018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9

Analysis

max time kernel
112s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-05-2022 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
Size

1.9MB
MD5

512721572ba9c81961af2f27c1fe5bf2
SHA1

28e68776af8501ff05d570bb0dfe22a02953eb96
SHA256

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9
SHA512

3f7fa629d7c467098a14b9932081a61dad68d63692b7b7a297ec88da29bff93ee96cc2d36f63e9204423b241c7edc62ec28d723e83f491446526b972e444f6ca

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 10 IoCs

Processes:

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

pid	process
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
1860	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

description ioc process

File opened for modification \??\PhysicalDrive0 018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

Modifies registry class 3 IoCs

Processes:

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 75d46c75d9448e4ea748c6bb7bf92b5b	018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

pid process

1860 018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

pid process

1860 018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe

C:\Users\Admin\AppData\Local\Temp\018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe
"C:\Users\Admin\AppData\Local\Temp\018a48a82f6db498a98111a5d4383d601beb34e25bc9fc1119f865a38de485c9.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMDownload.dll
Filesize
158KB

MD5
b62367fe2d02b8f47914b088a006d50c

SHA1
3743c953e48e6f3f76689423ba9c1ed25e9f86d3

SHA256
cbd4c5b6b945620e8b65752dff5a0f0900fc5de2dda8daf3cdda68b1661420b7

SHA512
c010e3cc736ac1e10c6af44132d831df34d09bf1e7d1e96fb5c9f571cade04462d442c4b0fd84de92dc68d753a0beab0b4081122d53d516406f0d3c1ec1e0dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMNetGetInfo.dll
Filesize
314KB

MD5
12f98be1d919784370eb0f87e78b60d8

SHA1
d07de2227b2ec68545be0adeb042af457d68f9e2

SHA256
63e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9

SHA512
ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMNetGetInfo.dll
Filesize
314KB

MD5
12f98be1d919784370eb0f87e78b60d8

SHA1
d07de2227b2ec68545be0adeb042af457d68f9e2

SHA256
63e34375374ae6cc695c0bc03f1f9aad67e068fc51962fd25edbf2fbeceda9f9

SHA512
ab2fcdd3eb7b58f044a855b5cae744bc1b3be599cf0d22ee93ccce2e97cb3bc1f36ea2c1ed75013c76f8c9e4071ba29710595c3a57cda2470885ee9293fc2d8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMSkin.dll
Filesize
563KB

MD5
8612ba3611017bbf3c7f42ea327dd995

SHA1
edbc1bb6e8d4d843db8e9bd503ecb3cc16694844

SHA256
20e6467af690686bed4fb1e38334a1277bc65ccab582619baf9082318d7df87d

SHA512
c203ffc08d252e40b05b7a14ab4cced6fd2b7b1b08fd114ed779707e4e9f21b700f5da07565a0bec07413b53cb84cc1254fb0e0cc82168116d50045770fad16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\BDMSkin.dll
Filesize
414KB

MD5
2de72f4e25b825145dcf0962c116280e

SHA1
87dc7abfb372a3d1f4be613b275f0b884d61d698

SHA256
c330f3871a6d3ca8733517a39d529fc56cf76766f4a0d1f709037f07c889d1c6

SHA512
8464456d05341e70f6414fba569fe3fb92764f01e9c87f3ac95d8c4186a8c91a9ba248fc259437d798ae478fe7dd16e0ba905a4dba87bc3f9e210d5d96ad1728

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\System.dll
Filesize
18KB

MD5
1c951bbcbc780046d6be1079a04870a4

SHA1
a5bae7d838973154e6fac69b1c5ff7d2cda01906

SHA256
d23676fbcf76355d1af68e7b32964b837243349920921b2ec74d97554809a65e

SHA512
62c3686baed2232f7d8ddc8f48a41761812b5b2a67f3a689b7a43275f077842366abc13c7e8259613bfd9df25cf467e4001337c1454aec910abce121d551e2d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\dl.dll
Filesize
319KB

MD5
82ff49c388d9fabf716b215f4ce78663

SHA1
dff2c5f4c28a27840d138c2530ab39ffc924a53e

SHA256
83b2a2bd37719a7b295fdd2ccbb3310603cc85f20b92d79f601cb2cf114eca6d

SHA512
2dd2d69303e483a94cb9c3bac342ea93fa08de9452f5f2c6f8e45da27ca245801a419ac11809de83147b6d914f08793777b437f14da18782d07c3991c63d947c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\dl.dll
Filesize
267KB

MD5
98c1fa12ddfee2c955bba01114535dda

SHA1
9f2074b82d8f03fb988dfdc23cbab8ca8c309ae1

SHA256
bd63190c13a62e558a87bcb4f4659254b00da59d131b0b01b185eab4fff3f399

SHA512
81f32856ed16d3d9d5bdd09c1be7e45a85f05d0ddf20e1664b957c48f25d9e7400d3aecd6e34463689bb7dc2ec165374d264201b07c7849fcd69b054f42018c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj6C5D.tmp\tmp_stdh2.dll
Filesize
683KB

MD5
7d85efa8cc156871bc6b4e73eaa7f971

SHA1
b926ba3d8db3bf53619e3d6ee840a920413786bd

SHA256
fffb264ccbff2dd29de22a447cdd1562feb2a61c7ffad206aee06802585ee710

SHA512
144fa1a568e09a2181836b5157045f966d18d584de637d65b15ef5e0ac92c440793e2f776bf2c03e5c600784949e5b519b86b5305087c992ea5c7909ca34a685

Download Submit
memory/1860-134-0x0000000003220000-0x0000000003377000-memory.dmp

Filesize
1.3MB

Download
memory/1860-147-0x0000000006450000-0x000000000663D000-memory.dmp

Filesize
1.9MB

Download
memory/1860-138-0x00000000059B0000-0x00000000059FF000-memory.dmp

Filesize
316KB

Download