Overview

overview

8

Static

static

1

8422ac9d56...ef.exe

windows7_x64

8

8422ac9d56...ef.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    83s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8422ac9d56c8fc3c44779138cfc8232eccd095b0ad1ed7845b4086048567ecef.exe

  • Size

    6.9MB

  • MD5

    beb22f15ac607a40121ad82cf5316408

  • SHA1

    2a2150c16b50c51f4009ba71b64f03aadc6ac936

  • SHA256

    8422ac9d56c8fc3c44779138cfc8232eccd095b0ad1ed7845b4086048567ecef

  • SHA512

    96d4c5e1053d28e6656ca1431f09b9676b8fad1acd635fbacc14347a26df3ab4b408ab1ed1a503616cd8ce5e7b024de41c85bb0a9391eb5e1df99f4f22cf663b

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 12 IoCs
    installer
  • Modifies data under HKEY_USERS 64 IoCs
  • Runs ping.exe 1 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8422ac9d56c8fc3c44779138cfc8232eccd095b0ad1ed7845b4086048567ecef.exe
    "C:\Users\Admin\AppData\Local\Temp\8422ac9d56c8fc3c44779138cfc8232eccd095b0ad1ed7845b4086048567ecef.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\uvwxyzFiddlerSetup_5.0.20194.41348.exe
      "C:\Users\Admin\AppData\Local\Temp\uvwxyzFiddlerSetup_5.0.20194.41348.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Users\Admin\AppData\Local\Temp\nsdA20.tmp\FiddlerSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\nsdA20.tmp\FiddlerSetup.exe" /D=
        3⤵
        • Executes dropped EXE
        PID:1168
    • C:\Users\Admin\AppData\Local\Temp\tuvwxyz1.exe
      "C:\Users\Admin\AppData\Local\Temp\tuvwxyz1.exe"
      2⤵
      • Executes dropped EXE
      PID:1488
    • C:\Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe
      "C:\Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1036
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.1
          4⤵
          • Runs ping.exe
          PID:1892
  • C:\Users\Admin\AppData\Local\Temp\RJ-Fiddler.exe
    C:\Users\Admin\AppData\Local\Temp\RJ-Fiddler.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1484
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic BaseBoard get SerialNumber
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe
      "C:\Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1980
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 3 127.1
          4⤵
          • Runs ping.exe
          PID:1648
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\RJ-Fiddler.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1288
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 3 127.1
        3⤵
        • Runs ping.exe
        PID:1368

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsdA20.tmp\FiddlerSetup.exe
    Filesize

    3.1MB

    MD5

    155b1deb7ed05cfe46d415abc04daeb6

    SHA1

    c6218cfc31c96a01c016d69dcb310a05b58e7af7

    SHA256

    e80053a204a56c1cd3f7d91bd84a1b5aacf8681591dcaa621c77a07e71b4a34c

    SHA512

    9214a0e132e7dfba99df0297dbc274f43507cf7bf00a4033cf71253be91f3039f485c29da6c429fb338afa3eb76fdcb1939637ecccbe9ffab7a2d5799b8a398b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nsdA20.tmp\FiddlerSetup.exe
    Filesize

    3.1MB

    MD5

    155b1deb7ed05cfe46d415abc04daeb6

    SHA1

    c6218cfc31c96a01c016d69dcb310a05b58e7af7

    SHA256

    e80053a204a56c1cd3f7d91bd84a1b5aacf8681591dcaa621c77a07e71b4a34c

    SHA512

    9214a0e132e7dfba99df0297dbc274f43507cf7bf00a4033cf71253be91f3039f485c29da6c429fb338afa3eb76fdcb1939637ecccbe9ffab7a2d5799b8a398b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tuvwxyz1.exe
    Filesize

    88KB

    MD5

    07425b50abc3dd6e236984b2e725b8e0

    SHA1

    cd87a8c3fb38196fb55d6b6e6477dfc4f8915ba5

    SHA256

    7be986cd9f9ab980d596a68ead4dcc8f6d592c7d33f9d1caacb9e175e25702a1

    SHA512

    40e3d754748eee6a567e60ae86a0ea5da8d05fe06a16e2757d93556a09a58adbb9602aa9bbf751a9e4a1faf2b79ed4569f971691f55b94c03d8d19e7d13f05f7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uvwxyzFiddlerSetup_5.0.20194.41348.exe
    Filesize

    6.3MB

    MD5

    53782906aa3c7de6b164349a5cad123f

    SHA1

    8bb213d8d34a944b2103a5bba387da52c8c1d926

    SHA256

    2afe37ab5cdb7df4a80fcbe85b9298f509df064173e6a4ee7008e5d409bc6172

    SHA512

    3e736093ddca8fe283bc4dce95d6383e8f25248664f4815b2b3bf1916f6531bdb508303014e1ceea109a93ae08275d8c4c1ff5dbb4e9771d63cd3a1640eab741

