a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
150s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/SuperWacker.exe
Size

335KB
MD5

57e07c87d9ad4831c2f54584b8805901
SHA1

e8701ced964d08f7d4be70814e457f292bf798ca
SHA256

38cd530d4c48b9e3e9ba7a43f5c34404ead13237f7db093142103a94b82ff5b0
SHA512

85632a293b5c05ebff197ca1667a50c3b0a4d35c0bbc469af82764447dbc73111395fa213a6903a5f1447fb809a2ae49584b2fe54549f6782a990638602aa5eb
SSDEEP

6144:6D4m3lEo62uPK9T9rak9gora16oTllf28gO:6DX3juZk9goratll7gO

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

mbr.execircle.exewaves.execircle.exebsod.exe

pid process

4616 mbr.exe
4496 circle.exe
4500 waves.exe
540 circle.exe
2452 bsod.exe

pid	process
4616	mbr.exe
4496	circle.exe
4500	waves.exe
540	circle.exe
2452	bsod.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SuperWacker.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	SuperWacker.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mbr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	mbr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3160.tmp\\mbr.exe"	mbr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

216 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

532 timeout.exe
256 timeout.exe
2828 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2572 taskkill.exe
3708 taskkill.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exetaskkill.exebsod.exe

description pid process

Token: SeDebugPrivilege 2572 taskkill.exe
Token: SeDebugPrivilege 3708 taskkill.exe
Token: SeShutdownPrivilege 2452 bsod.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

pid	process
216	schtasks.exe

pid	process
532	timeout.exe
256	timeout.exe
2828	timeout.exe

pid	process
2572	taskkill.exe
3708	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	2572	taskkill.exe
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeShutdownPrivilege	2452	bsod.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SuperWacker.execmd.exembr.exe

description	pid	process	target process
PID 3352 wrote to memory of 3700	3352	SuperWacker.exe	cmd.exe
PID 3352 wrote to memory of 3700	3352	SuperWacker.exe	cmd.exe
PID 3700 wrote to memory of 4616	3700	cmd.exe	mbr.exe
PID 3700 wrote to memory of 4616	3700	cmd.exe	mbr.exe
PID 3700 wrote to memory of 4616	3700	cmd.exe	mbr.exe
PID 3700 wrote to memory of 4496	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 4496	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 4496	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 256	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 256	3700	cmd.exe	timeout.exe
PID 4616 wrote to memory of 216	4616	mbr.exe	schtasks.exe
PID 4616 wrote to memory of 216	4616	mbr.exe	schtasks.exe
PID 4616 wrote to memory of 216	4616	mbr.exe	schtasks.exe
PID 3700 wrote to memory of 2572	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 2572	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 4500	3700	cmd.exe	waves.exe
PID 3700 wrote to memory of 4500	3700	cmd.exe	waves.exe
PID 3700 wrote to memory of 4500	3700	cmd.exe	waves.exe
PID 3700 wrote to memory of 2828	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 2828	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 3708	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 3708	3700	cmd.exe	taskkill.exe
PID 3700 wrote to memory of 540	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 540	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 540	3700	cmd.exe	circle.exe
PID 3700 wrote to memory of 532	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 532	3700	cmd.exe	timeout.exe
PID 3700 wrote to memory of 2452	3700	cmd.exe	bsod.exe
PID 3700 wrote to memory of 2452	3700	cmd.exe	bsod.exe
PID 3700 wrote to memory of 2452	3700	cmd.exe	bsod.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\SuperWacker.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\SuperWacker.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3160.tmp\3161.bat C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\SuperWacker.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\3160.tmp\mbr.exe
mbr.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\3160.tmp\mbr.exe"
4⤵
- Creates scheduled task(s)
PID:216

C:\Users\Admin\AppData\Local\Temp\3160.tmp\circle.exe
circle.exe
3⤵
- Executes dropped EXE
PID:4496

C:\Windows\system32\timeout.exe
timeout 6
3⤵
- Delays execution with timeout.exe
PID:256

C:\Windows\system32\taskkill.exe
taskkill /f /im cricle.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Users\Admin\AppData\Local\Temp\3160.tmp\waves.exe
waves.exe
3⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\timeout.exe
timeout 70
3⤵
- Delays execution with timeout.exe
PID:2828

C:\Windows\system32\taskkill.exe
taskkill /f /im waves.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Users\Admin\AppData\Local\Temp\3160.tmp\circle.exe
circle.exe
3⤵
- Executes dropped EXE
PID:540

C:\Windows\system32\timeout.exe
timeout 70
3⤵
- Delays execution with timeout.exe
PID:532

C:\Users\Admin\AppData\Local\Temp\3160.tmp\bsod.exe
bsod.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3160.tmp\3161.bat
Filesize
187B

