Analysis

  • max time kernel: 150s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231023-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 05/11/2023, 02:37

General

  • Target: 0b6d6c864ad381d1651da19a7ada03e2f44bf1260715364983c3aad403ec6e18.exe
  • Size: 1.2MB
  • MD5: a1ef9acfab2f8452de7d9505244d0151
  • SHA1: 96733b186ac3cf3b80f57a1c1332282f10783e01
  • SHA256: 0b6d6c864ad381d1651da19a7ada03e2f44bf1260715364983c3aad403ec6e18
  • SHA512: cb29adc0de5e9268cfce0f18361f4055cc88bb969c78a318b36eb93fb19a94253d36207e264fcf9500a1be06cbd45db9ccdded2237bb05e47a27ada61fd2f349
  • SSDEEP: 24576:GHXXX/XXXFqIIIcXXX5j2XXXcXXXfXXXxXXXLIII+Ph2kkkkK4kXkkkkkkkkhLXI:G9qIIIUjfIIIAbazR0vKLXZR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b6d6c864ad381d1651da19a7ada03e2f44bf1260715364983c3aad403ec6e18.exe (PID: 2032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0b6d6c864ad381d1651da19a7ada03e2f44bf1260715364983c3aad403ec6e18.exe"
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Windows\SysWOW64\cmd.exe (PID: 2608)
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0B6D6C~1.EXE > nul
  • C:\Windows\Debug\uauhost.exe (PID: 2280)
    Command line: C:\Windows\Debug\uauhost.exe
    • Executes dropped EXE
    • Checks processor information in registry

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\Debug\uauhost.exe
    Filesize: 1.2MB
    MD5: 50e2afdd015c31095e21d998c6bdc21f
    SHA1: cff78c19b8905101e38a0155435cd0a4f96f3943
    SHA256: baebe20f65837f9e2d2cf53aa67c02ad930214a557f7aacc80351f5dc3ec9f98
    SHA512: 9e4223cc353cd79a7105f20f7605067ab6a528609b97ed5d6c39cc3aa55adc4c54af76a28ba27bcd435821cf905948b3d81beb8060acf617a164219299325428

  • C:\Windows\debug\uauhost.exe
    Filesize: 1.2MB
    MD5: 50e2afdd015c31095e21d998c6bdc21f
    SHA1: cff78c19b8905101e38a0155435cd0a4f96f3943
    SHA256: baebe20f65837f9e2d2cf53aa67c02ad930214a557f7aacc80351f5dc3ec9f98
    SHA512: 9e4223cc353cd79a7105f20f7605067ab6a528609b97ed5d6c39cc3aa55adc4c54af76a28ba27bcd435821cf905948b3d81beb8060acf617a164219299325428