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\uvwxyzFiddlerSetup_5.0.20194.41348.exe
    Filesize

    6.3MB

    MD5

    53782906aa3c7de6b164349a5cad123f

    SHA1

    8bb213d8d34a944b2103a5bba387da52c8c1d926

    SHA256

    2afe37ab5cdb7df4a80fcbe85b9298f509df064173e6a4ee7008e5d409bc6172

    SHA512

    3e736093ddca8fe283bc4dce95d6383e8f25248664f4815b2b3bf1916f6531bdb508303014e1ceea109a93ae08275d8c4c1ff5dbb4e9771d63cd3a1640eab741

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • \Users\Admin\AppData\Local\Temp\lmnopqrstuvwxyz_RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsdA20.tmp\FiddlerSetup.exe
    Filesize

    3.1MB

    MD5

    155b1deb7ed05cfe46d415abc04daeb6

    SHA1

    c6218cfc31c96a01c016d69dcb310a05b58e7af7

    SHA256

    e80053a204a56c1cd3f7d91bd84a1b5aacf8681591dcaa621c77a07e71b4a34c

    SHA512

    9214a0e132e7dfba99df0297dbc274f43507cf7bf00a4033cf71253be91f3039f485c29da6c429fb338afa3eb76fdcb1939637ecccbe9ffab7a2d5799b8a398b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tuvwxyz1.exe
    Filesize

    88KB

    MD5

    07425b50abc3dd6e236984b2e725b8e0

    SHA1

    cd87a8c3fb38196fb55d6b6e6477dfc4f8915ba5

    SHA256

    7be986cd9f9ab980d596a68ead4dcc8f6d592c7d33f9d1caacb9e175e25702a1

    SHA512

    40e3d754748eee6a567e60ae86a0ea5da8d05fe06a16e2757d93556a09a58adbb9602aa9bbf751a9e4a1faf2b79ed4569f971691f55b94c03d8d19e7d13f05f7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tuvwxyz1.exe
    Filesize

    88KB

    MD5

    07425b50abc3dd6e236984b2e725b8e0

    SHA1

    cd87a8c3fb38196fb55d6b6e6477dfc4f8915ba5

    SHA256

    7be986cd9f9ab980d596a68ead4dcc8f6d592c7d33f9d1caacb9e175e25702a1

    SHA512

    40e3d754748eee6a567e60ae86a0ea5da8d05fe06a16e2757d93556a09a58adbb9602aa9bbf751a9e4a1faf2b79ed4569f971691f55b94c03d8d19e7d13f05f7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\uvwxyzFiddlerSetup_5.0.20194.41348.exe
    Filesize

    6.3MB

    MD5

    53782906aa3c7de6b164349a5cad123f

    SHA1

    8bb213d8d34a944b2103a5bba387da52c8c1d926

    SHA256

    2afe37ab5cdb7df4a80fcbe85b9298f509df064173e6a4ee7008e5d409bc6172

    SHA512

    3e736093ddca8fe283bc4dce95d6383e8f25248664f4815b2b3bf1916f6531bdb508303014e1ceea109a93ae08275d8c4c1ff5dbb4e9771d63cd3a1640eab741

    Download Submit
  • \Users\Admin\AppData\Local\Temp\~RJ-Fiddler.exe
    Filesize

    306KB

    MD5

    6d0e581f0ea82c4b097563c9dcb4f133

    SHA1

    19bf6dab6a1c0e2122dd16fe6d72e12083cb0d2b

    SHA256

    3e6c4e569c9254a2d8e3d8ceccba13dc8b0e65b2172c2e9e1d3bf1a1b18e56f0

    SHA512

    90f53a0838ca3a1f32d79ecc765f7866b6683bc0407920f67596779b8f423098d0b03926e190ad42bd51c101f898ccd8dfcafafe71b723796363e105c54de610

    Download Submit
  • memory/1016-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1036-77-0x0000000000000000-mapping.dmp
    Download
  • memory/1120-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1168-71-0x0000000000000000-mapping.dmp
    Download
  • memory/1288-85-0x0000000000000000-mapping.dmp
    Download
  • memory/1368-86-0x0000000000000000-mapping.dmp
    Download
  • memory/1420-66-0x0000000000000000-mapping.dmp
    Download
  • memory/1488-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1600-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-88-0x0000000000000000-mapping.dmp
    Download
  • memory/1892-78-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-54-0x0000000076721000-0x0000000076723000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1980-87-0x0000000000000000-mapping.dmp
    Download