Overview

overview

8

Static

static

1876358d80...1f.exe

windows7_x64

8

1876358d80...1f.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    152s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 23:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe

  • Size

    4.9MB

  • MD5

    cc23b55bb153f037f69c4d37df0f0b92

  • SHA1

    60a5a0033f40380fab71d4af93601e431d157e01

  • SHA256

    1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f

  • SHA512

    d56fd352e417e00a71d19f9a46b43398cf7640b59970759baf502a81e714a06f3d826a67982cd38200466d84962e1819c3f54208603578764b80b1626128f5e8

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe"
    1⤵
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
      "C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Deletes itself
      • Writes to the Master Boot Record (MBR)
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
    Filesize

    3.0MB

    MD5

    6e5c1e732060f141b44f4fce99974539

    SHA1

    d9d001255351d186aca29da791d677ec6c2894ad

    SHA256

    6a0056dfb5988b22545109ea429d643a0f4fe28f596e41399fe09c3de6e8207b

    SHA512

    356f02c2a17fd68fe5ddca3ca0bd9f0c00692cba3c1e2895544af0859831bd58cca276392a596ac72d8f18594a099c63aadbd44d72d098dd609b7b1ea8e0b5e4

    Download Submit

  • C:\Users\Admin\FutureXGame\settings.txt
    Filesize

    181B

    MD5

    06a3d0e8cf3679968f95be6a58c1e7dd

    SHA1

    7c8780a36a10261c2eb84bba11211004b32604ca

    SHA256

    53a4f054d1f8546e2e8864beb51c2b018919f96ce74b8908eb22ef7564d89c3e

    SHA512

    6522c350ce5cd96743aa58435731c3952cb54fb921aba629549916c05b52207f495cd8411dbab6da5cd04952ddb203f05de9e9a172754d2399163658bca35831

    Download Submit

  • \Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
    Filesize

    2.8MB

    MD5

    b4ec0929c11826e79ec801d853ec61ac

    SHA1

    05bada69769c5c938862dfc0f33d388a416eb1d6

    SHA256

    faf1b2b563a7b72deec5cfcf1bafc4a152c37229cb4b7b4b4ad4ecdcf6e064b1

    SHA512

    c9f81ed54e7322181404a6aa7db2f49f4bc197d10b30e686a565aff31cac45c39120b3fce3a18348f653e17fa99db11c63fa67d53c4768e9cb4f9856a9610ae9

    Download Submit

  • \Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
    Filesize

    2.8MB

    MD5

    8688c868a4b49f0ede1a792966fbb4d5

    SHA1

    f82ef680e234df83f0362281da3b9e42784cd111

    SHA256

    65a7292b939261aa6af37df8a96716a86789e340eb09a08c6685731970d621ef

    SHA512

    7ffe260e63cf12134b98803a3a92945a5d7452d29d5b4b0d1a808f8d6f60479d3c3c8a8da1cd92ff4824e45f0003d608c11e825f9913153ccc438c8c5c352e68

    Download Submit

  • memory/900-62-0x0000000076ED0000-0x0000000077079000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/900-60-0x0000000000000000-mapping.dmp

    Download

  • memory/900-63-0x0000000000EB0000-0x0000000001484000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/900-64-0x0000000000EB0000-0x0000000001484000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/900-65-0x0000000024F50000-0x0000000025256000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/900-67-0x00000000246C6000-0x00000000246E5000-memory.dmp

    Filesize

    124KB

    Download

  • memory/900-69-0x000000002C390000-0x000000002CB36000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/1556-58-0x0000000003AC6000-0x0000000003AE5000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1556-57-0x0000000024C50000-0x0000000024F9A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1556-54-0x0000000076ED0000-0x0000000077079000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1556-56-0x0000000000B20000-0x0000000001210000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1556-55-0x0000000000B20000-0x0000000001210000-memory.dmp

    Filesize

    6.9MB

    Download