6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f

General

Target

6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
Size

1.1MB
MD5

47536e7af4e011a8a1abfcf35ccf9af5
SHA1

c34672a1e201033acac6094ba51351666854c0c8
SHA256

6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f
SHA512

4eb5ab74444145c64acec7d7398ad2fd97cbce109753614e58245746b36ae835a98321a8940cde861de161fdb9c73e688280156514fc1c9706f2dfce6788485a
SSDEEP

12288:NjnUlzpA5wzd0R7crTSQ+4NNricVcdwdajrk5dfQvZl4MDB7Y5u8oxHTOqkrx:NrUlz10R7cXIbjqfIvVxHTOqk

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iFont.lnk	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe

Executes dropped EXE 1 IoCs

pid	Process
4364	iFont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
772	PING.EXE
3516	PING.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
3100	iFont.exe
4364	iFont.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
Token: SeDebugPrivilege	3100	iFont.exe
Token: SeDebugPrivilege	4364	iFont.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 3100	4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe	100
PID 4948 wrote to memory of 3100	4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe	100
PID 4948 wrote to memory of 3100	4948	6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe	100
PID 3100 wrote to memory of 3056	3100	iFont.exe	101
PID 3100 wrote to memory of 3056	3100	iFont.exe	101
PID 3100 wrote to memory of 3056	3100	iFont.exe	101
PID 3056 wrote to memory of 772	3056	cmd.exe	103
PID 3056 wrote to memory of 772	3056	cmd.exe	103
PID 3056 wrote to memory of 772	3056	cmd.exe	103
PID 3056 wrote to memory of 3516	3056	cmd.exe	104
PID 3056 wrote to memory of 3516	3056	cmd.exe	104
PID 3056 wrote to memory of 3516	3056	cmd.exe	104
PID 3056 wrote to memory of 4364	3056	cmd.exe	105
PID 3056 wrote to memory of 4364	3056	cmd.exe	105
PID 3056 wrote to memory of 4364	3056	cmd.exe	105

C:\Users\Admin\AppData\Local\Temp\6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe
"C:\Users\Admin\AppData\Local\Temp\6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Users\Admin\AppData\Local\Temp\iFont.exe
  "C:\Users\Admin\AppData\Local\Temp\iFont.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c ping 127.0.0.1 -n 26 > nul && copy "C:\Users\Admin\AppData\Local\Temp\iFont.exe" "C:\Users\Admin\AppData\Local\iFont.exe" && ping 127.0.0.1 -n 26 > nul && "C:\Users\Admin\AppData\Local\iFont.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 26
      4⤵
      Runs ping.exe
      PID:772
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 26
      4⤵
      Runs ping.exe
      PID:3516
  - - C:\Users\Admin\AppData\Local\iFont.exe
      "C:\Users\Admin\AppData\Local\iFont.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\iFont.exe.log

Filesize
1KB

MD5
cc82803ce7afbf6041074676af07924f

SHA1
231a608fce48b82868d08a39dad5ac13c955bf3d

SHA256
5467350d290b94cacfabfc9cd79c2f26f64c94eb8d719113597098dc6016154d

SHA512
4f13d21b1dd8be23b51e5410a57db81f37d3326c944937b6546ca02de018b8b1b7921dd81cb4584fe42e734cf0ab073f8b9079b12c5a9e6193116c677ceb624f

Download Submit
C:\Users\Admin\AppData\Local\iFont.exe

Filesize
1.1MB

MD5
47536e7af4e011a8a1abfcf35ccf9af5

SHA1
c34672a1e201033acac6094ba51351666854c0c8

SHA256
6dd4003c624b28e3a59d3eb12c626ed53ad3c33dee309aba6d89e7d572f1f62f

SHA512
4eb5ab74444145c64acec7d7398ad2fd97cbce109753614e58245746b36ae835a98321a8940cde861de161fdb9c73e688280156514fc1c9706f2dfce6788485a

Download Submit
memory/3100-12-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-19-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-17-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-16-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/3100-13-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4364-26-0x0000000000650000-0x000000000076E000-memory.dmp

Filesize
1.1MB

Download
memory/4948-5-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/4948-9-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-11-0x0000000007DD0000-0x00000000082FC000-memory.dmp

Filesize
5.2MB

Download
memory/4948-8-0x0000000006680000-0x000000000668A000-memory.dmp

Filesize
40KB

Download
memory/4948-7-0x00000000065A0000-0x00000000065E4000-memory.dmp

Filesize
272KB

Download
memory/4948-15-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-6-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/4948-4-0x0000000005190000-0x000000000522C000-memory.dmp

Filesize
624KB

Download
memory/4948-3-0x00000000050D0000-0x0000000005162000-memory.dmp

Filesize
584KB

Download
memory/4948-2-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/4948-1-0x0000000000D10000-0x0000000000E2E000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing