Analysis
- max time kernel: 34s
- max time network: 86s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 24-05-2022 15:31
Static task: static1
Behavioral task: behavioral1
- Sample: e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
- Resource: win10v2004-20220414-en
General
- Target: e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
- Size: 1.3MB
- MD5: e94789d1b75d6520283673c75aabddb2
- SHA1: 6b34ff2a184980cd36ed962b24610201ce2e9708
- SHA256: e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2
- SHA512: b48f690de562ba2115de6b38868aaece4ccf9b9fdd2934120d5211bdc969291d38e5bbdb0817d8a579853d05feac7096119f27fd297044ab3a9fc83f0f77e6de
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes: downloader.exe (PID 828)
- Loads dropped DLL (3 IoCs)
  Processes: e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe (PID 1704), one load; downloader.exe (PID 828), two loads
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system: code placed in the first sector of the disk runs before the Windows boot loader, so it can tamper with the boot chain before any security product starts and is not visible to file-system-based checks.
  Processes: downloader.exe opened \??\PhysicalDrive0 for modification.
  Caveat: what the sandbox recorded is a write-capable handle to the raw disk, not the bytes written. The report does not show whether sector 0 was actually changed; confirming that requires comparing the first sector of the VM disk before and after detonation.
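The check an analyst would run to close that gap, as an added example that is not part of the sandbox report or of the sample: read the 512-byte boot sector from the detonation disk image, confirm the 0x55AA signature, parse the four partition entries and compare only the bootstrap-code region (bytes 0 to 439) against a hash taken from a clean snapshot. Hashing the bootstrap code rather than the whole sector matters because a bootkit typically leaves the partition table intact, so a partition-table-only check passes. All sector contents below are constructed; the function names and the baseline-hash approach are this example's own.

```python
"""Sanity-check a 512-byte MBR image for tampering (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # offsets 0..439: bootstrap code, before the 4-byte disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the 2 reserved bytes
PART_ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap-code region; the partition table legitimately changes on repartitioning."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * struct.calcsize(PART_ENTRY_FMT)
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_bootcode_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    if len(mbr) != SECTOR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootcode_sha256(mbr) != baseline_bootcode_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one partition marked active")
    return findings


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed test sector: caller-supplied bootcode, one active NTFS partition at LBA 2048."""
    assert len(bootcode) <= BOOTCODE_LEN
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    sector[440:444] = b"\x12\x34\x56\x78"  # disk signature (arbitrary value for the example)
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed bootcode stubs: a "clean" one, and one whose first bytes were replaced with a
# jump (the way a bootkit redirects execution while leaving the partition table untouched).
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
TAMPERED_BOOTCODE = b"\xeb\x1e" + CLEAN_BOOTCODE[2:]

if __name__ == "__main__":
    baseline = bootcode_sha256(build_sample_mbr(CLEAN_BOOTCODE))
    print("clean:   ", check_mbr(build_sample_mbr(CLEAN_BOOTCODE), baseline))
    print("tampered:", check_mbr(build_sample_mbr(TAMPERED_BOOTCODE), baseline))
```

On a real case the two sectors come from the VM's disk image (for example, the first 512 bytes of the backing file of the pre-detonation snapshot and of the post-detonation disk); the baseline hash is computed from the clean one with bootcode_sha256 and the post-detonation sector is passed to check_mbr.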
- Gathers system information (1 TTP, 1 IoC)
  Runs systeminfo.exe.
- Suspicious use of WriteProcessMemory (28 IoCs)
  The 28 records collapse to four parent/child pairs with seven writes each:
  PID 1704 (e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe) -> PID 828 (downloader.exe): 7
  PID 828 (downloader.exe) -> PID 2032 (cmd.exe): 7
  PID 2032 (cmd.exe) -> PID 2028 (systeminfo.exe): 7
  PID 2032 (cmd.exe) -> PID 1808 (findstr.exe): 7
  Every write goes from a process into a child it spawned itself (see the process tree below), so this signature corroborates the execution chain; on its own it is not evidence of injection into an unrelated process.
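The sandbox prints these records as one flattened line per signature, which is awkward to read once a sample spawns more than a few processes. The following is an added example, not part of the report or of any sandbox tooling, that parses records in the format above into per-edge write counts and renders the result as a tree rooted at the process nobody wrote into. The input string is constructed from the four distinct records on this page, each repeated the seven times the sandbox logged them; the function names are this example's own.

```python
"""Rebuild a process tree from flattened 'PID X wrote to memory of Y' records (added example)."""
import re
from collections import Counter, defaultdict

SAMPLE = "e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe"

# Constructed input: the report's four distinct records, each repeated seven times (28 IoCs).
RECORDS = " ".join(
    [f"PID 1704 wrote to memory of 828 1704 {SAMPLE} downloader.exe"] * 7
    + ["PID 828 wrote to memory of 2032 828 downloader.exe cmd.exe"] * 7
    + ["PID 2032 wrote to memory of 2028 2032 cmd.exe systeminfo.exe"] * 7
    + ["PID 2032 wrote to memory of 1808 2032 cmd.exe findstr.exe"] * 7
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_records(text: str):
    """Return ({(src_pid, dst_pid): write_count}, {pid: image name}) from the flattened text."""
    edges = Counter()
    names = {}
    for src, dst, src_again, src_img, dst_img in RECORD_RE.findall(text):
        if src != src_again:  # the source PID is printed twice; a mismatch means the line is damaged
            raise ValueError(f"inconsistent record: {src} vs {src_again}")
        edges[(int(src), int(dst))] += 1
        names[int(src)] = src_img
        names[int(dst)] = dst_img
    return edges, names


def render_tree(edges, names) -> list:
    """Indented tree; each child line carries how many writes its parent made into it."""
    children = defaultdict(list)
    for (src, dst), n in sorted(edges.items()):
        children[src].append((dst, n))
    targets = {dst for _, dst in edges}
    lines, seen = [], set()

    def walk(pid, depth, writes):
        if pid in seen:  # guard against malformed input producing a cycle
            return
        seen.add(pid)
        tag = f" ({writes} writes from parent)" if writes else ""
        lines.append("  " * depth + f"{pid} {names[pid]}{tag}")
        for dst, n in children[pid]:
            walk(dst, depth + 1, n)

    for root in sorted(p for p in names if p not in targets):
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    e, n = parse_records(RECORDS)
    print("\n".join(render_tree(e, n)))
```

Run on the constructed input it prints the chain 1704 -> 828 -> 2032 -> {1808, 2028}, one line per process, which is the same structure the Processes section below shows from the command-line side.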
Processes
1. C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e275434786c74dc8e568e156d6e7de940c5c3e93ddd6180f175ac691bd6a85c2.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
      Command line: .\downloader.exe %%S
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /k systeminfo | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\findstr.exe
            Command line: findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
         4. C:\Windows\SysWOW64\systeminfo.exe
            Command line: systeminfo
            - Gathers system information

Reading the tree: a 7zS<hex>.tmp directory under %TEMP% is the extraction directory used by 7-Zip self-extracting archives, and %%S is the 7-Zip SFX placeholder for the path of the SFX executable itself, so the 1.3MB sample is consistent with an SFX wrapper that unpacks downloader.exe and runs it with the wrapper's own path as its argument. downloader.exe is the process that opened \??\PhysicalDrive0 for writing. The cmd.exe it spawns is the SysWOW64 copy (a 32-bit chain), and its filter keeps only the System Model, Host Name and OS Name lines of systeminfo output, a compact host fingerprint; the model line is also where a hypervisor's product name appears, which is worth keeping in mind when a sample shows nothing further in the sandbox.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
  Filesize: 44KB
  MD5: e4a71382cdc6b91ba0e62fc6d442b7b7
  SHA1: 702815153f22f61ed2a4035cd959a602d395f04d
  SHA256: 0a29f047924a301df22759a1d71f6b863994a67c982cf5523c95547f66ae8bcd
  SHA512: feef6d6346110272f8786822611acfb717e8d7ba4240ed7e0b6a6eea2f64c0e4690d2f18a0ddbbfcf672066bd8e9104b0765a0f1e41d91b3ba1a826d9e2e3611
- C:\Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
  Filesize: 60KB
  MD5: 6779ded002d2eded26f730325db32106
  SHA1: 070548cfa3b0b77d9cc6c6db12870f86d0ad3de0
  SHA256: 8f9b4bbe4bc16345435df272b69e1debe12a47611d845492b05ba31f412401b5
  SHA512: 41ee5ac5f27692acb96a3b17836a24016049ac089d32500483bfe348435d7a839fb3c27d4f9a1abd29073c5b53100b86634af251e235b7f33492b74c8a94f436
- \Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
  Filesize: 71KB
  MD5: b5b300b8e74732e5a12adcde960d06ad
  SHA1: f90987a9e56ed8756a08fcae63e32e3bdac4386b
  SHA256: a1703041cba69b61fad14a517e60572f52d33e7c21357a817154dfb07c082e9c
  SHA512: b0e4c8f66282f6a07cb9deeb0a4a5cb24d9c1eb6c5eed12ceac8338fdba2342f9b8572a8b3caebddbcaa56ee5609c7aedbac66f3f4f11722301af8ce98213fd6
- \Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
  Filesize: 73KB
  MD5: e66b8bea3f965a3ca5a13f0bfd793e23
  SHA1: 06634b2ba347de9d81338a1d18e49997c4df26a4
  SHA256: d3da2aafdd18f66e759b0b892d367a2eb25043e1aa13e144e02c7d9a5c4e51f2
  SHA512: 1ba9fb04dcd6863ec0bfdf20e007084b41ce44acdc533737b6423bc18b22b513104067b7bd1ab20dfeb9093bea2f6b13952f69272e32d0a118931b36344fa2aa
- \Users\Admin\AppData\Local\Temp\7zSB3E5.tmp\downloader.exe
  Filesize: 57KB
  MD5: e639236d8784dd65fd4d4af02a529638
  SHA1: c6778408231f455af2dbdb0b9e61e319dccc3eaa
  SHA256: 9c631da047369ff9afdda337ced8274fc816e04f791dd59f98fc28f5f88661b9
  SHA512: 58ec109b0513ce2ab91031457d3d6d20db4af0e0ef6879bddc19db6622887f92ac02a8da2bde9d25dc7235ef307c60ea1fec58ed862832017a634a35bda4f9fa
- memory/828-56-0x0000000000000000-mapping.dmp
- memory/1704-54-0x0000000075781000-0x0000000075783000-memory.dmp
  Filesize: 8KB
- memory/1808-65-0x0000000000000000-mapping.dmp
- memory/2028-64-0x0000000000000000-mapping.dmp
- memory/2032-62-0x0000000000000000-mapping.dmp