Overview

overview

10

Static

static

4619b93690...fe.exe

windows7_x64

10

4619b93690...fe.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe

  • Size

    1.6MB

  • MD5

    58cf8209f97252b8126cf3ba13f6cb92

  • SHA1

    954fddb2a43eef8f0a4f16d02e8599b2b2ea81fe

  • SHA256

    4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe

  • SHA512

    f6cb4a9aee03420c085b6e13fcdca5512512dc8cd7ceae4429e4a5140b6ba673b80f496b92c296a39879386e758a4ae27a0bf1a7462e2f3202f2cf64221d2e06

Score
10/10
bootkitevasionpersistencesuricatatrojanupx

Malware Config

Signatures

  • suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

    suricata: ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

    suricata
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Downloads MZ/PE file
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe
    "C:\Users\Admin\AppData\Local\Temp\4619b93690b485ea54369d0379e3a8ffc367cff19438a46be124e39c871a0cfe.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\kdb_semrjgj.dll
    Filesize

    36.6MB

    MD5

    cf20e3f69ae844fd027ce759f0aa560c

    SHA1

    2d5079bf74c4cdc226c605a9e82bd803ff577648

    SHA256

    f9cce6e4026f7be00fbf665bdc9e433baf0932ddf8bf660bcacbc61a4b44748a

    SHA512

    49dae81fe0b2a47c548674ec2dea8c4a9a956308daf6ee6a7448ec373ca07094e0d04cd9dc88c527778d91aa8b13ecd6045eddf60d79a8c061f9530ac1b70015

    Download Submit
  • memory/1808-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp
    Filesize

    8KB

    Download