Overview

overview

8

Static

static

942ccb0c34...5e.exe

windows7-x64

8

942ccb0c34...5e.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    48s
  • max time network
    53s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 03:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    942ccb0c34ccc46b3f5b9566614932f7cb33bc93f09b0bd67a429a6b91c6125e.exe

  • Size

    552KB

  • MD5

    c1dca394e84edbea87941342072c82cc

  • SHA1

    32b4f5aff7fbe60b21efe6a71263cb702d0030e1

  • SHA256

    942ccb0c34ccc46b3f5b9566614932f7cb33bc93f09b0bd67a429a6b91c6125e

  • SHA512

    2f525867ae31599e9f9cb7c155958220859419a3fe2d4fbd5024648c7c5aae0a2e2dccb4afc3784a2b56090b693d9fbf9a6fc304b1700158a47da33cc4b2cfc5

  • SSDEEP

    12288:60vQwJcJmLoMIOABV2AWzj6b7MP+Dd2dvI4MW7K7yRLVVZLVMq:663Jwr3VgO7MP+h2/N7KwnIq

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 46 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\942ccb0c34ccc46b3f5b9566614932f7cb33bc93f09b0bd67a429a6b91c6125e.exe
    "C:\Users\Admin\AppData\Local\Temp\942ccb0c34ccc46b3f5b9566614932f7cb33bc93f09b0bd67a429a6b91c6125e.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe
      "C:\Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1304
    • C:\Windows\SysWOW64\what.exe
      "C:\Windows\System32\what.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Windows\SysWOW64\what.exe
        C:\Windows\SysWOW64\what.exe
        3⤵
        • Executes dropped EXE
        PID:1912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe
    Filesize

    347KB

    MD5

    ed8b282b6cd370827713b10d84d81678

    SHA1

    b21318b05c39c7353544212bd174fef78a44af77

    SHA256

    e9fb07c8434da7ee1576b82ad967ab0d5b9921c66eaf19556965dbf64ec71b54

    SHA512

    eb800985588831605e1e3ecb671fd501c0c5e9b4502d231eca4ce250341278e65cac8c8509ac105bbb0fa8a4c94669f5a042d6f9a3ba1f4ee67ee9efb7aab4e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe
    Filesize

    347KB

    MD5

    ed8b282b6cd370827713b10d84d81678

    SHA1

    b21318b05c39c7353544212bd174fef78a44af77

    SHA256

    e9fb07c8434da7ee1576b82ad967ab0d5b9921c66eaf19556965dbf64ec71b54

    SHA512

    eb800985588831605e1e3ecb671fd501c0c5e9b4502d231eca4ce250341278e65cac8c8509ac105bbb0fa8a4c94669f5a042d6f9a3ba1f4ee67ee9efb7aab4e6

    Download Submit

  • C:\Windows\SysWOW64\what.exe
    Filesize

    168KB

    MD5

    be6e32476c201e2061668d4912db06b0

    SHA1

    d546fc531097c9e973d56468360a10a25f5f4213

    SHA256

    cafcbbb032950c399b21b804a9d1a93c6c595f8838a30da87535f45616f1ca93

    SHA512

    dd053375289cc34078179d6ba17311fb9939243e37680967e13769460491e7903eb098f186e0c02eff2f0ff198a1162bb3063009d25aca28438e8ca128bdf178

    Download Submit

  • C:\Windows\SysWOW64\what.exe
    Filesize

    168KB

    MD5

    be6e32476c201e2061668d4912db06b0

    SHA1

    d546fc531097c9e973d56468360a10a25f5f4213

    SHA256

    cafcbbb032950c399b21b804a9d1a93c6c595f8838a30da87535f45616f1ca93

    SHA512

    dd053375289cc34078179d6ba17311fb9939243e37680967e13769460491e7903eb098f186e0c02eff2f0ff198a1162bb3063009d25aca28438e8ca128bdf178

    Download Submit

  • C:\Windows\SysWOW64\what.exe
    Filesize

    168KB

    MD5

    be6e32476c201e2061668d4912db06b0

    SHA1

    d546fc531097c9e973d56468360a10a25f5f4213

    SHA256

    cafcbbb032950c399b21b804a9d1a93c6c595f8838a30da87535f45616f1ca93

    SHA512

    dd053375289cc34078179d6ba17311fb9939243e37680967e13769460491e7903eb098f186e0c02eff2f0ff198a1162bb3063009d25aca28438e8ca128bdf178

    Download Submit

  • \Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe
    Filesize

    347KB

    MD5

    ed8b282b6cd370827713b10d84d81678

    SHA1

    b21318b05c39c7353544212bd174fef78a44af77

    SHA256

    e9fb07c8434da7ee1576b82ad967ab0d5b9921c66eaf19556965dbf64ec71b54

    SHA512

    eb800985588831605e1e3ecb671fd501c0c5e9b4502d231eca4ce250341278e65cac8c8509ac105bbb0fa8a4c94669f5a042d6f9a3ba1f4ee67ee9efb7aab4e6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\EmailSpiderEasy.exe
    Filesize

    347KB

    MD5

    ed8b282b6cd370827713b10d84d81678

    SHA1

    b21318b05c39c7353544212bd174fef78a44af77

    SHA256

    e9fb07c8434da7ee1576b82ad967ab0d5b9921c66eaf19556965dbf64ec71b54

    SHA512

    eb800985588831605e1e3ecb671fd501c0c5e9b4502d231eca4ce250341278e65cac8c8509ac105bbb0fa8a4c94669f5a042d6f9a3ba1f4ee67ee9efb7aab4e6

    Download Submit

  • \Windows\SysWOW64\what.exe
    Filesize

    168KB

    MD5

    be6e32476c201e2061668d4912db06b0

    SHA1

    d546fc531097c9e973d56468360a10a25f5f4213

    SHA256

    cafcbbb032950c399b21b804a9d1a93c6c595f8838a30da87535f45616f1ca93

    SHA512

    dd053375289cc34078179d6ba17311fb9939243e37680967e13769460491e7903eb098f186e0c02eff2f0ff198a1162bb3063009d25aca28438e8ca128bdf178

    Download Submit

  • \Windows\SysWOW64\what.exe
    Filesize

    168KB

    MD5

    be6e32476c201e2061668d4912db06b0

    SHA1

    d546fc531097c9e973d56468360a10a25f5f4213

    SHA256

    cafcbbb032950c399b21b804a9d1a93c6c595f8838a30da87535f45616f1ca93

    SHA512

    dd053375289cc34078179d6ba17311fb9939243e37680967e13769460491e7903eb098f186e0c02eff2f0ff198a1162bb3063009d25aca28438e8ca128bdf178

    Download Submit

  • memory/672-63-0x0000000000000000-mapping.dmp

    Download

  • memory/1288-56-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1304-75-0x00000000003D0000-0x0000000000400000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1304-69-0x00000000005D0000-0x00000000005D4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1304-70-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1304-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1304-68-0x00000000003D0000-0x0000000000400000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1304-76-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1304-77-0x00000000003D0000-0x0000000000400000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1304-78-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1912-72-0x0000000029130000-0x000000002914D000-memory.dmp

    Filesize

    116KB

    Download

  • memory/1912-73-0x000000002914128C-mapping.dmp

    Download