Analysis

  • max time kernel
    164s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/11/2023, 11:37

General

  • Target

    6c9567cf5b559dd406f168c01be143265c0097cedeb3a7520991bc0c5aeb450a.exe

  • Size

    10.0MB

  • MD5

    249c7214165e4ff600c5edb5a71ddc0e

  • SHA1

    6d851fb0efe0774eb34261e4e68a8f070e2cb0fe

  • SHA256

    6c9567cf5b559dd406f168c01be143265c0097cedeb3a7520991bc0c5aeb450a

  • SHA512

    427b851b91e1645230946a33918f2f0c335677536eb1624148e27e8b0dd5c7ba29aa4a176d6dc69d6d0a0911e187b2fcc17ee25077cbd392596354bbaad704f8

  • SSDEEP

    196608:/edyFDvIoGFtsTB0C1ddt687PeofkkEhjL6Xi4E79UcGfbX9ivm:UuDxMsjb9WG1OL6XmipNT

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c9567cf5b559dd406f168c01be143265c0097cedeb3a7520991bc0c5aeb450a.exe
    "C:\Users\Admin\AppData\Local\Temp\6c9567cf5b559dd406f168c01be143265c0097cedeb3a7520991bc0c5aeb450a.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c C:\Windows\system32\expand.exe *.cab /f:* .\
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\system32\expand.exe
        C:\Windows\system32\expand.exe *.cab /f:* .\
        3⤵
          PID:3660
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2632
      • C:\Windows\system32\schtasks.exe
        schtasks /create /xml ASOS.xml /ru "system" /tn ASOS1
        3⤵
        • Creates scheduled task(s)
        PID:1688
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\system32\schtasks.exe
        schtasks /change /tn ASOS1 /ru "system" /tr "'C:\Users\Admin\AppData\Local\Temp\unpacksos\1\\Launcher.exe' SRManagerSOS.exe 1 "
        3⤵
        PID:3604
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /run /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\system32\schtasks.exe
        schtasks /run /tn ASOS1
        3⤵
        PID:1952
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c schtasks /delete /f /tn ASOS1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\schtasks.exe
        schtasks /delete /f /tn ASOS1
        3⤵
        PID:1652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\unpack1.log

    Filesize

    4KB

    MD5

    e7f5d860865487eb0d1f7f4db0ff93c3

    SHA1

    a3eb539127446d5fb857d909b49819056f1141c2

    SHA256

    46677b51b264785447d32c46559a010f39159f984168064948317a5d75972b68

    SHA512

    14e60d5597a741a5442c01a4197526d765c83ac442d3bc9af819aff2834b79c8208a1035154d5ecda811524c14fa64a95a3362ea434f545455ba5f55efcbad04

  • C:\Users\Admin\AppData\Local\Temp\unpack1.log

    Filesize

    978B

    MD5

    75920349903203a8689a63174d4f615d

    SHA1

    95a4748f981f8e395f86e1f212f5690919ba2257

    SHA256

    18fc67d764d1afbbbd2af913e98c87d8ee8bec79871ba6493adc618b656bb3fa

    SHA512

    a56de185122756413f0c560eabab825b6e65d206121db847d22c4b1608a8d8dff167e78bd205f2831fd0d139a687e673f3983a4f5efecfd75fb08c4ee3db8c30