Overview

overview

8

Static

static

8cada52737...a9.exe

windows7_x64

8cada52737...a9.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    63s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 22:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9.exe

  • Size

    10KB

  • MD5

    6a374f5c80594bd2696965881866c49c

  • SHA1

    ddde5d34985844974cc408f637c4ac53258148e3

  • SHA256

    8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9

  • SHA512

    23e71a102a2e064d3be78a3ed56bc853e4345f004dcf88b055bc97e80fddf9fd8a1f348a5c024272dfaee157cf24fb888214a34763fb03cda33829d6cfdc75f2

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Modifies data under HKEY_USERS 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9.exe
    "C:\Users\Admin\AppData\Local\Temp\8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Users\Admin\AppData\Local\Temp\sys3.exe
      C:\Users\Admin\AppData\Local\Temp\\sys3.exe
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of AdjustPrivilegeToken
      PID:424
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a01055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4396

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sys3.exe
    Filesize

    10KB

    MD5

    6a374f5c80594bd2696965881866c49c

    SHA1

    ddde5d34985844974cc408f637c4ac53258148e3

    SHA256

    8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9

    SHA512

    23e71a102a2e064d3be78a3ed56bc853e4345f004dcf88b055bc97e80fddf9fd8a1f348a5c024272dfaee157cf24fb888214a34763fb03cda33829d6cfdc75f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\sys3.exe
    Filesize

    10KB

    MD5

    6a374f5c80594bd2696965881866c49c

    SHA1

    ddde5d34985844974cc408f637c4ac53258148e3

    SHA256

    8cada527372c8a1699f35cfd9c4efc8893d0be5f2e26e7519dce17c98b5e37a9

    SHA512

    23e71a102a2e064d3be78a3ed56bc853e4345f004dcf88b055bc97e80fddf9fd8a1f348a5c024272dfaee157cf24fb888214a34763fb03cda33829d6cfdc75f2

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\systm.txt
    Filesize

    102B

    MD5

    04b7e6dc204f3622539ca8b791c8f934

    SHA1

    0052b5ed3b7ec45c745e467a977649f819741b40

    SHA256

    085df340b6aad77fc93204cf53e2c4e22cdad35df84f6d8d4ebf07e964741d64

    SHA512

    67c5e7029cead1044b3f9ca1cd0fd58bed46e4cfe4c459cdeb6a944ca14f84f7e05620a19df65b1e9cd70722f6b6c50374ff5c9eb6176421e6b87945dcd70dff

    Download Submit
  • memory/424-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2316-133-0x000000002AA00000-0x000000002AA05000-memory.dmp
    Filesize

    20KB

    Download