a9027c6070365053c3cb91261991c71f1d3a63707df8467e413847f344b3af4d

Analysis

max time kernel
291s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2022 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TrashMalwares-main/even0.5.exe
Size

2.2MB
MD5

fd458518fdea359c687c89a2042708de
SHA1

a7cca7d91a04f1377d37199f79eb32ebb1d4fe82
SHA256

5bea698d10011639e532025f83dc62bf9adc7bb424a0c58c803894937226e6fc
SHA512

3364926b3d0f3494dbb4827921cbd4c582a83cf54d291eead824c21ba07c195105e0af875448c4aff03cd0ca261668ee8bc07023e99879326b1f8edf5d7486cc
SSDEEP

49152:Fq+b0nArGa1U+nlhCXi4fRrjPZQDbyWrEWNhXa5JqN6G:Fq+bTPXCS4JrjhBWbXa5JqgG

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

Processes:

mbr.exenoise.exefirst.exesqmove.exeColorA.execircle.exeRandomLines.exe

pid process

1304 mbr.exe
2984 noise.exe
4172 first.exe
1576 sqmove.exe
1284 ColorA.exe
2028 circle.exe
1556 RandomLines.exe

pid	process
1304	mbr.exe
2984	noise.exe
4172	first.exe
1576	sqmove.exe
1284	ColorA.exe
2028	circle.exe
1556	RandomLines.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral20/memory/1712-132-0x0000000000400000-0x00000000008EF000-memory.dmp	upx
behavioral20/memory/1712-135-0x0000000000400000-0x00000000008EF000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mbr.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	mbr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\E3CD.tmp\\mbr.exe"	mbr.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

mbr.exe

description ioc process

File opened for modification \??\PhysicalDrive0 mbr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3552 timeout.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

3732 taskkill.exe
2336 taskkill.exe
5100 taskkill.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	mbr.exe

pid	process
2016	schtasks.exe

pid	process
3552	timeout.exe

pid	process
3732	taskkill.exe
2336	taskkill.exe
5100	taskkill.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskkill.exeAUDIODG.EXEtaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3732	taskkill.exe
Token: 33	1280	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1280	AUDIODG.EXE
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

even0.5.execmd.exembr.exe

description	pid	process	target process
PID 1712 wrote to memory of 4832	1712	even0.5.exe	cmd.exe
PID 1712 wrote to memory of 4832	1712	even0.5.exe	cmd.exe
PID 4832 wrote to memory of 1304	4832	cmd.exe	mbr.exe
PID 4832 wrote to memory of 1304	4832	cmd.exe	mbr.exe
PID 4832 wrote to memory of 1304	4832	cmd.exe	mbr.exe
PID 4832 wrote to memory of 2984	4832	cmd.exe	noise.exe
PID 4832 wrote to memory of 2984	4832	cmd.exe	noise.exe
PID 4832 wrote to memory of 2984	4832	cmd.exe	noise.exe
PID 1304 wrote to memory of 2016	1304	mbr.exe	schtasks.exe
PID 1304 wrote to memory of 2016	1304	mbr.exe	schtasks.exe
PID 1304 wrote to memory of 2016	1304	mbr.exe	schtasks.exe
PID 4832 wrote to memory of 4172	4832	cmd.exe	first.exe
PID 4832 wrote to memory of 4172	4832	cmd.exe	first.exe
PID 4832 wrote to memory of 4172	4832	cmd.exe	first.exe
PID 4832 wrote to memory of 3732	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 3732	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 1576	4832	cmd.exe	sqmove.exe
PID 4832 wrote to memory of 1576	4832	cmd.exe	sqmove.exe
PID 4832 wrote to memory of 1576	4832	cmd.exe	sqmove.exe
PID 4832 wrote to memory of 1284	4832	cmd.exe	ColorA.exe
PID 4832 wrote to memory of 1284	4832	cmd.exe	ColorA.exe
PID 4832 wrote to memory of 1284	4832	cmd.exe	ColorA.exe
PID 4832 wrote to memory of 2336	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 2336	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 5100	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 5100	4832	cmd.exe	taskkill.exe
PID 4832 wrote to memory of 2028	4832	cmd.exe	circle.exe
PID 4832 wrote to memory of 2028	4832	cmd.exe	circle.exe
PID 4832 wrote to memory of 2028	4832	cmd.exe	circle.exe
PID 4832 wrote to memory of 1556	4832	cmd.exe	RandomLines.exe
PID 4832 wrote to memory of 1556	4832	cmd.exe	RandomLines.exe
PID 4832 wrote to memory of 1556	4832	cmd.exe	RandomLines.exe
PID 4832 wrote to memory of 3552	4832	cmd.exe	timeout.exe
PID 4832 wrote to memory of 3552	4832	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\even0.5.exe
"C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\even0.5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\E3CE.bat C:\Users\Admin\AppData\Local\Temp\TrashMalwares-main\even0.5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4832

