b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c

Analysis

max time kernel
144s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
Size

146KB
MD5

e078d7b5e62599c67b5776c9c574a4a4
SHA1

3569e2206d16387b026dd272c1712e1d4734bed4
SHA256

b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c
SHA512

481a7b66ee30f498cf3875daae8fe83193066dcebc995790995356f58539726a3166f75562218b5211af4aa217f49a19008f1bf760455e20a1ef275380b03b50
SSDEEP

3072:Nyt0KfRpRMLEAoAu87qKLqfsR8ldGBgATU:NrKsEATOKGfnlYyAA

Score

7^/10

bootkit persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 53 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	212.212.245.176
Destination IP	212.65.64.19
Destination IP	212.90.196.239
Destination IP	212.218.16.46
Destination IP	193.124.83.69
Destination IP	212.249.159.38
Destination IP	212.249.4.189
Destination IP	212.13.218.32
Destination IP	212.10.13.144
Destination IP	212.75.191.126
Destination IP	211.63.185.180
Destination IP	66.204.193.26
Destination IP	202.235.79.227
Destination IP	212.69.154.151
Destination IP	212.197.240.180
Destination IP	212.4.140.21
Destination IP	58.81.69.173
Destination IP	212.241.97.182
Destination IP	66.197.211.181
Destination IP	212.213.45.182
Destination IP	65.89.48.11
Destination IP	212.186.32.38
Destination IP	212.140.182.66
Destination IP	212.249.160.10
Destination IP	212.71.145.94
Destination IP	212.106.118.90
Destination IP	212.253.0.221
Destination IP	208.100.23.40
Destination IP	212.180.181.183
Destination IP	212.173.81.172
Destination IP	212.185.54.0
Destination IP	12.106.88.20
Destination IP	222.122.138.7
Destination IP	212.47.13.226
Destination IP	212.58.187.177
Destination IP	212.130.226.124
Destination IP	212.190.48.12
Destination IP	212.203.203.145
Destination IP	212.187.20.154
Destination IP	212.140.210.201
Destination IP	212.17.105.171
Destination IP	212.150.69.19
Destination IP	212.160.41.177
Destination IP	66.152.91.2
Destination IP	212.2.152.128
Destination IP	203.248.116.42
Destination IP	211.10.204.5
Destination IP	212.74.104.86
Destination IP	212.194.109.122
Destination IP	212.52.7.237
Destination IP	212.150.84.4
Destination IP	212.95.249.123
Destination IP	212.41.251.20

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	896	WerFault.exe	27

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 1052	896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe	29
PID 896 wrote to memory of 1052	896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe	29
PID 896 wrote to memory of 1052	896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe	29
PID 896 wrote to memory of 1052	896	b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe	29

C:\Users\Admin\AppData\Local\Temp\b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe
"C:\Users\Admin\AppData\Local\Temp\b99564c3b07bf249af5d66b670ef15b93a5e807d869c99195855c9bdc94aa83c.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 896 -s 1708
  2⤵
  - Program crash
  PID:1052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/896-55-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/896-57-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1052-56-0x0000000000000000-mapping.dmp

Download