c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6

Analysis

max time kernel
97s
max time network
104s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
Size

4.0MB
MD5

0b0925123ee395a6c62d9b9efb9fc9d6
SHA1

a682b1710b6db2bda445f123d5a0825e50d7361d
SHA256

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6
SHA512

6c4221d56de814406d7b4c28d7d2b5314e1155d3fac7b328a6ddbadb1068b23b9fc81370547fa1bc3c172da79817d9c28e6c40967144530916515ade523e973b

Score

8^/10

bootkit persistence vmprotect

Malware Config

Signatures

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/480-55-0x0000000000400000-0x0000000000D9E000-memory.dmp	vmprotect
behavioral1/memory/480-57-0x0000000000400000-0x0000000000D9E000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

description ioc process

File opened for modification \??\PhysicalDrive0 c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
Drops file in Windows directory 1 IoCs

Processes:

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

description ioc process

File created C:\Windows\w90v9xal.sys c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

description	ioc	process
File created	C:\Windows\w90v9xal.sys	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

pid process

480 c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460

pid	process
460

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

pid	process
480	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
480	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
480	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
480	c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe

C:\Users\Admin\AppData\Local\Temp\c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
"C:\Users\Admin\AppData\Local\Temp\c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/480-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/480-55-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download
memory/480-57-0x0000000000400000-0x0000000000D9E000-memory.dmp

Filesize
9.6MB

Download