Analysis
- max time kernel: 97s
- max time network: 104s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:04
Static task: static1
Behavioral task: behavioral1
  Sample: c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  Resource: win10v2004-20220414-en
General
- Target: c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
- Size: 4.0MB
- MD5: 0b0925123ee395a6c62d9b9efb9fc9d6
- SHA1: a682b1710b6db2bda445f123d5a0825e50d7361d
- SHA256: c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6
- SHA512: 6c4221d56de814406d7b4c28d7d2b5314e1155d3fac7b328a6ddbadb1068b23b9fc81370547fa1bc3c172da79817d9c28e6c40967144530916515ade523e973b
Malware Config
Signatures
- VMProtect-packed memory regions detected (yara rule: vmprotect)
  resource | yara_rule
  behavioral1/memory/480-55-0x0000000000400000-0x0000000000D9E000-memory.dmp | vmprotect
  behavioral1/memory/480-57-0x0000000000400000-0x0000000000D9E000-memory.dmp | vmprotect
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
- Drops file in Windows directory (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\w90v9xal.sys | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
- Modifies Internet Explorer settings
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
  pid | process
  480 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
- Suspicious behavior: LoadsDriver (1 IoCs)
  Processes:
  pid | process
  460 |
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes:
  pid | process
  480 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  480 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  480 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  480 | c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c31103ee658b926ee2feb90cd148f183f2bdfa4b439236c0724abffb4d5fe8a6.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx