Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 22:52
Static task
static1
Behavioral task
behavioral1
Sample
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
Resource
win10v2004-20220414-en
General
-
Target
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
-
Size
815KB
-
MD5
21ce894ccbef788a1b2af896e2aaf2a0
-
SHA1
7ca645c7855bff3e2f1575d50f89a516b870d6de
-
SHA256
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247
-
SHA512
6fa7a28936d70d2b94a89443988d8a81fe3c3cf6a91500ebf02c6c3962126e0c2e1a219c485c5dc90bc7d815f15533414d184056e675e348061e11cb82e22993
Score
6/10
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) ⋅ 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
TTPs:
Processes:
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exedescription ioc process File opened for modification \??\PhysicalDrive0 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe -
TTPs:
Processes:
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe = "11000" c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1" c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63" c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Set value (int) \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63" c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe Key created \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe -
Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs
Processes:
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exepid process 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe -
Suspicious use of FindShellTrayWindow ⋅ 1 IoCs
Processes:
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exepid process 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe -
Suspicious use of SetWindowsHookEx ⋅ 7 IoCs
Processes:
c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exepid process 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe 1788 c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exePID:1788"C:\Users\Admin\AppData\Local\Temp\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe"Writes to the Master Boot Record (MBR)Modifies Internet Explorer settingsSuspicious behavior: EnumeratesProcessesSuspicious use of FindShellTrayWindowSuspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Replay Monitor
00:00
00:00
Downloads
-
memory/1788-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp
Loading data