Analysis
- max time kernel: 43s
- max time network: 47s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 23-05-2022 19:17
Static task: static1
Behavioral task: behavioral1
  Sample: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  Resource: win10v2004-20220414-en
General
- Target: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
- Size: 3.1MB
- MD5: f52a6a1592de052e54a1675ee7b820e5
- SHA1: 12552e8d5929a266064738c3465807a68752032f
- SHA256: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad
- SHA512: d899b888af992251beb42010e9745d407f62a5f18854c6b23caf8e77d54917487bf1d2a70249ead82331a6c515f50078c4fb6985eaac2f356b9f2021f288bda2
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description: File opened for modification
    ioc: \??\PhysicalDrive0
    process: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid 2040  0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
    pid 1444  0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
    pid 2040  0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe" -downpower -msgwndname=wpssetup_message_6BE4A5
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\tempinstall.ini
  Filesize: 316B
  MD5: 24eb6accceb9492c295d627fb62b3b3f
  SHA1: fe88497c2d5c363af163ff0095cf682038a9dbed
  SHA256: 3c5c80b9671aa76822792e6b9335542ce8ee46df706a550f9fe90de9296f5b1b
  SHA512: a9ba6451f396f6dd34bd366e2907956e239cbd13e299a8965ebc109f9f9ea09efdcf9fbc5dc0b7ecf37ec8c72f6d1d57b947dfc5b45638ac43950d53a4c91927
- C:\Users\Admin\AppData\Local\tempinstall.ini
  Filesize: 64B
  MD5: 6b21ab79ddd291d80de611dcec8e8993
  SHA1: 90925214668989b3ae98c727aba50254e6a96c44
  SHA256: 8fba47780448bb4fbb8aadaae8c86b3021c040b753d881f95595493e814615b9
  SHA512: 5998e29cbfe19ff9e97cb6362c4f3e9b5eb05ceeaecdb3e256d0fa7ca12e5fd47c958f2c606b37eed79ace86712b48355ed946d475d421b06cefab00dc86fa45
- C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
  Filesize: 216B
  MD5: 5dc2aea6e65db01bcc51ba6b3193edec
  SHA1: 9361b3ff90110f03b66fffc37dd5ca0313727a04
  SHA256: 1e45951f62bb71fdf11a79ada29bf63f9a7568b90b27d522293938412fa7b71b
  SHA512: 9dc2b704ca9c855d3f96e2042d140cb5deb273728a2709c66b5644e97b6c6a41f9e733f7e0735f6ed042e26195a00e1915ade6e41adc852582a233aec73a0812
- C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
  Filesize: 307B
  MD5: 6500c87d32d8767e618431cb9db2f2d4
  SHA1: 42611227feced0284c23eb4f61fcfbe5b94809ce
  SHA256: f6748afbd27daa6a5012a57688aa09894a0ef6d2e62e48ddfe4300a050aca2a5
  SHA512: 0fbd812f4e54716f41b0b088f7e19354e8fae401bb0cdebcde18fef4805e2538517492a78e7a760abe5aa6a22c3e831bf78c0966b9759c6f7cf1b77e87359ddd
- memory/2040-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
  Filesize: 8KB