Overview

overview

8

Static

static

8

0e7d6b63d8...5c.exe

windows7-x64

6

0e7d6b63d8...5c.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    152s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/09/2022, 12:12

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    0e7d6b63d861c3636d65895531ade02c724458e86dc8d37b1afabff1e13e6b5c.exe

  • Size

    6.1MB

  • MD5

    d98937a2f7ecd006b3e558d99d25b496

  • SHA1

    face3450c838788cdfeda5b342bca935c1d2929a

  • SHA256

    0e7d6b63d861c3636d65895531ade02c724458e86dc8d37b1afabff1e13e6b5c

  • SHA512

    2d5653e730cf34942856f210e9480ec454561e039424d0bb1bdf9896be7551200ab719b89b7f7431c176857a1353c4695ef55cfd97ddc044c5609594db0a604b

  • SSDEEP

    24576:HYGT5+s+NDjXNhDJDSz5RxKje6oROuIWKYZXJ1GhEF:4GgDn9hDm5XOHk64H

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 52 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 22 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e7d6b63d861c3636d65895531ade02c724458e86dc8d37b1afabff1e13e6b5c.exe
    "C:\Users\Admin\AppData\Local\Temp\0e7d6b63d861c3636d65895531ade02c724458e86dc8d37b1afabff1e13e6b5c.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2024
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4152
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3480
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4024
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:552
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3800
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2244
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3424
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4752

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2024-132-0x0000000000400000-0x0000000000A28000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2024-134-0x0000000000400000-0x0000000000A28000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2024-135-0x0000000002750000-0x0000000002755000-memory.dmp

          Filesize

          20KB

          Download

        • memory/2024-136-0x0000000000400000-0x0000000000A28000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2024-137-0x0000000000400000-0x0000000000A28000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2024-138-0x0000000000400000-0x0000000000A28000-memory.dmp

          Filesize

          6.2MB

          Download