bc45d1b39b5fe9d7797afe66163a70d94e3a8d97a5b247ea455b8da3bace51dd

Analysis

max time kernel
69s
max time network
199s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06de733516b833c1c230325027409ebf.exe
Size

125KB
MD5

06de733516b833c1c230325027409ebf
SHA1

f44f19115c0da5df33a0e790a2f7256def8331ea
SHA256

bc45d1b39b5fe9d7797afe66163a70d94e3a8d97a5b247ea455b8da3bace51dd
SHA512

67631e2041b298e9dcb0872a88ca210dd1ce7ef3f9bcf9823acd1dbc6e9eae542c8af621f120659acc2a9fdbdd1f627652834f4e67c2cfda4d368834e8ce0716
SSDEEP

3072:JfwNYprucJtwDkLqIIrI9gJWf9Dn0MMf0MCclsf2yn:1xu8w4LqIIrDQ1QMMf0fAsf2c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	06de733516b833c1c230325027409ebf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	svchoct.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	svchoct.exe

Loads dropped DLL 1 IoCs

pid	Process
1652	svchoct.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\inf\scsys16_081031.dll	06de733516b833c1c230325027409ebf.exe
File created	C:\Windows\SysWOW64\inf\svchoct.exe	06de733516b833c1c230325027409ebf.exe
File opened for modification	C:\Windows\SysWOW64\inf\svchoct.exe	06de733516b833c1c230325027409ebf.exe
File created	C:\Windows\SysWOW64\inf\sppdcrs081031.scr	06de733516b833c1c230325027409ebf.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\tawisys.ini	06de733516b833c1c230325027409ebf.exe
File created	C:\Windows\system\sgcxcxxaspf081031.exe	06de733516b833c1c230325027409ebf.exe
File created	C:\Windows\dcbdcatys32_081031a.dll	06de733516b833c1c230325027409ebf.exe
File created	C:\Windows\wftadfi16_081031a.dll	06de733516b833c1c230325027409ebf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1428	06de733516b833c1c230325027409ebf.exe
1428	06de733516b833c1c230325027409ebf.exe
1428	06de733516b833c1c230325027409ebf.exe
1428	06de733516b833c1c230325027409ebf.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1428	06de733516b833c1c230325027409ebf.exe
Token: SeDebugPrivilege	1428	06de733516b833c1c230325027409ebf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1652	1428	06de733516b833c1c230325027409ebf.exe	93
PID 1428 wrote to memory of 1652	1428	06de733516b833c1c230325027409ebf.exe	93
PID 1428 wrote to memory of 1652	1428	06de733516b833c1c230325027409ebf.exe	93
PID 1428 wrote to memory of 412	1428	06de733516b833c1c230325027409ebf.exe	95
PID 1428 wrote to memory of 412	1428	06de733516b833c1c230325027409ebf.exe	95
PID 1428 wrote to memory of 412	1428	06de733516b833c1c230325027409ebf.exe	95
PID 1652 wrote to memory of 4740	1652	svchoct.exe	98
PID 1652 wrote to memory of 4740	1652	svchoct.exe	98

C:\Users\Admin\AppData\Local\Temp\06de733516b833c1c230325027409ebf.exe
"C:\Users\Admin\AppData\Local\Temp\06de733516b833c1c230325027409ebf.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\SysWOW64\inf\svchoct.exe
  "C:\Windows\system32\inf\svchoct.exe" C:\Windows\wftadfi16_081031a.dll tan16d
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "c:\mylas3tecj.bat"
    3⤵
    PID:4740
  - - C:\Windows\system\sgcxcxxaspf081031.exe
      "C:\Windows\system\sgcxcxxaspf081031.exe" i
      4⤵
      PID:4372
    - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        5⤵
        
        PID:4236
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4236 CREDAT:17410 /prefetch:2
        6⤵
        
        PID:4304
- C:\Windows\SysWOW64\cmd.exe
  cmd /c del "C:\Users\Admin\AppData\Local\Temp\06de733516b833c1c230325027409ebf.exe"
  2⤵
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MCZQJD7V\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\SysWOW64\inf\svchoct.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
C:\Windows\System\sgcxcxxaspf081031.exe

Filesize
83KB

MD5
0265fe9083136f5a573c527ab2e47aad

SHA1
c69564df64f17c932da8cf61c6a615e46215056d

SHA256
b76e34e4972ceae958ab9f5e0c70394e3163fab40b958876efc6128c16e5672a

SHA512
9dc0f86ad8315c5ad3e29333de9969eb078e1e6f69f834b3cb8380502f5a655bafcd11a1341a14467626b59f2b5f425ef0462aa9de0224b6d2c31249b3704092