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\mbr.exe
mbr.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\mbr.exe"
4⤵
- Creates scheduled task(s)
PID:2016

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\noise.exe
noise.exe
3⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\first.exe
first.exe
3⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\taskkill.exe
taskkill /f /im first.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\ColorA.exe
ColorA.exe
3⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\sqmove.exe
sqmove.exe
3⤵
- Executes dropped EXE
PID:1576

C:\Windows\system32\taskkill.exe
taskkill /f /im sqmove.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\taskkill.exe
taskkill /f /im ColorA.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\circle.exe
circle.exe
3⤵
- Executes dropped EXE
PID:2028

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\RandomLines.exe
RandomLines.exe
3⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\timeout.exe
timeout 30
3⤵
- Delays execution with timeout.exe
PID:3552

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x394 0x38c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\ColorA.exe
Filesize
107KB

MD5
d50fbc1a509ef70153d458aa657a1416

SHA1
1f92309b9fa0d1ea78c8a67745a4caf763313089

SHA256
f41d9fdcdcebf89ea570158e5d00aff3a7f31970e92b929258777a1bb52d328d

SHA512
48504f06a2f510d85ac4acb6f71b5e4137c08abcc11aef0daadfe29624025b499df93f4389033ab3cc082a0146a251634725026958988c5bedf1bf5382573901

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\ColorA.exe
Filesize
107KB

MD5
d50fbc1a509ef70153d458aa657a1416

SHA1
1f92309b9fa0d1ea78c8a67745a4caf763313089

SHA256
f41d9fdcdcebf89ea570158e5d00aff3a7f31970e92b929258777a1bb52d328d

SHA512
48504f06a2f510d85ac4acb6f71b5e4137c08abcc11aef0daadfe29624025b499df93f4389033ab3cc082a0146a251634725026958988c5bedf1bf5382573901

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\E3CE.bat
Filesize
961B

MD5
3af8d731d94403314f4a25b755017754

SHA1
7369b107c14544ca5478b530dd368e521895e69a

SHA256
c7b7dd49a28e96cf6f1cc6e33ebfc9163256c54838c03e32f3eb01784348d714

SHA512
7802e9bb8eb06a9b0d37225570d5f443d9f01c4db54a4b13a7871570fdddae53cef5310d33e72374294b9f979c39666cb1dd5584317c76c6b984182fb7313c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\RandomLines.exe
Filesize
103KB

MD5
50caeee44dc92a147cf95fd82eb6e299

SHA1
a6619a150a31f4c1b4913884123f5b5334e23489

SHA256
81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

SHA512
e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\RandomLines.exe
Filesize
103KB

MD5
50caeee44dc92a147cf95fd82eb6e299

SHA1
a6619a150a31f4c1b4913884123f5b5334e23489

SHA256
81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e

SHA512
e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\circle.exe
Filesize
12KB

MD5
ed169e40a69cf73fd3ac59215b24063f

SHA1
32d49462e74e6c08b941d8cd530a5f3c0f3b5764

SHA256
b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

SHA512
f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\circle.exe
Filesize
12KB

MD5
ed169e40a69cf73fd3ac59215b24063f

SHA1
32d49462e74e6c08b941d8cd530a5f3c0f3b5764

SHA256
b8ffde2fc69292ffa1a704a1cf977eedfc86277a61d4937245d218d22674178c

SHA512
f949a7b9b5dae91f887e7ce9bb45f7500534873d3baab5f5c2b1c31b1e185e70278ceb9d4f03f495460e0fb96399239fa678b0b4750ee870cbaa6333ab5ebb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\first.exe
Filesize
14KB

MD5
abea08a9dc66b456b81195f60ef1e1ea

SHA1
6bff4f1d6ac07d79ff641767e0a2095653eba186

SHA256
097c392a453d809f098e19b24a5bdb574e92c392b2fe04458b841774621d5f74

SHA512
babf1fdbcfacf1898c00b1dbb0c3542a35e1a45417ad141057eb294244b0810e02f0c7a4c80727f6409c0cea9f6015b1781127bb06dfe74bc68d606c6db3583b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\first.exe
Filesize
14KB

