Analysis

  • max time kernel
    152s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-11-2023 17:40

General

  • Target

    c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe

  • Size

    1.4MB

  • MD5

    df961c19d7e4d7e1358fd444d6a74747

  • SHA1

    af473f3a9ccfca6fc82962307a279af30012e019

  • SHA256

    c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf

  • SHA512

    44aed831f23aa9338142338b13a5df5dcade59ee7b24caaf966fd402b902900d199a9dbc1710b70b1538e64e4c0af36fc8df5d340bafa1e0630b19c399f8a242

  • SSDEEP

    12288:31seJzWz1l+LIi0TJEEoDttoNI999/sEDIo:3GDz1hnEEoDttoC

Score
7/10
upx

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • UPX packed file (3 IoCs)

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe
    "C:\Users\Admin\AppData\Local\Temp\c06bf8b777e415cc575ab00824829a163e030f35d0fd64b97fa7192622990adf.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4612
    • C:\Windows\SysWOW64\rrinstaller.exe
      "C:\Windows\SysWOW64\rrinstaller.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4236
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C06BF8~1.EXE > nul
      2⤵
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/4236-2-0x0000000001000000-0x0000000001067000-memory.dmp
    Filesize: 412KB

  • memory/4236-4-0x0000000001300000-0x000000000131B000-memory.dmp
    Filesize: 108KB

  • memory/4236-6-0x0000000001300000-0x000000000131B000-memory.dmp
    Filesize: 108KB

  • memory/4236-7-0x0000000001300000-0x000000000131B000-memory.dmp
    Filesize: 108KB

  • memory/4236-8-0x0000000010000000-0x0000000010057000-memory.dmp
    Filesize: 348KB

  • memory/4612-0-0x0000000000100000-0x0000000000197000-memory.dmp
    Filesize: 604KB

  • memory/4612-20-0x0000000000100000-0x0000000000197000-memory.dmp
    Filesize: 604KB

  • memory/4612-21-0x0000000000100000-0x0000000000197000-memory.dmp
    Filesize: 604KB