6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 19:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
Size

12.6MB
MD5

311d9e31d3a7596ddf1f870dd531834d
SHA1

ba53764381cc32354b94aa4c6bbc0396a2bec11e
SHA256

6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644
SHA512

5eb269ee2a2fd19676e45989e299913ccfafc23895df943f4a6758fb026adf19a267bdda38ff442515e84398e35fdb6fdbb7f2ff301e4b33a5122318bb7bd1e6
SSDEEP

196608:EJYTgM7tWqt/06024m7zoxrCwrV0l51J2tyj02fii1J4zSlYYvHSPus/d:rTiV2p7zoxrTCJJx02fp4WuGsV

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\caksnfhbxp.sys	rar_gyrwbl.exe
File created	C:\Windows\system32\drivers\dwhfkaazkc.sys	rar_ueulsb.exe

Executes dropped EXE 4 IoCs

pid	Process
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
2032	rar_gyrwbl.exe
3340	rar_ueulsb.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\K:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\O:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\S:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\W:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\X:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\A:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\M:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\U:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\V:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\F:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\P:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\Q:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\B:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\G:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\I:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\J:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\L:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\N:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\Y:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\Z:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\H:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\R:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
File opened (read-only)	\??\T:	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3340	rar_ueulsb.exe
2032	rar_gyrwbl.exe
2032	rar_gyrwbl.exe
2032	rar_gyrwbl.exe
3340	rar_ueulsb.exe
2032	rar_gyrwbl.exe
2032	rar_gyrwbl.exe
3340	rar_ueulsb.exe
2032	rar_gyrwbl.exe
3340	rar_ueulsb.exe
2032	rar_gyrwbl.exe
2032	rar_gyrwbl.exe
3340	rar_ueulsb.exe
3340	rar_ueulsb.exe
3340	rar_ueulsb.exe
3340	rar_ueulsb.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 1524	2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	85
PID 2748 wrote to memory of 1524	2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	85
PID 2748 wrote to memory of 1524	2748	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	85
PID 1524 wrote to memory of 3736	1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	90
PID 1524 wrote to memory of 3736	1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	90
PID 1524 wrote to memory of 3736	1524	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	90
PID 3736 wrote to memory of 2032	3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	94
PID 3736 wrote to memory of 2032	3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	94
PID 3736 wrote to memory of 3340	3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	91
PID 3736 wrote to memory of 3340	3736	6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe	91

C:\Users\Admin\AppData\Local\Temp\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
"C:\Users\Admin\AppData\Local\Temp\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe"
1⤵
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2748
- F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
  F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1524
- - F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe
    "F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe" d
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Users\Admin\AppData\Local\Temp\rar_ueulsb.exe
      C:\Users\Admin\AppData\Local\Temp\rar_ueulsb.exe msg_ctayki.jpg
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\rar_gyrwbl.exe
      C:\Users\Admin\AppData\Local\Temp\rar_gyrwbl.exe msg_jasxlz.jpg
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1d8f320f64cb4ce5959bd27dbe4f0431.txt

Filesize
11B

MD5
7a8776b2b65ab103932bbc8ea59ca0fd

SHA1
2dd7423fa9793ec829ff6cb35f3101b051ba1047

SHA256
66259f51a7f0bec3119a6a183485ddbb6ce3d92de5904edf8463980769d355e2

SHA512
b5237f5d7f2bbe17bb841a503281c6019f6a393d333081330d7538168360e0d55b188ee63472706e302484f0f1df3e81660b14de1b98f6fb30704345b4083296

Download Submit
C:\Users\Admin\AppData\Local\Temp\93c6cde56957801783dee5d3630466c2.ini

Filesize
5KB

MD5
6ef81088e338683845d2ba716f87f282

SHA1
769ac4f0d57b79a909fc769b3abf45aa1374b37b

SHA256
893b2b12e9902c13020fdca100931b1cf24ff031b246a85d56e5f77c1028d652

SHA512
4b3d6cb5e80d4fa095aa95a188fb394da65e711e0c65629f51668247ac4ac53253641e904bed747ffb6b29f094cd84ef5b6741181cc6b7f170e030f4876f9862

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg_ctayki.jpg

Filesize
402KB

MD5
b526c779625f4e073f7cd695beab26a0

SHA1
2c9af45c9b154968c21d92aa461e7ee4b8c90af3

SHA256
62d33a207ee917a99a135049afe9b7252c42445b777fc5fcc2f3ce8858604b63

SHA512
99a2f2939d8dd0da85839a71eae33197566891358f466f1e2d2d2b1fcebe4f4f7957a441eda08cbf5bc03f115b0b0b6136cf6ad346cf5895d18abb510761e4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg_jasxlz.jpg

