Overview

overview

10

Static

static

8c92dfd98d...in.exe

windows7_x64

8

8c92dfd98d...in.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    02-11-2021 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe

  • Size

    6.0MB

  • MD5

    36439a5f029df1777b51a34bd454b9d2

  • SHA1

    66ab3a5c3f35fad196b07bc91930bcc171b0132f

  • SHA256

    8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008

  • SHA512

    e412f202184412e39e8fed102b042c68e7b65eeb6545096481db3e62e5dfdf641031736f616e1cf7e61e59705473af37a1e7c0c13762cbdc5a6aa5acaace8da9

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Users\Admin\AppData\Local\Temp\is-F8OJC.tmp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-F8OJC.tmp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.tmp" /SL5="$40102,5451459,831488,C:\Users\Admin\AppData\Local\Temp\8c92dfd98d0da124299b28d92ad7b50d6b622e6078992df74a5e7b41261ad008.bin.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:620
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C mountvol P: /D
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Windows\SysWOW64\mountvol.exe
          mountvol P: /D
          4⤵
          • Enumerates connected drives
          PID:1656
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C bcdedit /set {bootmgr} path \EFI\Boot\bareflank.efi
        3⤵
          PID:1832
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C setx /m PATH "%PATH%C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\setx.exe
            setx /m PATH "C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp"
            4⤵
              PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\devcon.exe" remove "ROOT\bareflank""
            3⤵
              PID:1048
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\bareflank.inf" "ROOT\bareflank""
              3⤵
                PID:2044
              • C:\Windows\SysWOW64\cmd.exe
                "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\devcon.exe" remove "ROOT\bfbuilder""
                3⤵
                  PID:1408
                • C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\devcon.exe" install "C:\Users\Admin\AppData\Local\Temp\is-ID8PO.tmp\bfbuilder.inf" "ROOT\bfbuilder""
                  3⤵
                    PID:644
                  • C:\Users\Admin\AppData\Roaming\wsqmcons.exe
                    "C:\Users\Admin\AppData\Roaming\wsqmcons.exe"
                    3⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:988

              Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/620-63-0x0000000000240000-0x0000000000241000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1232-58-0x0000000000400000-0x00000000004D8000-memory.dmp

                Filesize

                864KB

                Download

              • memory/1232-55-0x0000000075821000-0x0000000075823000-memory.dmp

                Filesize

                8KB

                Download