Overview

overview

7

Static

static

3

6fbc979fac...fa.exe

windows7-x64

6

6fbc979fac...fa.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/01/2024, 15:05

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    6fbc979fac89d10a30d96847e6aeecfa.exe

  • Size

    43KB

  • MD5

    6fbc979fac89d10a30d96847e6aeecfa

  • SHA1

    ae6ffcdde795bdeb5cbc0e8d92e29c22ae5f313f

  • SHA256

    66917fde7d1b93fb1283838e63aa522a1028bb13107b54e65a705ea0fbfcbca4

  • SHA512

    67b7bd4b1aabb1c0d071c4d6e770cd447b7c0b3a7a9ea704f05f6b4d90d1a4fae5d5e051f18b3a57c4dee2a09417aa3ef83bf5e432464e2b6f353fb998b9dfd2

  • SSDEEP

    768:uZNu8/7gteP3yD6xn8ZGI6maG9LXAEFYAWBm2u/6oR0pKXCgKh/:l8OePC+x8ZGI6maG9LjvWs/MKyHN

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fbc979fac89d10a30d96847e6aeecfa.exe
    "C:\Users\Admin\AppData\Local\Temp\6fbc979fac89d10a30d96847e6aeecfa.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:1012
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delself.bat" "
      2⤵
        PID:1324

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\delself.bat
            Filesize

            202B

            MD5

            5720554e579c200731cf4758172d2efc

            SHA1

            65a0611fd71cf4bb3ba1a1a325de56ea3d2f5f28

            SHA256

            3acffe96e12ab72189ea88089b6b9a2723e7b4ee52dde8435e8ce0f8f1972373

            SHA512

            6a19bf539f571a99a90594ed2f99264d0fef4e0791db8c00552a5a56d442ab960198bafa1f7cc283ef4c1d31ff252b23e9d35efaf031321992670f600cb50c07

            Download Submit

          • memory/1012-0-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1012-1-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download

          • memory/1012-2-0x0000000002020000-0x000000000202A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1012-5-0x0000000000400000-0x0000000000416000-memory.dmp

            Filesize

            88KB

            Download