Filesize
402KB

MD5
b526c779625f4e073f7cd695beab26a0

SHA1
2c9af45c9b154968c21d92aa461e7ee4b8c90af3

SHA256
62d33a207ee917a99a135049afe9b7252c42445b777fc5fcc2f3ce8858604b63

SHA512
99a2f2939d8dd0da85839a71eae33197566891358f466f1e2d2d2b1fcebe4f4f7957a441eda08cbf5bc03f115b0b0b6136cf6ad346cf5895d18abb510761e4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar_gyrwbl.exe

Filesize
184KB

MD5
5088a9c819d48f39cba2f321da0daa2b

SHA1
a685b428fb97416985e728a32048476ce79b9f85

SHA256
0815a68dfeb1aaa1027f9201111907d2d87efe3826ba6318a7699c702e84fff9

SHA512
91979b941482c2bdd6414957807cb559a676fa433ed3b41668a08a4a68195069789c095b2fd29eeb800ef158481d9ec16165bfd4a73624904c0757672585996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar_gyrwbl.exe

Filesize
184KB

MD5
5088a9c819d48f39cba2f321da0daa2b

SHA1
a685b428fb97416985e728a32048476ce79b9f85

SHA256
0815a68dfeb1aaa1027f9201111907d2d87efe3826ba6318a7699c702e84fff9

SHA512
91979b941482c2bdd6414957807cb559a676fa433ed3b41668a08a4a68195069789c095b2fd29eeb800ef158481d9ec16165bfd4a73624904c0757672585996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar_ueulsb.exe

Filesize
184KB

MD5
5088a9c819d48f39cba2f321da0daa2b

SHA1
a685b428fb97416985e728a32048476ce79b9f85

SHA256
0815a68dfeb1aaa1027f9201111907d2d87efe3826ba6318a7699c702e84fff9

SHA512
91979b941482c2bdd6414957807cb559a676fa433ed3b41668a08a4a68195069789c095b2fd29eeb800ef158481d9ec16165bfd4a73624904c0757672585996e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rar_ueulsb.exe

Filesize
184KB

MD5
5088a9c819d48f39cba2f321da0daa2b

SHA1
a685b428fb97416985e728a32048476ce79b9f85

SHA256
0815a68dfeb1aaa1027f9201111907d2d87efe3826ba6318a7699c702e84fff9

SHA512
91979b941482c2bdd6414957807cb559a676fa433ed3b41668a08a4a68195069789c095b2fd29eeb800ef158481d9ec16165bfd4a73624904c0757672585996e

Download Submit
F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe

Filesize
12.6MB

MD5
311d9e31d3a7596ddf1f870dd531834d

SHA1
ba53764381cc32354b94aa4c6bbc0396a2bec11e

SHA256
6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644

SHA512
5eb269ee2a2fd19676e45989e299913ccfafc23895df943f4a6758fb026adf19a267bdda38ff442515e84398e35fdb6fdbb7f2ff301e4b33a5122318bb7bd1e6

Download Submit
F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe

Filesize
12.6MB

MD5
311d9e31d3a7596ddf1f870dd531834d

SHA1
ba53764381cc32354b94aa4c6bbc0396a2bec11e

SHA256
6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644

SHA512
5eb269ee2a2fd19676e45989e299913ccfafc23895df943f4a6758fb026adf19a267bdda38ff442515e84398e35fdb6fdbb7f2ff301e4b33a5122318bb7bd1e6

Download Submit
F:\ÁúÈË´«Ëµ\6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644.exe

Filesize
12.6MB

MD5
311d9e31d3a7596ddf1f870dd531834d

SHA1
ba53764381cc32354b94aa4c6bbc0396a2bec11e

SHA256
6b198ef17c5b52b52cb68f437c9e8238a0d225239279837176ef54b646ea7644

SHA512
5eb269ee2a2fd19676e45989e299913ccfafc23895df943f4a6758fb026adf19a267bdda38ff442515e84398e35fdb6fdbb7f2ff301e4b33a5122318bb7bd1e6

Download Submit
memory/1524-145-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/1524-302-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/1524-151-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/1524-303-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/1524-400-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/1524-149-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/1524-146-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2032-345-0x0000000180000000-0x000000018001B000-memory.dmp

Filesize
108KB

Download
memory/2748-152-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/2748-150-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2748-138-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/2748-137-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/2748-134-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2748-133-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/3736-311-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-312-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-315-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-317-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-320-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-323-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-324-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-328-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-330-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-333-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-334-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-337-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-313-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-307-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-309-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-308-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-306-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/3736-301-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/3736-298-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3736-361-0x00000000038A0000-0x000000000393D000-memory.dmp

Filesize
628KB

Download
memory/3736-363-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3736-364-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/3736-366-0x0000000000A00000-0x0000000000B00000-memory.dmp

Filesize
1024KB

Download
memory/3736-378-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download
memory/3736-297-0x0000000000400000-0x000000000096D000-memory.dmp

Filesize
5.4MB

Download