Analysis
- max time kernel: 152s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231023-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-11-2023 17:40
Behavioral task behavioral1
- Sample: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
- Resource: win7-20231023-en

Behavioral task behavioral2
- Sample: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
- Resource: win10v2004-20231023-en
General
- Target: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
- Size: 1.4MB
- MD5: df961c19d7e4d7e1358fd444d6a74747
- SHA1: af473f3a9ccfca6fc82962307a279af30012e019
- SHA256: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf
- SHA512: 44aed831f23aa9338142338b13a5df5dcade59ee7b24caaf966fd402b902900d199a9dbc1710b70b1538e64e4c0af36fc8df5d340bafa1e0630b19c399f8a242
- SSDEEP: 12288:31seJzWz1l+LIi0TJEEoDttoNI999/sEDIo:3GDz1hnEEoDttoC
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation
  Process: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe

YARA matches (resource, yara_rule)
- behavioral2/memory/4612-0-0x0000000000100000-0x0000000000197000-memory.dmp: upx
- behavioral2/memory/4612-20-0x0000000000100000-0x0000000000197000-memory.dmp: upx
- behavioral2/memory/4612-21-0x0000000000100000-0x0000000000197000-memory.dmp: upx

Drops file in Windows directory (2 IoCs)
- description: File opened for modification
  ioc: C:\Windows\WindowsShell74758.log
  Process: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
- description: File opened for modification
  ioc: C:\Windows\WindowSystemNewUpdate48.log
  Process: rrinstaller.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- description: Token: SeDebugPrivilege
  pid: 4612
  Process: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
- description: Token: SeDebugPrivilege
  pid: 4236
  Process: rrinstaller.exe
- description: Token: SeIncBasePriorityPrivilege
  pid: 4612
  Process: c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe

Suspicious use of WriteProcessMemory (9 IoCs)
(description | pid | Process | procid_target)
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 4236 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 87
- PID 4612 wrote to memory of 1336 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 94
- PID 4612 wrote to memory of 1336 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 94
- PID 4612 wrote to memory of 1336 | 4612 | c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe | 94
Processes
- C:\Users\Admin\AppData\Local\Temp\c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe (PID 4612)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe"
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rrinstaller.exe (PID 4236)
    Command line: "C:\Windows\SysWOW64\rrinstaller.exe"
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmd.exe (PID 1336)
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C06BF8~1.EXE > nul