Analysis
Max time kernel: 95s
Max time network: 159s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 20-05-2022 03:56
Static task: static1
Behavioral task: behavioral1
  Sample: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
  Resource: win10v2004-20220414-en
General
Target: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
Size: 1.3MB
MD5: 347a1b04c19f69c508b584586420a0bb
SHA1: c4aa2e5fc8fe3ae1929acf1031a6de11dc5559ed
SHA256: 36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258
SHA512: b74e78ff57c6e09e94458697357f4efab19d63571ec8ea8d4639b3529fa4427007649a6295a3faae56bbf763a9eb0306e0cd67cb6eea04b67361598a62db7a20
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
Processes (pid, process):
  5024  downloader.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes (description, ioc, process):
  File opened for modification  \??\PhysicalDrive0  downloader.exe
Gathers system information (1 TTPs, 1 IoCs)
Runs systeminfo.exe.
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (description, pid, process, target process):
  PID 4776 wrote to memory of 5024  4776  36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe  downloader.exe
  PID 4776 wrote to memory of 5024  4776  36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe  downloader.exe
  PID 4776 wrote to memory of 5024  4776  36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe  downloader.exe
  PID 5024 wrote to memory of 3128  5024  downloader.exe  cmd.exe
  PID 5024 wrote to memory of 3128  5024  downloader.exe  cmd.exe
  PID 5024 wrote to memory of 3128  5024  downloader.exe  cmd.exe
  PID 3128 wrote to memory of 3840  3128  cmd.exe  systeminfo.exe
  PID 3128 wrote to memory of 3840  3128  cmd.exe  systeminfo.exe
  PID 3128 wrote to memory of 3840  3128  cmd.exe  systeminfo.exe
  PID 3128 wrote to memory of 2064  3128  cmd.exe  findstr.exe
  PID 3128 wrote to memory of 2064  3128  cmd.exe  findstr.exe
  PID 3128 wrote to memory of 2064  3128  cmd.exe  findstr.exe
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\36ad848b9f71a8051a1b56f25273c59fae487a4a2c3497268604e59653b45258.exe"
   - Suspicious use of WriteProcessMemory
  2. C:\Users\Admin\AppData\Local\Temp\7zSE227.tmp\downloader.exe
     Command line: .\downloader.exe %%S
     - Executes dropped EXE
     - Writes to the Master Boot Record (MBR)
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe
       Command line: /k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\systeminfo.exe
         Command line: systeminfo
         - Gathers system information
      4. C:\Windows\SysWOW64\findstr.exe
         Command line: findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\7zSE227.tmp\downloader.exe
  Filesize: 3.1MB
  MD5: ad9566beec8757fe727f268e7bd2d43d
  SHA1: 9fc0c813965244403b93c657f43010ffc32b16bf
  SHA256: 984024c2b82a9857f5450fc72615c7ba93b5a3f8fb7ce2de7e8c387ff78320dd
  SHA512: 45288faef559466f1def1b69a760664ab47acd45e2b347927a23842f69361a403799d344c3ca78c934792d11b580e527a6958546933713bf28bb77a5932481ef
Memory dumps:
  memory/2064-135-0x0000000000000000-mapping.dmp
  memory/3128-133-0x0000000000000000-mapping.dmp
  memory/3840-134-0x0000000000000000-mapping.dmp
  memory/5024-130-0x0000000000000000-mapping.dmp