MD5
abea08a9dc66b456b81195f60ef1e1ea

SHA1
6bff4f1d6ac07d79ff641767e0a2095653eba186

SHA256
097c392a453d809f098e19b24a5bdb574e92c392b2fe04458b841774621d5f74

SHA512
babf1fdbcfacf1898c00b1dbb0c3542a35e1a45417ad141057eb294244b0810e02f0c7a4c80727f6409c0cea9f6015b1781127bb06dfe74bc68d606c6db3583b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\mbr.exe
Filesize
101KB

MD5
271e7d0009044cebb57ac0beac9bd1c8

SHA1
c2b86434f0ed2e1ed100c1930a56c33ad94595d8

SHA256
24d37ddd57c3f9b0b9374f10660f8e551a5d802567a757314b8ea1505ac3cdb7

SHA512
b92c497ee171371e003f2e8ba18ff7033e36f042c2d01e3de0035913d284a8a012342bfeddd85a36681701686a688ee0642d377fd38ab2230fe6e56a83d27234

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\mbr.exe
Filesize
101KB

MD5
271e7d0009044cebb57ac0beac9bd1c8

SHA1
c2b86434f0ed2e1ed100c1930a56c33ad94595d8

SHA256
24d37ddd57c3f9b0b9374f10660f8e551a5d802567a757314b8ea1505ac3cdb7

SHA512
b92c497ee171371e003f2e8ba18ff7033e36f042c2d01e3de0035913d284a8a012342bfeddd85a36681701686a688ee0642d377fd38ab2230fe6e56a83d27234

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\noise.exe
Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\noise.exe
Filesize
102KB

MD5
3c285eec317672f7eb27ec27244cbe59

SHA1
3bd2512ea461dd67babad9b398128c70a3dde059

SHA256
81cbb8c54d2dfdda281e37aff08f9f98afab3f415fbe3c7b5242c1b85495e715

SHA512
590ec0ed53848bee0ae82e0ecc62c48d66f0380ca04c6e425cc97bdd05f1b2cddeecf2e58d58dbfee4872500a425b7d5d1401f955d65d891114f61cd7baaf5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\noise.wav
Filesize
1.0MB

MD5
cdc6c78486f27876fca2f9ce090fe2df

SHA1
5b2655c058b1a0415e00c207839113b863b0a750

SHA256
31be0f1ab83ae8bddccd657ca78c57ee26e2ac3b3a87637e3adc6405f018b399

SHA512
3f80524dbcfd2f1e756710f2f21cb498268da7528077833ed01b4f2030aa0df0f0528a69a6b516ad1e5988174d1395ae189981e707127bea0acdfa6be0477f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\sqmove.exe
Filesize
14KB

MD5
8ad1da4c2b678ffbc0f5d95adfeb5c9b

SHA1
4cf9fdf8eebb45bdd490f2f48ddc0352dfcbcb40

SHA256
6caad2810e0d398ef80f5aa63f8f9ed09dbc5b6bb169e43b7319fe9a1eea85f2

SHA512
8114960930dbb72a5892b2d594c526c8bf5f0b4df00e575b7823bc5e53723aab52e7edca72fd9c898bc4f87f88ebef4b938827b07d45523630d6de9cf9599d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3CD.tmp\sqmove.exe
Filesize
14KB

MD5
8ad1da4c2b678ffbc0f5d95adfeb5c9b

SHA1
4cf9fdf8eebb45bdd490f2f48ddc0352dfcbcb40

SHA256
6caad2810e0d398ef80f5aa63f8f9ed09dbc5b6bb169e43b7319fe9a1eea85f2

SHA512
8114960930dbb72a5892b2d594c526c8bf5f0b4df00e575b7823bc5e53723aab52e7edca72fd9c898bc4f87f88ebef4b938827b07d45523630d6de9cf9599d03

Download Submit
memory/1284-151-0x0000000000000000-mapping.dmp

Download
memory/1304-136-0x0000000000000000-mapping.dmp

Download
memory/1556-158-0x0000000000000000-mapping.dmp

Download
memory/1576-148-0x0000000000000000-mapping.dmp

Download
memory/1712-132-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/1712-135-0x0000000000400000-0x00000000008EF000-memory.dmp

Filesize
4.9MB

Download
memory/2016-142-0x0000000000000000-mapping.dmp

Download
memory/2028-156-0x0000000000000000-mapping.dmp

Download
memory/2336-154-0x0000000000000000-mapping.dmp

Download
memory/2984-139-0x0000000000000000-mapping.dmp

Download
memory/3552-161-0x0000000000000000-mapping.dmp

Download
memory/3732-147-0x0000000000000000-mapping.dmp

Download
memory/4172-143-0x0000000000000000-mapping.dmp

Download
memory/4832-133-0x0000000000000000-mapping.dmp

Download
memory/5100-155-0x0000000000000000-mapping.dmp

Download