c6f9bf01583b17a4dbbee494ebdd901aa3b12723ebef43d5e39fbbb7936b2e23

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a03af0f09818c405bea61cc21b6581f.exe
Size

106KB
MD5

6a03af0f09818c405bea61cc21b6581f
SHA1

ef577f8861f1f126f5afd7a02ad1e033f93b6e66
SHA256

c6f9bf01583b17a4dbbee494ebdd901aa3b12723ebef43d5e39fbbb7936b2e23
SHA512

c7947facd23c6779a4f5fc824b64c8429a6a30756396d65c9d0246b4fc68ffdd86501f9d0f50d56f396b6c75ad3d07f92008b982560d0f3bd8a0373e1563cf0f
SSDEEP

3072:oGqIGRpTa9p1om9PW/pqqsFUCN3R9MI+I0ZfG:oGHGRpO9p1om9+xs3NBBSG

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6a03af0f09818c405bea61cc21b6581f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6a03af0f09818c405bea61cc21b6581f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	6a03af0f09818c405bea61cc21b6581f.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\T:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\U:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\I:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\K:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\L:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\M:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\O:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\R:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\W:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\E:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\G:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\J:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\N:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Q:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\A:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\B:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\H:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\S:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\V:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\X:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Y:	6a03af0f09818c405bea61cc21b6581f.exe
File opened (read-only)	\??\Z:	6a03af0f09818c405bea61cc21b6581f.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\danish beastiality gay licking femdom .avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\norwegian gay hardcore [bangbus] fishy (Anniston).avi.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\trambling full movie granny .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\german horse [milf] nipples .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\lingerie blowjob [bangbus] .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\brasilian sperm blowjob hidden ejaculation .mpeg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Common Files\microsoft shared\spanish handjob public titts fishy .mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\root\Templates\malaysia fucking licking 40+ .zip.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian fetish lesbian feet .rar.exe	6a03af0f09818c405bea61cc21b6581f.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\tyrkish cumshot full movie circumcision (Samantha,Ashley).mpg.exe	6a03af0f09818c405bea61cc21b6581f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\mssrv.exe	6a03af0f09818c405bea61cc21b6581f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
416	6a03af0f09818c405bea61cc21b6581f.exe
1636	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
2552	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe
2528	6a03af0f09818c405bea61cc21b6581f.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 416	1636	6a03af0f09818c405bea61cc21b6581f.exe	98
PID 1636 wrote to memory of 416	1636	6a03af0f09818c405bea61cc21b6581f.exe	98
PID 1636 wrote to memory of 416	1636	6a03af0f09818c405bea61cc21b6581f.exe	98
PID 1636 wrote to memory of 2528	1636	6a03af0f09818c405bea61cc21b6581f.exe	99
PID 1636 wrote to memory of 2528	1636	6a03af0f09818c405bea61cc21b6581f.exe	99
PID 1636 wrote to memory of 2528	1636	6a03af0f09818c405bea61cc21b6581f.exe	99
PID 416 wrote to memory of 2552	416	6a03af0f09818c405bea61cc21b6581f.exe	100
PID 416 wrote to memory of 2552	416	6a03af0f09818c405bea61cc21b6581f.exe	100
PID 416 wrote to memory of 2552	416	6a03af0f09818c405bea61cc21b6581f.exe	100

C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
"C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
  "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
    "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe
  "C:\Users\Admin\AppData\Local\Temp\6a03af0f09818c405bea61cc21b6581f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\indian fetish lesbian feet .rar.exe

Filesize
1.6MB

MD5
b03805d350489a68dec9dcbc6a45f4a5

SHA1
b6e9b4991610cfd5fdde926ce65048a301b3c759

SHA256
17267da8a7351d2ef3705cafabef74160ed9348c3f8c8f62fe0799d44a33e729

SHA512
186f6803059fd32df7e767861b71378393ea1d3c7493ff5dc42d456ba0dd5243f96bb075d78c4d3d83e244b7985c66878c7960fff78dfd79b757d7e3d722b8b2

Download Submit