Overview

overview

8

Static

static

6b17d4914b...65.exe

windows7_x64

8

6b17d4914b...65.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    176s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 18:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe

  • Size

    3.6MB

  • MD5

    9ecc50f5d5bac02c24a7e2deeb4a21a7

  • SHA1

    e63b36ed4e21ca374cdb9092e5c1d7b515ba2e2f

  • SHA256

    6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565

  • SHA512

    6d59630b340c368d21ce3d92473000615d22d2989a777afdab1b439a809f14e9a926489e10d584331c1d464c1b59335de2e3c4692a355238066986f47e2a6fd4

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe
    "C:\Users\Admin\AppData\Local\Temp\6b17d4914b225ecceea6b2af8f1571da12c09e7434af37f025fba6076fcf1565.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn godzilla_client /tr "'C:\Users\Admin\AppData\Local\Temp\Godzilla.exe'" /sc minute /mo 30 /f
      2⤵
      • Creates scheduled task(s)
      PID:1540
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn godzilla_console /tr "'C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe'" /sc onlogon /f
      2⤵
      • Creates scheduled task(s)
      PID:228
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn aehcb /tr "'C:\Windows\aehcb.exe'" /sc onlogon /delay 0005:00 /f /rl highest
      2⤵
      • Creates scheduled task(s)
      PID:3044
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /delete /tn wmvdspapp /f
      2⤵
        PID:2620
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /run /tn godzilla_console
        2⤵
          PID:4880
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /run /tn godzilla_console
          2⤵
            PID:5080
        • C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
          C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3680

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
          Filesize

          3.5MB

          MD5

          55d46eb91f28c9f54b65967c9acc7702

          SHA1

          de7dcc245b967be6cc92dcce0ade92bb973139e8

          SHA256

          4b239922d5b61ad53cc9d63c73e4f67446b6162890797f01ddf5928027ea2ebf

          SHA512

          4b6484f56a2bbac40245901f2941aab7fe9b1b98a01ec886f714e86a51927d18b1be229f70366483469ba06f713a3b2e8f1f766b6cb857174b9de90954aa4032

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\GodzillaConsole.exe
          Filesize

          3.5MB

          MD5

          55d46eb91f28c9f54b65967c9acc7702

          SHA1

          de7dcc245b967be6cc92dcce0ade92bb973139e8

          SHA256

          4b239922d5b61ad53cc9d63c73e4f67446b6162890797f01ddf5928027ea2ebf

          SHA512

          4b6484f56a2bbac40245901f2941aab7fe9b1b98a01ec886f714e86a51927d18b1be229f70366483469ba06f713a3b2e8f1f766b6cb857174b9de90954aa4032

          Download Submit

        • memory/228-131-0x0000000000000000-mapping.dmp

          Download

        • memory/1540-130-0x0000000000000000-mapping.dmp

          Download

        • memory/2620-133-0x0000000000000000-mapping.dmp

          Download

        • memory/3044-132-0x0000000000000000-mapping.dmp

          Download

        • memory/4880-134-0x0000000000000000-mapping.dmp

          Download

        • memory/5080-135-0x0000000000000000-mapping.dmp

          Download