a4efcfc6b247038f884026b82d0690779fc992b00201f517a1fc0511024ded0399f6927d1ab79ec03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lossy.exe

Filesize
36KB

MD5
2dbbe4bb37252e18b97793d6f2a40bc0

SHA1
3b571a49a410c8a91d25c40611e8022040bef3c1

SHA256
1729038415b06a5b343c71b9ac611526fca2519a4a8d8394567b099ec8178bd3

SHA512
9af94d86fbfb94df0e277aab8bd1594cc3632e6492ae93a4efcfc6b247038f884026b82d0690779fc992b00201f517a1fc0511024ded0399f6927d1ab79ec03e

Download Submit
memory/2256-134-0x00000000006D0000-0x00000000006D6000-memory.dmp

Filesize
24KB

Download
memory/2256-135-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/5064-150-0x0000000001FD0000-0x0000000001FD6000-memory.dmp

Filesize
24KB

Download