Analysis
- max time kernel: 35s
- max time network: 46s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 03:56

Static task: static1

Behavioral task: behavioral1
- Sample: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
- Resource: win10v2004-20220414-en
General
- Target: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
- Size: 1.3MB
- MD5: 347a1b04c19f69c508b584586420a0bb
- SHA1: c4aa2e5fc8fe3ae1929acf1031a6de11dc5559ed
- SHA256: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258
- SHA512: b74e78ff57c6e09e94458697357f4efab19d63571ec8ea8d4639b3529fa4427007649a6295a3faae56bbf763a9eb0306e0cd67cb6eea04b67361598a62db7a20
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 956 downloader.exe
- Loads dropped DLL (3 IoCs)
  Processes: PID 764 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe; PID 956 downloader.exe (2 loads)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: downloader.exe, file opened for modification: \??\PhysicalDrive0
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes (source PID and process, target PID and process, number of writes recorded):
  PID 764 (36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe) wrote to memory of PID 956 (downloader.exe), 7 times
  PID 956 (downloader.exe) wrote to memory of PID 1752 (cmd.exe), 7 times
  PID 1752 (cmd.exe) wrote to memory of PID 1244 (systeminfo.exe), 7 times
  PID 1752 (cmd.exe) wrote to memory of PID 1736 (findstr.exe), 7 times
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
    Command line: .\downloader.exe %%S
    Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\systeminfo.exe
        Command line: systeminfo
        Signatures: Gathers system information
      - [4] C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zS22ED.tmp\downloader.exe
  Filesize: 3.1MB
  MD5: ad9566beec8757fe727f268e7bd2d43d
  SHA1: 9fc0c813965244403b93c657f43010ffc32b16bf
  SHA256: 984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd
  SHA512: 45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef
- memory/764-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
  Filesize: 8KB
- memory/956-56-0x0000000000000000-mapping.dmp
- memory/1244-64-0x0000000000000000-mapping.dmp
- memory/1736-65-0x0000000000000000-mapping.dmp
- memory/1752-62-0x0000000000000000-mapping.dmp