Analysis
max time kernel: 29s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 24-05-2022 14:00
Static task: static1
Behavioral task: behavioral1
  Sample: 962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  Resource: win10v2004-20220414-en
General
Target: 962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
Size: 7.4MB
MD5: 7a0f69ced2a8a66b3132d6c38613a8e3
SHA1: 34c9a1895103b2825211d5819abdf168a72a7b68
SHA256: 962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05
SHA512: e111145f4c9b7144936d0a43e1e485d2132eaee19b3975a2a00e5c1eb930cdb01385d8d8073bf172ce60dc5cbcf5f11766b6bb62957c337bf3ba2598249e11a9
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
  pid   process
  1812  ComInfo.dll
  4616  ShowDrive.dl_
  2680  ShowEFI.dl_
  4340  Getptw.dll
Enumerates connected drives (3 TTPs, 25 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\y:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\e:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\f:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\n:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\t:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\v:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\w:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\j:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\k:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\o:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\p:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\q:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\r:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\g:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\l:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\x:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\D:  ShowDrive.dl_
  File opened (read-only)  \??\u:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\z:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\a:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\b:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\h:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\i:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\m:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  File opened (read-only)  \??\s:  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                         process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum    962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                    ioc                  process
  File opened for modification   \??\PhysicalDrive0   ComInfo.dll
  File opened for modification   \??\PhysicalDrive0   ShowEFI.dl_
  File opened for modification   \??\PhysicalDrive0   Getptw.dll
NTFS ADS (1 IoCs)
Processes:
  description                    ioc                                                                                                   process
  File opened for modification   C:\Users\Admin\AppData\Local\Temp\winmgmts:{impersonationLevel=impersonate}!\root\cimv2   ComInfo.dll
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (distinct pid/process pairs; the report lists each row once per hit):
  pid   process                                                                  hits
  4340  Getptw.dll                                                               4
  1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    60 (the remaining IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid   process
  1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
Suspicious use of FindShellTrayWindow (10 IoCs)
Processes (distinct pid/process pairs; the report lists each row once per hit):
  pid   process                                                                  hits
  1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    7
  1812  ComInfo.dll                                                              3
Suspicious use of SendNotifyMessage (10 IoCs)
Processes (distinct pid/process pairs; the report lists each row once per hit):
  pid   process                                                                  hits
  1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    7
  1812  ComInfo.dll                                                              3
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (distinct rows; the report lists each row once per hit):
  description                        pid   process                                                                  target process   hits
  PID 1580 wrote to memory of 1812   1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    ComInfo.dll      3
  PID 1580 wrote to memory of 4708   1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    cmd.exe          3
  PID 4708 wrote to memory of 4616   4708  cmd.exe                                                                  ShowDrive.dl_    3
  PID 1580 wrote to memory of 4564   1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    cmd.exe          3
  PID 4564 wrote to memory of 2680   4564  cmd.exe                                                                  ShowEFI.dl_      2
  PID 1580 wrote to memory of 4696   1580  962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe    cmd.exe          3
  PID 4696 wrote to memory of 4340   4696  cmd.exe                                                                  Getptw.dll       3
Processes (process tree; indentation shows the depth reported by the sandbox)

C:\Users\Admin\AppData\Local\Temp\962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\962c826c4f851b29d1140cfc73c379fe72f13a1ac04e0f549cc15a8440321b05.exe"
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\WININST~144\ComInfo.dll
    Command line: C:\Users\Admin\AppData\Roaming\WININST~144\ComInfo.dll
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - NTFS ADS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~144\Getptw.dll -a/part
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~144\ShowEFI.dl_
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~144\ShowDrive.dl_ *
    - Suspicious use of WriteProcessMemory

C:\Users\Admin\AppData\Roaming\WININST~144\Getptw.dll
  Command line: C:\Users\Admin\AppData\Roaming\WININST~144\Getptw.dll -a/part
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\AppData\Roaming\WININST~144\ShowEFI.dl_
  Command line: C:\Users\Admin\AppData\Roaming\WININST~144\ShowEFI.dl_
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)

C:\Users\Admin\AppData\Roaming\WININST~144\ShowDrive.dl_
  Command line: C:\Users\Admin\AppData\Roaming\WININST~144\ShowDrive.dl_ *
  - Executes dropped EXE
  - Enumerates connected drives
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\WININST~144\ComInfo.dll
- C:\Users\Admin\AppData\Roaming\WININST~144\Computer.dll
- C:\Users\Admin\AppData\Roaming\WININST~144\Getptw.dll
- C:\Users\Admin\AppData\Roaming\WININST~144\ShowDrive.dl_
- C:\Users\Admin\AppData\Roaming\WININST~144\ShowEFI.dl_
- memory/1812-130-0x0000000000000000-mapping.dmp
- memory/2680-138-0x0000000000000000-mapping.dmp
- memory/4340-142-0x0000000000000000-mapping.dmp
- memory/4564-137-0x0000000000000000-mapping.dmp
- memory/4616-134-0x0000000000000000-mapping.dmp
- memory/4696-141-0x0000000000000000-mapping.dmp
- memory/4708-133-0x0000000000000000-mapping.dmp