6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc

Analysis

max time kernel
153s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
Size

4.8MB
MD5

94fba165e0ef10a01074a4da417f30da
SHA1

3d6bfb2cb44346c4b4814b87d51547505ddeb9d4
SHA256

6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc
SHA512

235a45b0176614c832d3cf33a5b1236432cce03caf12e7bbcd743036460c0cd09604267e0e0b8ab7a3e35bcc214dac0c3082213ed6912747ab6b93e12321dcca
SSDEEP

98304:DtWHJOc0fbD5nSSyqIW++Cbc0vpcyBd6Mb6w/5b5l4bXJFb9:DS6X4SyqIz+CEyBd6Mbf/5mXJR9

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 4352	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	86
PID 4244 wrote to memory of 4352	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	86
PID 4352 wrote to memory of 4440	4352	cmd.exe	88
PID 4352 wrote to memory of 4440	4352	cmd.exe	88
PID 4244 wrote to memory of 4932	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	89
PID 4244 wrote to memory of 4932	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	89
PID 4932 wrote to memory of 4508	4932	cmd.exe	91
PID 4932 wrote to memory of 4508	4932	cmd.exe	91
PID 4244 wrote to memory of 1512	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	93
PID 4244 wrote to memory of 1512	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	93
PID 1512 wrote to memory of 4604	1512	cmd.exe	95
PID 1512 wrote to memory of 4604	1512	cmd.exe	95
PID 4244 wrote to memory of 4140	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	96
PID 4244 wrote to memory of 4140	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	96
PID 4140 wrote to memory of 2388	4140	cmd.exe	98
PID 4140 wrote to memory of 2388	4140	cmd.exe	98
PID 4244 wrote to memory of 2688	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	99
PID 4244 wrote to memory of 2688	4244	6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe	99
PID 2688 wrote to memory of 3080	2688	cmd.exe	101
PID 2688 wrote to memory of 3080	2688	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe
"C:\Users\Admin\AppData\Local\Temp\6ecf0b4d93185d93dae2d5429184d436e976b79f5dfab376c343e795bc8f99cc.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c expand *.cab /f:* .\
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\system32\expand.exe
    expand *.cab /f:* .\
    3⤵
    PID:4440
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\schtasks.exe
    schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
    3⤵
    - Creates scheduled task(s)
    PID:4508
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
    3⤵
    PID:4604
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\system32\schtasks.exe
    schtasks /run /tn ASOS1
    3⤵
    PID:2388
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\system32\schtasks.exe
    schtasks /delete /f /tn ASOS1
    3⤵
    PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\unpack1.log

Filesize
4KB

MD5
a16b674c6327a76a1d70147edf6676b2

SHA1
6f996d88332c5a85291a42cc0cdeebc5170c197b

SHA256
cdd709ad2016839623c7d58a7aa83e6ac948b842bc070a8096a7403d480b38c4

SHA512
65b31fe73862e4f15ea295334d98ed93a034c3d5f7cc681b9c41aa47fab5445a7e98baf9d32ed80a0290be805fd4b89876da86b15c6a6d4bf8fc4acac54f7005

Download Submit