Download Submit
C:\Windows\dcbdcatys32_081031a.dll

Filesize
75KB

MD5
821cfc3b74d3c8cf4c0ea1e86a7e6738

SHA1
ccc8b22094f197735980f8ffba79f2e881a1d7e2

SHA256
643dcad6681156396e39f4e8cdc7aa04413aef57729fefe1d20e2cb9807dbeb1

SHA512
310e48a5abc54721d131e6dc5078f2b8018f8c33dd80dcb3e153eb8b6b45b13777eeb2559ef1e601dd22812f659ffdee324959b53bfe32c6c85f91e8c1ec0544

Download Submit
C:\Windows\system\sgcxcxxaspf081031.exe

Filesize
85KB

MD5
ecc56060045735bb5f3c8e87635416b6

SHA1
43c02e1c1d20018bd3a7aebb1842a52d37a0a60f

SHA256
dd4dc93da978420375d5379f5557c68de40295d47235c8a05ba474bc37476e15

SHA512
19f0ba59c5aa1cd3dfee93a26a786d5dbb5a48f3ffc2899fc933a16f0973bc357f6552d6b9534b873afa9360443a6ccffcf8969e37102e6e2184fe315a526715

Download Submit
C:\Windows\tawisys.ini

Filesize
493B

MD5
4bde68546f96f1c95aa4049be9e4ac15

SHA1
938960409b69960fd8fdf2b95e0a124d7c09152c

SHA256
1f2c267cd102427fc9d42fe52ab8f9a383453f150091598fa6cd2e3f2e6321cc

SHA512
fa5ea3dbe89dcf7832d6d89703579c06a461d38aed3d949949e163edb875ac7a16a9448804ec752b94fbe373338ff37f7eec227801dab3a4bf1a44eb3a8c625a

Download Submit
C:\Windows\tawisys.ini

Filesize
133B

MD5
a6db1e8dde64ea08c7d6f87dfae0659b

SHA1
2e9736671005b74378b55b5e2a7c113b157c7674

SHA256
6991cd984ea49a5ca921100f070f9d5f896b2eac09f1941c5dc71cd2eae865f9

SHA512
63f6926e0df074644c1afc891172d0efc31f21884f1b3e1d938fc0f2991213a97541c70442a88d21316219b691f9372cab71b4419e6343c57102bb37c424589a

Download Submit
C:\Windows\tawisys.ini

Filesize
384B

MD5
54ff5757f35eaad8e7825b2a505d52ed

SHA1
8cbc6af5e4624ce6a669356687fa893c6f37feab

SHA256
51f689afda97caa1d76a892b536df283e901bebf810388c8f894e92cb3fe26cb

SHA512
9c89f49c2cad54f51de66f53ec4aecbb8404fe57232ad9e5103bc77fb3bb4c1d6999eb11206feeae18202daec1c5de6481051418907e25da32ac339166ae10e7

Download Submit
C:\Windows\tawisys.ini

Filesize
433B

MD5
a9118da50564a5acf4a31b0027bfda52

SHA1
78b5a15130a64e4844ee59db019788b4879805c5

SHA256
68aa5c1cc071cf85ccd20ebdec52873ebcaa9fad12f17b6c5ba877a7c9375cb0

SHA512
90128ace921ff52ae0bcd475a0c061c2bed8e021382605407337494dc6521233c245fc57595edc8827ce720d36b64e2ea9457cce31a2f5ae14ea140233cf4b05

Download Submit
C:\Windows\wftadfi16_081031a.dll

Filesize
35KB

MD5
1f3c7bbc3ed1ab0a6a1227c474794795

SHA1
959c8dbae0f6d095c52db313621594007c240f6f

SHA256
bdd681626bb48dce9d47fdc11a55829ce9310c670645f38bdf5517151df0de86

SHA512
6358035aabf42c4fbc57bd6a5de7c8891a5c40f7b13c024fc3b4794aa25b850f06d5a772501e2cfe86a6b85bde722453a75ea2df738aa172929289fb79b6c525

Download Submit
\??\c:\mylas3tecj.bat

Filesize
53B

MD5
bca4ca71372f6348ddefbf634480e550

SHA1
308445a751b17ec507f4b6dca4d306174ee53aaf

SHA256
e4508b9e86b93904e90d62e3f1c83ab6b2e9694841ddc21b6e105f77efc7d313

SHA512
9227558b2332bc03ebc60fc942a83018bac83ded7e83765229641ce2ac800c7b6eeeba3490f8e88c44beeca141e93f3f1f48c18d3a92a88c0e947fbb91c3a779

Download Submit
memory/1652-66-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1652-58-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1652-111-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download