Analysis

  • max time kernel: 139s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 20-05-2022 18:00

General

  • Target

    5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe

  • Size

    2.0MB

  • MD5

    c8cba838e87f76326dff14153ffa7070

  • SHA1

    91cd18b7dad6f3e1cbc08fd0c6ac8e552f0b3590

  • SHA256

    5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde

  • SHA512

    2e83f2f8ed6f4688781f3636b41b95040f414d0dc141e66037b039b6d4895c0a56552ef1ad0503356f533753aef8840b312fe81415128853994c14532d401194

Malware Config

Signatures

  • ASPack v2.12-2.42 (2 IoCs)

    Detects executables packed with ASPack v2.12-2.42.

  • Executes dropped EXE (1 IoC)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Checks whether UAC is enabled (1 TTP, 1 IoC)
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry (2 TTPs, 1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 49 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe
    "C:\Users\Admin\AppData\Local\Temp\5357fbff137b5ad83b0ae7a2eb9f9762844987d888d29c3afec372568f525fde.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7d662544.bat" "
        3⤵
          PID:572
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} -Embedding
      1⤵
        PID:4564
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4444 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1248

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Bootkit (T1067): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 3
    • System Information Discovery (T1082): 5

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        fa526918a211e850a6078fb1d00b2045

        SHA1

        75bad6b9476e0655e6a2947a682e81df689682f3

        SHA256

        396b94c667643afa59d155ef4d812da6f4d67dd50cec97194e1ca3a1b3ece3fe

        SHA512

        27a3e00ba0e478d8a79cbbd134ef7beaff7fde2fc57aecfaf022806af41c2a85183fda3e1abc2dec38d27a7f22960db3549721b8d821ea659a5592b430de1ed6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
        Filesize

        1KB

        MD5

        74d7d8843e51e7b4951bd6471e8f34e5

        SHA1

        349f5f1421abc2ced8daa30b29dbc35432e6c95f

        SHA256

        a3b50edef3090d49dfe0e0b927c862c360c670cf26ddadb152c004c19d17cb19

        SHA512

        1bf70c84fa0fdbb42442a44beec539b73586b5183386e0c10fdb672b270cb58cf7db4b3107a9b727c3b66e68e0fc52fadeccef0295ea2d79f4cae6ca88ca5086

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        6eaeb152405600a7b19a7c749459ff58

        SHA1

        7b8ab541d4c98166ea394b59c758f22a5a1c5279

        SHA256

        f8cabadace76db0d854de596b6cc344c6247044a70d457fb79f3f2b355ddf29c

        SHA512

        895300ecfa111172b57bf260977d4801d7f4ca97e24eddde5fac90fc5962aa1db1e286009f43c842d69c67faaa7d2d18bbe7b1cdb72e1056e2a9b7c02ce0e657

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
        Filesize

        492B

        MD5

        647915081ec2762ce9a9a73fd2746837

        SHA1

        842109e95343abcebcf6ff1c2a2218daf3c51dc5

        SHA256

        38c51da636283c1cd30c63e7c27f989d16b963ce598f22d80144c5193d8fd63a

        SHA512

        02798b08b7584b482c111e0ca300b5f7bff4df8a2ea4a1c265a6860eef5805103f9ee5f7cd22d0ca7684a72d5f4df5b8dc28ce0825395ab40a3eb1ca39aa04ba

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jnqp20o\imagestore.dat
        Filesize

        1KB

        MD5

        8224c930c119e5c61591b20e3cbcf329

        SHA1

        e210b6b4b5038062b6da8b82136b6b4c31013df4

        SHA256

        09b2284fbe7f2821d2913741b3555f1218255c3df0808b06856c10a12c16530e

        SHA512

        925714330eb3e40f8a4e5955aec90bf5e57f5d393dc275d6c774f508926633f6d053da5730ad7818c9d2fe1f1f0bd98408c4a4481a4ee9acfcdf049f88fdfcd8

      • C:\Users\Admin\AppData\Local\Temp\7d662544.bat
        Filesize

        187B

        MD5

        9cf3e34179cee3ca65b24ae018aaf1e9

        SHA1

        9477624f3ce25273335592ff6648fa244fe8059a

        SHA256

        7ccab45835b391ced2fa347587c8b0bd634bdf8dd903ebebaa63d4d363e9512e

        SHA512

        33d4b4520dd5c180f0e86445e0108b932aac5558cf966f64b12cf8c8d09d53f4aa9bbb402c81ec63168b4a2aa0053f4482eb177c942719f715a11bff503ab110

      • C:\Users\Admin\AppData\Local\Temp\CoQAwD.exe
        Filesize

        15KB

        MD5

        56b2c3810dba2e939a8bb9fa36d3cf96

        SHA1

        99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

        SHA256

        4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

        SHA512

        27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

      • memory/572-133-0x0000000000000000-mapping.dmp
      • memory/4476-130-0x0000000000000000-mapping.dmp
      • memory/4476-134-0x00000000009F0000-0x00000000009F9000-memory.dmp
        Filesize

        36KB