Analysis

  • max time kernel: 91s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 23-05-2022 19:17

General

  • Target: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe
  • Size: 3.1MB
  • MD5: f52a6a1592de052e54a1675ee7b820e5
  • SHA1: 12552e8d5929a266064738c3465807a68752032f
  • SHA256: 0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad
  • SHA512: d899b888af992251beb42010e9745d407f62a5f18854c6b23caf8e77d54917487bf1d2a70249ead82331a6c515f50078c4fb6985eaac2f356b9f2021f288bda2

Score: 6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe (PID 3232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe"
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
  • C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe (PID 4168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0186d0e7750fabbc65de6bd8785cb79d010d0f4ef5815536437a370edd5714ad.exe" -downpower -msgwndname=wpssetup_message_E56B7AC
    • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit (T1067), 1 signature

Downloads

  • C:\Users\Admin\AppData\Local\tempinstall.ini
    Filesize: 64B
    MD5: 6642f848f69fc2d3757806f14b21ff1f
    SHA1: b4b5b48a1170c39d58e06fd6ccd1d873000f5b4b
    SHA256: f5f267dcdc0ad721da2b3aa0dcb4fe9609e2f499c094414a7a36900f4aa864f0
    SHA512: a4be399ab662e8238f623f5304a6d75bdc960bf55ec500d572f23a802e8b2047229109350902bced77e7d2759e4b9002fb44648c0f9a5dfd42917b98636f206a

  • C:\Users\Admin\AppData\Local\tempinstall.ini
    Filesize: 316B
    MD5: 24eb6accceb9492c295d627fb62b3b3f
    SHA1: fe88497c2d5c363af163ff0095cf682038a9dbed
    SHA256: 3c5c80b9671aa76822792e6b9335542ce8ee46df706a550f9fe90de9296f5b1b
    SHA512: a9ba6451f396f6dd34bd366e2907956e239cbd13e299a8965ebc109f9f9ea09efdcf9fbc5dc0b7ecf37ec8c72f6d1d57b947dfc5b45638ac43950d53a4c91927

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
    Filesize: 216B
    MD5: a37fc3b2472e110e2b554486cad90f76
    SHA1: f921fce6a7ff481c6d1ed5ad6a762cf04956a5ea
    SHA256: ff6fed0fb24b20da324088b38fdc8034471d15e9eeb3f3417264f90778200d39
    SHA512: 75778133710c25573283fc7af42cbee5f462f9808c7071f8f9e3e1d0aa9fdd1473c011d2be1e189252bacb2004d7776f0aa5a563243e00731dc801fa505fbf6e

  • C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpssetup.log
    Filesize: 260B
    MD5: ed7ad7bde57f97d0df82a6be7d74f17c
    SHA1: 69fc57b79d2519c322ab3f03a57d43f220a6ad40
    SHA256: 55a4cd19255c999c97ef8317ee9b2a9aaff380bdc8a9210003cde136bcb96bfb
    SHA512: 2943cfdd91294006bb5aa6868aedfd621b9372d443a59afc8ff261902be35bcf722545d54eaee0e9241c202040db30f00a737b583c4cb2fc6d37644bb951fc63