Analysis
- Max time kernel: 44s
- Max time network: 49s
- Platform: windows7_x64
- Resource: win7-20220414-en
- Submitted: 20-05-2022 04:52
Static task
- static1
Behavioral tasks
- behavioral1: sample DSDOS.bat, resource win7-20220414-en
- behavioral2: sample DSDOS.bat, resource win10v2004-20220414-en
- behavioral3: sample DSDOS.exe, resource win7-20220414-en
- behavioral4: sample DSDOS.exe, resource win10v2004-20220414-en
- behavioral5: sample DSWIN.bat, resource win7-20220414-en
- behavioral6: sample DSWIN.bat, resource win10v2004-20220414-en
- behavioral7: sample DSWIN.exe, resource win7-20220414-en
- behavioral8: sample DSWIN.exe, resource win10v2004-20220414-en
- behavioral9: sample MANUAL.pdf, resource win7-20220414-en
- behavioral10: sample MANUAL.pdf, resource win10v2004-20220414-en
- behavioral11: sample SETUP.exe, resource win7-20220414-en
- behavioral12: sample SETUP.exe, resource win10v2004-20220414-en
General
- Target: DSWIN.bat
- Size: 23B
- MD5: a07cec4db198a3c6116451c44f0380a9
- SHA1: 513e3f7454296dc6a41864835582c21ff1d931aa
- SHA256: 98286d0be9363406f2d9cc903265b10601f1332fc800e7a5de578b39bee5d29d
- SHA512: e69eb4059212636755206b9e6de488bace276a2af51af147ff3b57bfbe129eac82c68da7a70a827cf256693d7f9c5892a4ad3850dbc09c0f0d11ebf70c82aec0
Malware Config
Signatures
- Enumerates connected drives (3 TTPs, 20 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: DSWIN.EXE
  File opened (read-only) by DSWIN.EXE: \??\E:, \??\G:, \??\H:, \??\I:, \??\K:, \??\T:, \??\X:, \??\J:, \??\M:, \??\R:, \??\U:, \??\V:, \??\N:, \??\O:, \??\P:, \??\S:, \??\W:, \??\F:, \??\L:, \??\Q:
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: DSWIN.EXE
  File opened for modification by DSWIN.EXE: \??\PHYSICALDRIVE0
- Suspicious behavior: CmdExeWriteProcessMemorySpam (1 IoCs)
  Processes: DSWIN.EXE (PID 2000)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: cmd.exe
  PID 1684 (cmd.exe) wrote to memory of PID 2000 (DSWIN.EXE), recorded 4 times
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\DSWIN.bat"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\DSWIN.EXE
    Command line: dswin.exe
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: CmdExeWriteProcessMemorySpam