Analysis

  • max time kernel: 43s
  • max time network: 47s
  • platform: windows7_x64
  • resource: win7-20220414-en
  • submitted: 23-05-2022 19:17

General

  • Target: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  • Size: 3.1MB
  • MD5: f52a6a1592de052e54a1675ee7b820e5
  • SHA1: 12552e8d5929a266064738c3465807a68752032f
  • SHA256: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad
  • SHA512: d899b888af992251beb42010e9745d407f62a5f18854c6b23caf8e77d54917487bf1d2a70249ead82331a6c515f50078c4fb6985eaac2f356b9f2021f288bda2

Score: 6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe"
    PID: 2040
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe" -downpower -msgwndname=wpssetup_message_6BE4A5
    PID: 1444
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit (T1067), 1 hit


Downloads

  • C:\Users\Admin\AppData\Local\tempinstall.ini (316B)
    MD5: 24eb6accceb9492c295d627fb62b3b3f
    SHA1: fe88497c2d5c363af163ff0095cf682038a9dbed
    SHA256: 3c5c80b9671aa76822792e6b9335542ce8ee46df706a550f9fe90de9296f5b1b
    SHA512: a9ba6451f396f6dd34bd366e2907956e239cbd13e299a8965ebc109f9f9ea09efdcf9fbc5dc0b7ecf37ec8c72f6d1d57b947dfc5b45638ac43950d53a4c91927

  • C:\Users\Admin\AppData\Local\tempinstall.ini (64B)
    MD5: 6b21ab79ddd291d80de611dcec8e8993
    SHA1: 90925214668989b3ae98c727aba50254e6a96c44
    SHA256: 8fba47780448bb4fbb8aadaae8c86b3021c040b753d881f95595493e814615b9
    SHA512: 5998e29cbfe19ff9e97cb6362c4f3e9b5eb05ceeaecdb3e256d0fa7ca12e5fd47c958f2c606b37eed79ace86712b48355ed946d475d421b06cefab00dc86fa45

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log (216B)
    MD5: 5dc2aea6e65db01bcc51ba6b3193edec
    SHA1: 9361b3ff90110f03b66fffc37dd5ca0313727a04
    SHA256: 1e45951f62bb71fdf11a79ada29bf63f9a7568b90b27d522293938412fa7b71b
    SHA512: 9dc2b704ca9c855d3f96e2042d140cb5deb273728a2709c66b5644e97b6c6a41f9e733f7e0735f6ed042e26195a00e1915ade6e41adc852582a233aec73a0812

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log (307B)
    MD5: 6500c87d32d8767e618431cb9db2f2d4
    SHA1: 42611227feced0284c23eb4f61fcfbe5b94809ce
    SHA256: f6748afbd27daa6a5012a57688aa09894a0ef6d2e62e48ddfe4300a050aca2a5
    SHA512: 0fbd812f4e54716f41b0b088f7e19354e8fae401bb0cdebcde18fef4805e2538517492a78e7a760abe5aa6a22c3e831bf78c0966b9759c6f7cf1b77e87359ddd

  • memory/2040-54-0x0000000075B71000-0x0000000075B73000-memory.dmp (8KB)