Analysis

  • max time kernel
    151s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 03:05

General

  • Target
    5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
  • Size
    4.5MB
  • MD5
    5e5cb405fe00fce0170ff03b6c27de65
  • SHA1
    b71ba01901946acf3dd9c607b0ab744b9bb2d8b3
  • SHA256
    5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f
  • SHA512
    272f1457cf8f843ca00281347fd25a29840e7711773dbd60e1b923df3f2040f7720cd17dfe5c5fc8262fe8e0e03fc0334ac9b99abe6dac8d193d214fb221dea0

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
    "C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:884
    • C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
      "C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Deletes itself
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:544

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Bootkit (1) T1067
  • Defense Evasion
    Modify Registry (1) T1112
  • Discovery
    Query Registry (1) T1012
    System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
    Filesize

    3.0MB

    MD5

    a622b7290f48eacb5310f08af996c3c6

    SHA1

    7d0dfdda1b879c31a480cdc03c0158382938c372

    SHA256

    8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27

    SHA512

    201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800

  • C:\Users\Admin\FutureXGame\settings.txt
    Filesize

    180B

    MD5

    2d996111ced7bd92e7ae6766109f5b99

    SHA1

    3655d4037084c09009a764f5a645a53fa808513d

    SHA256

    d36fdac581ded058a6c5599bcdc2f590d1de364ea4d4d9948222eb77201c65c0

    SHA512

    f4eeb81c687863bc4e7c0b8b87c0de12455a55c51648a6e55df8aa25bb97a5b23358f73579e32837fc5f21395acef46a5c3b7d6522263bb3e7e25fc26e6c75c6

  • \Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
    Filesize

    3.0MB

    MD5

    a622b7290f48eacb5310f08af996c3c6

    SHA1

    7d0dfdda1b879c31a480cdc03c0158382938c372

    SHA256

    8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27

    SHA512

    201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800

  • memory/544-66-0x0000000003236000-0x0000000003255000-memory.dmp
    Filesize

    124KB

  • memory/544-60-0x0000000000000000-mapping.dmp
  • memory/544-62-0x0000000077C50000-0x0000000077DF9000-memory.dmp
    Filesize

    1.7MB

  • memory/544-63-0x00000000001B0000-0x00000000006E8000-memory.dmp
    Filesize

    5.2MB

  • memory/544-64-0x00000000001B0000-0x00000000006E8000-memory.dmp
    Filesize

    5.2MB

  • memory/544-65-0x0000000024BC0000-0x0000000024EC6000-memory.dmp
    Filesize

    3.0MB

  • memory/544-69-0x000000002BA60000-0x000000002C206000-memory.dmp
    Filesize

    7.6MB

  • memory/884-58-0x0000000004E06000-0x0000000004E25000-memory.dmp
    Filesize

    124KB

  • memory/884-57-0x0000000024500000-0x0000000024802000-memory.dmp
    Filesize

    3.0MB

  • memory/884-54-0x0000000000D00000-0x0000000001382000-memory.dmp
    Filesize

    6.5MB

  • memory/884-56-0x0000000077C50000-0x0000000077DF9000-memory.dmp
    Filesize

    1.7MB

  • memory/884-55-0x0000000000D00000-0x0000000001382000-memory.dmp
    Filesize

    6.5MB