Overview

overview

8

Static

static

1876358d80...1f.exe

windows7_x64

8

1876358d80...1f.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    67s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 23:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe

  • Size

    4.9MB

  • MD5

    cc23b55bb153f037f69c4d37df0f0b92

  • SHA1

    60a5a0033f40380fab71d4af93601e431d157e01

  • SHA256

    1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f

  • SHA512

    d56fd352e417e00a71d19f9a46b43398cf7640b59970759baf502a81e714a06f3d826a67982cd38200466d84962e1819c3f54208603578764b80b1626128f5e8

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe
    "C:\Users\Admin\AppData\Local\Temp\1876358d802ba9302a612ea85f1761bd3e885b4528e26a1f735617520bbc1c1f.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
      "C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
    Filesize

    3.3MB

    MD5

    508a010138f2f34b7ce88e49ca63cfc3

    SHA1

    7a922683dc2fad141b19fe62ac0cae550bb411f6

    SHA256

    b8f2ab2d9a6e88c7cc77164107d8136a37dddcd017a25c30c3cc12eb3ac993c7

    SHA512

    9d75c0795a1c60cbd73f1a69265fea83ad098d3c46e11ea75d6d198c8b10b85bcb28ca64e90405fba3993388406fb576ce74a7e926d4608ad282f317af593dee

    Download Submit

  • C:\Users\Admin\FutureXGame\Grand Theft Auto V Trainer.exe
    Filesize

    3.3MB

    MD5

    508a010138f2f34b7ce88e49ca63cfc3

    SHA1

    7a922683dc2fad141b19fe62ac0cae550bb411f6

    SHA256

    b8f2ab2d9a6e88c7cc77164107d8136a37dddcd017a25c30c3cc12eb3ac993c7

    SHA512

    9d75c0795a1c60cbd73f1a69265fea83ad098d3c46e11ea75d6d198c8b10b85bcb28ca64e90405fba3993388406fb576ce74a7e926d4608ad282f317af593dee

    Download Submit

  • C:\Users\Admin\FutureXGame\settings.txt
    Filesize

    181B

    MD5

    f3fbb023d43cf38fc1e3721549869fc5

    SHA1

    35fdb32f765ef6ac1b635bec7b37670233932007

    SHA256

    3169eaf554fbf9b3095dbb87c36f7fec461d3c8cd686cd374c661adcd98f4b62

    SHA512

    1b880395c35a69f4edbe30c4c47123679497c31633d0d9f1d8cdb191e0d43b4cd456091af4cee6978dea75bb50a5aff4b11e6478c801004ea098ce9d63732ba0

    Download Submit

  • memory/1644-139-0x00007FFA16AD0000-0x00007FFA16CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/1644-134-0x0000000000000000-mapping.dmp

    Download

  • memory/1644-137-0x0000000000C60000-0x0000000001234000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/1644-138-0x0000000000C60000-0x0000000001234000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/1644-140-0x00007FF9F8710000-0x00007FF9F91D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1644-142-0x000000002F680000-0x000000002FE26000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/3460-133-0x00007FF9F8710000-0x00007FF9F91D1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3460-132-0x00007FFA16AD0000-0x00007FFA16CC5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3460-130-0x0000000000050000-0x0000000000740000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3460-131-0x0000000000050000-0x0000000000740000-memory.dmp

    Filesize

    6.9MB

    Download