Overview

overview

8

Static

static

5edbe1c8a1...8f.exe

windows7_x64

8

5edbe1c8a1...8f.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe

  • Size

    4.5MB

  • MD5

    5e5cb405fe00fce0170ff03b6c27de65

  • SHA1

    b71ba01901946acf3dd9c607b0ab744b9bb2d8b3

  • SHA256

    5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f

  • SHA512

    272f1457cf8f843ca00281347fd25a29840e7711773dbd60e1b923df3f2040f7720cd17dfe5c5fc8262fe8e0e03fc0334ac9b99abe6dac8d193d214fb221dea0

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe
    "C:\Users\Admin\AppData\Local\Temp\5edbe1c8a1323e88fdf95f31c9f72bb25d1ea67e71ac532540c79cf9f25d838f.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
      "C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4884

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
    Filesize

    3.0MB

    MD5

    a622b7290f48eacb5310f08af996c3c6

    SHA1

    7d0dfdda1b879c31a480cdc03c0158382938c372

    SHA256

    8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27

    SHA512

    201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800

    Download Submit
  • C:\Users\Admin\FutureXGame\Euro Truck Simulator 2 Trainer.exe
    Filesize

    3.0MB

    MD5

    a622b7290f48eacb5310f08af996c3c6

    SHA1

    7d0dfdda1b879c31a480cdc03c0158382938c372

    SHA256

    8cb54573fcd40beddfbb0da292626d9a52606ca6cb534a9af0ee03517ec0dd27

    SHA512

    201b08dcb957b6b495a60707067411a26aff7144d85981669e17e52a764e2bc00b25d0f0d230c989c96ec3b7ba7936e74d5def655872dd86f233d3e065459800

    Download Submit
  • C:\Users\Admin\FutureXGame\settings.txt
    Filesize

    181B

    MD5

    66f61eea90c02d341866435081d81fa9

    SHA1

    95f6ae37051fde1f98b7ae39fb6b298d63cb4d71

    SHA256

    4d66a95c7122f08d61713f4d68f5e75102a1d5b8215dc6cc30b66897208ded31

    SHA512

    5e44db87ef8170936c97bff9eed1dabfc8598ba1bace02e5299146956a8812af93c78bd8a768e15452bd6917b2ff2be37dbdf4389425994abae8e66ef5401a20

    Download Submit
  • memory/4740-133-0x00007FFBC3720000-0x00007FFBC41E1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4740-130-0x00007FFBE0EF0000-0x00007FFBE10E5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4740-132-0x0000000000380000-0x0000000000A02000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4740-131-0x0000000000380000-0x0000000000A02000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4884-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4884-137-0x0000000000090000-0x00000000005C8000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4884-138-0x0000000000090000-0x00000000005C8000-memory.dmp
    Filesize

    5.2MB

    Download
  • memory/4884-139-0x00007FFBE0EF0000-0x00007FFBE10E5000-memory.dmp
    Filesize

    2.0MB

    Download
  • memory/4884-140-0x00007FFBC3720000-0x00007FFBC41E1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4884-142-0x000000002F410000-0x000000002FBB6000-memory.dmp
    Filesize

    7.6MB

    Download