MD5
a9342e412034e05dd5c28ad409eaf4bc

SHA1
2d08249b9a48f07026ad4a34b318a9f41bcb3f74

SHA256
0cb6b7129654719a014dca360e330b2b225d36c8d2279af101dbd401d2c277b4

SHA512
e1dfac8087819cccfafe596bcc4379d2273c6049056080e4deb1772f7c4a63185ce21835f5f9523137b690e3be66933e816fec24d7c7785a09b38beb4aa259c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\bsod.exe
Filesize
102KB

MD5
30c6ece6db96626bae93be86db0990e1

SHA1
02a452be27b46474fca6d82580ffe76133aff5a3

SHA256
b1459f6ade9be379c20ce8fdf65f425e241ab96c8e799de25c352b7dd0978d47

SHA512
96b866a0d965f268ce5453156866b39972a59478ce25f5c228659f774643d2739b4f0081077f19bc55a3f1ef18091a2b1a16053a69588f3e15a583ab9b7136f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\bsod.exe
Filesize
102KB

MD5
30c6ece6db96626bae93be86db0990e1

SHA1
02a452be27b46474fca6d82580ffe76133aff5a3

SHA256
b1459f6ade9be379c20ce8fdf65f425e241ab96c8e799de25c352b7dd0978d47

SHA512
96b866a0d965f268ce5453156866b39972a59478ce25f5c228659f774643d2739b4f0081077f19bc55a3f1ef18091a2b1a16053a69588f3e15a583ab9b7136f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\circle.exe
Filesize
12KB

MD5
ed169e40a69cf73fd3ac59215b24063f

SHA1
32d49462e74e6c08b941d8cd530a5f3c0f3b5764

SHA256
b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

SHA512
f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\circle.exe
Filesize
12KB

MD5
ed169e40a69cf73fd3ac59215b24063f

SHA1
32d49462e74e6c08b941d8cd530a5f3c0f3b5764

SHA256
b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

SHA512
f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\circle.exe
Filesize
12KB

MD5
ed169e40a69cf73fd3ac59215b24063f

SHA1
32d49462e74e6c08b941d8cd530a5f3c0f3b5764

SHA256
b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

SHA512
f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\mbr.exe
Filesize
101KB

MD5
52e2c0513dc998dcb486a87dcaebd040

SHA1
fda3c535c9a9425e8e0d2f2be3584280f4d15dc9

SHA256
095d1eba5b8f50305a0ad75c8b1879b872437ef7e884588944953bc63005430e

SHA512
5ec0d3ffe423af847800186e3932460674eef8a38f887623d32e47c02aec971571dd46c0f8a157ab16a5ffe020a89ba25e40e62326081915f04de6c202a58d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\mbr.exe
Filesize
101KB

MD5
52e2c0513dc998dcb486a87dcaebd040

SHA1
fda3c535c9a9425e8e0d2f2be3584280f4d15dc9

SHA256
095d1eba5b8f50305a0ad75c8b1879b872437ef7e884588944953bc63005430e

SHA512
5ec0d3ffe423af847800186e3932460674eef8a38f887623d32e47c02aec971571dd46c0f8a157ab16a5ffe020a89ba25e40e62326081915f04de6c202a58d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\waves.exe
Filesize
41KB

MD5
d8e680ae1d2edd79fc67b784b3a47921

SHA1
c17dc567d2734a0e15c9d1d59808d56d1ae2da25

SHA256
df6dcaef3930c089873e74f85ec7f6bf390f84bb173be3323d0b79262c4ee6d4

SHA512
96bd83a8d79adc9235f0e7f16fdecfa0e084facc163765737d2a8c89eaaaad04daed561e90a299eba9303043e0b6bdbba63bc2af8a875ec435d585ec84013fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\3160.tmp\waves.exe
Filesize
41KB

MD5
d8e680ae1d2edd79fc67b784b3a47921

SHA1
c17dc567d2734a0e15c9d1d59808d56d1ae2da25

SHA256
df6dcaef3930c089873e74f85ec7f6bf390f84bb173be3323d0b79262c4ee6d4

SHA512
96bd83a8d79adc9235f0e7f16fdecfa0e084facc163765737d2a8c89eaaaad04daed561e90a299eba9303043e0b6bdbba63bc2af8a875ec435d585ec84013fba

Download Submit
memory/216-141-0x0000000000000000-mapping.dmp

Download
memory/256-139-0x0000000000000000-mapping.dmp

Download
memory/532-150-0x0000000000000000-mapping.dmp

Download
memory/540-148-0x0000000000000000-mapping.dmp

Download
memory/2452-151-0x0000000000000000-mapping.dmp

Download
memory/2572-142-0x0000000000000000-mapping.dmp

Download
memory/2828-146-0x0000000000000000-mapping.dmp

Download
memory/3700-132-0x0000000000000000-mapping.dmp

Download
memory/3708-147-0x0000000000000000-mapping.dmp

Download
memory/4496-136-0x0000000000000000-mapping.dmp

Download
memory/4500-143-0x0000000000000000-mapping.dmp

Download
memory/4616-134-0x0000000000000000-mapping.dmp

Download