Analysis

  • max time kernel
    131s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 14:56

General

  • Target: 31302655af916d773479844df1a3565aeb86de8ef1f23310e888bd436a16bba4.exe
  • Size: 534KB
  • MD5: 9873d96e49ac54a35710a82cda6d002a
  • SHA1: 0f8f5675ffbbc73489dcda0580455557f6d12dc7
  • SHA256: 31302655af916d773479844df1a3565aeb86de8ef1f23310e888bd436a16bba4
  • SHA512: bdca9a62d296a41c85bef949d293cb4f597a64699e9c12869f6c25116e8330d7b2313578d27e763aafaff86f32cdba8a6c6428665dec778209bc5017fc6ace97

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31302655af916d773479844df1a3565aeb86de8ef1f23310e888bd436a16bba4.exe
    "C:\Users\Admin\AppData\Local\Temp\31302655af916d773479844df1a3565aeb86de8ef1f23310e888bd436a16bba4.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4072
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\temp\mbrw7.cmd" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\temp\MBRWRWIN.EXE
        C:\temp\mbrwrwin install overwrite C:\temp\rtmbr2.bin
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:4904

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\temp\MBRWRWIN.EXE
    Filesize: 68KB
    MD5: 8e01acb653132551547539c991f6b6f3
    SHA1: 334c96df03dba68b16ee8680e5592ef5e16a0531
    SHA256: a21e6621a5ce7180e5ba8a98686ee5a3d5ef4d54c84e34992a725cc2fe7c4b46
    SHA512: edb7f1ffe772ff11ece5409a01b9bab295d6d0141162c09f19ae4ccc70c84fa67b98a3f40a5ae15aec4b01c439431d6849aaacfb218402e3fa5d351f7f8e37f8

  • C:\temp\mbrw7.cmd
    Filesize: 431B
    MD5: fea96be7347f35cef12adeb79c14f376
    SHA1: 1282409cbcb6072422c67da84ac5701770e4547f
    SHA256: 5190558ac981b1754b8f51f32fa8ed826821dbff0655825bba6ff5114f6a8043
    SHA512: a9e49436aa4c4602a1bb39a32cc64b0e91a1c9359fb7e9b0a94b77cc6733f0109b7dfd8661ed35052106825ce4186e90abd41356462f9b34e2ff8704627896cc

  • C:\temp\rtmbr2.bin
    Filesize: 512B
    MD5: a2300a68bb40d2be206ede2f3b8f938e
    SHA1: 99d40599c4cbb615700513b63a3845d5a38ce525
    SHA256: 395fb8d48eef4bcecf59678fb37f9c8629c8eb146d6769209a853411fbc4a241
    SHA512: c1613e81d4630ae8733c7409cc2793319d41d333a3ce16ab4f4cffeb746167a8930220c102f9824a8b1fb90d6a0aa0fe56323acf841b0db5fd0ff5c5790ed734

  • memory/2644-130-0x0000000000000000-mapping.dmp

  • memory/4904-132-0x0000000000000000-mapping.dmp