Overview

overview

8

Static

static

5357fbff13...de.exe

windows7_x64

8

5357fbff13...de.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    138s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 18:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe

  • Size

    2.0MB

  • MD5

    c8cba838e87f76326dff14153ffa7070

  • SHA1

    91cd18b7dad6f3e1cbc08fd0c6ac8e552f0b3590

  • SHA256

    5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde

  • SHA512

    2e83f2f8ed6f4688781f3636b41b95040f414d0dc141e66037b039b6d4895c0a56552ef1ad0503356f533753aef8840b312fe81415128853994c14532d401194

Score
8/10
aspackv2bootkitevasionpersistencetrojan

Malware Config

Signatures

  • ASPack v2.12-2.42 4 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
    "C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:388
    • C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\69ed2ecb.bat" "
        3⤵
          PID:1532
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:320
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:320 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1908

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
      Filesize

      1KB

      MD5

      74d7d8843e51e7b4951bd6471e8f34e5

      SHA1

      349f5f1421abc2ced8daa30b29dbc35432e6c95f

      SHA256

      a3b50edef3090d49dfe0e0b927c862c360c670cf26ddadb152c004c19d17cb19

      SHA512

      1bf70c84fa0fdbb42442a44beec539b73586b5183386e0c10fdb672b270cb58cf7db4b3107a9b727c3b66e68e0fc52fadeccef0295ea2d79f4cae6ca88ca5086

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      087fc191b2248d1f3ea537c76e0a6e3a

      SHA1

      98c728ec05d12410ba91648aa0af3aa82eda2b08

      SHA256

      e1569a9836e64be72e8779b07666cca8445f488944bb055a3864e251433f147f

      SHA512

      3704d7cda4fc3156fa0f7c61ac557a22d37f92fb0bf0592d0dd594c66150d93bbffa68993e09d0cc8298962271dc7b43782e2662df12a96fd537060f96851b32

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
      Filesize

      492B

      MD5

      23ddf6d75278840afe90e582f8d15aac

      SHA1

      9361909c7148b377ea2e40633762d8e14dfc9816

      SHA256

      fe92f64764107c513d77c597ce9bcc0d4381e39913ce894ca9b45e0e1bab4f6d

      SHA512

      36c649229fc17c8b4af4c6833fed72a9462210b294087144464981f5d5fdb63ad3d6e37ff2774dddf2fc5ade1c7eb2d127cefda1a0514e29f39f851e6968ac3a

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
      Filesize

      5KB

      MD5

      e060e56adb718637aeae705375cd8efd

      SHA1

      dd062e2b046b9d8e01a64a605f600fa57f8e04f1

      SHA256

      db0a678c441e1424cb95a06b179d9771f7a2ba1f6f23c93260ef90684b36c20d

      SHA512

      6aadc7d97b5e7748e763b0958973ee7674727b5def023d727506306c39c00598bb7cbabeea9117127d46a1896f0d4a85b509ce1838346c2b071fe52a7fadc54e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\69ed2ecb.bat
      Filesize

      187B

      MD5

      296f0a38fd3d3262f0d1d18c51a2660d

      SHA1

      a0d0f8152377cd768a193fbe2884ad847288965d

      SHA256

      64a7ffb3e5e1467c8df3319f682f11cc19c1cea45be519444007846c0817ad14

      SHA512

      1f9783d82bd502252d8be28d7b83e33821a04db966fe33c9b9c8753020d5f88b47ed1981fc0d8b58e15addd8922e10a5b276fa3d969b23b54f148d047d56fe66

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IPOM61HD.txt
      Filesize

      606B

      MD5

      9ede860668f418c458198043a121e2f6

      SHA1

      599b91033df961e1682642729c48bfca7ca24942

      SHA256

      6dcc7f27661ac20c1fcd783fa7f18b063ef8cfc06f3d65f5c1d97b0fed54c4e1

      SHA512

      dc4a8b1fac5e6ae2348c4136bb7421f6e033b5f6f2b7d001d797412055cde1502b7fcdb5f911ceab71afffa337dfae51e664482dca8d30a5dbd4a57911401d1c

      Download Submit
    • \Users\Admin\AppData\Local\Temp\CoQAwD.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • \Users\Admin\AppData\Local\Temp\CoQAwD.exe
      Filesize

      15KB

      MD5

      56b2c3810dba2e939a8bb9fa36d3cf96

      SHA1

      99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

      SHA256

      4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

      SHA512

      27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      Download Submit
    • memory/388-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/388-74-0x0000000000080000-0x0000000000089000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1532-66-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-57-0x0000000000000000-mapping.dmp
      Download
    • memory/1916-67-0x0000000000FC0000-0x0000000000FC9000-memory.dmp
      Filesize

      36KB

      Download