eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-09-2022 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
Size

1.2MB
MD5

34c95948578fc5abf9377112cb759f64
SHA1

8f48d608e396c5ef35ef85aa44ffe6b8511cabf6
SHA256

eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e
SHA512

4df7aee2563fd7b73cd4b65e1221b036d4f514680d92ec864d6916d4debbc0c745d1e0c6acb5b543f932fbbf982a6e3129ef9593ad9b34560df828b43ac42aa4
SSDEEP

24576:TL2gPr39qoj5l6gludTpyaJG9A5HPe3fHQmXqw1wi9D9E2A+:f2uqLgWT/JGe5dmawai9D9TA+

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1116	WORDºÍ~1.EXE
1788	SERVER.exe
1236	fsmgmter.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SERVER.exe
File opened for modification	\??\PhysicalDrive0	fsmgmter.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fsmgmter.exe	SERVER.exe
File opened for modification	C:\Windows\fsmgmter.exe	SERVER.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	SERVER.exe
Token: SeDebugPrivilege	1236	fsmgmter.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1236	fsmgmter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1116	WORDºÍ~1.EXE
1116	WORDºÍ~1.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1116	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	28
PID 1948 wrote to memory of 1116	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	28
PID 1948 wrote to memory of 1116	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	28
PID 1948 wrote to memory of 1116	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	28
PID 1948 wrote to memory of 1788	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	29
PID 1948 wrote to memory of 1788	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	29
PID 1948 wrote to memory of 1788	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	29
PID 1948 wrote to memory of 1788	1948	eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe	29
PID 1236 wrote to memory of 1184	1236	fsmgmter.exe	31
PID 1236 wrote to memory of 1184	1236	fsmgmter.exe	31
PID 1236 wrote to memory of 1184	1236	fsmgmter.exe	31
PID 1236 wrote to memory of 1184	1236	fsmgmter.exe	31

C:\Users\Admin\AppData\Local\Temp\eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe
"C:\Users\Admin\AppData\Local\Temp\eaf6b9966123c5a09ad610e2bff659110a8a23f0178bb693cc4a2f375742816e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORDºÍ~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORDºÍ~1.EXE
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1788

C:\Windows\fsmgmter.exe
C:\Windows\fsmgmter.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:1184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORDºÍ~1.EXE

Filesize
736KB

MD5
50e97727ab59ff9701689c37bde72e84

SHA1
ad2b82722e3110b167f7d3c37212c355e1f87a05

SHA256
c7f8c646d9c14c58bcd1c0ceae7b74fa5c4cede7b0d782e69a90e53aedcde034

SHA512
7f708a0255e0647aea1dd50a98bd97969baa19d6403abbb9a5e17d68858ac10c4d66badbab292b962cfca421a1252045232c9926308563e01a237044196eb71a

Download Submit
C:\Windows\fsmgmter.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
C:\Windows\fsmgmter.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\SERVER.exe

Filesize
468KB

MD5
591b3ae9dfec8765958d3c96cb7a2968

SHA1
319c2a08f0d77102431b00c65f39856d2481e6bc

SHA256
97f284d87b374bebd5bb3787f45099b31b4e4fd8165616fb30abaff4b793d493

SHA512
ebd1ee94be3488856dbed30b25809bf35cb30ddfb4866e000ad38c407dbee770159fff7448492abad54e30b0657c8b1ffc520b8d92ec99b0ea793ca68baec74d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORDºÍ~1.EXE

Filesize
736KB

MD5
50e97727ab59ff9701689c37bde72e84

SHA1
ad2b82722e3110b167f7d3c37212c355e1f87a05

SHA256
c7f8c646d9c14c58bcd1c0ceae7b74fa5c4cede7b0d782e69a90e53aedcde034

SHA512
7f708a0255e0647aea1dd50a98bd97969baa19d6403abbb9a5e17d68858ac10c4d66badbab292b962cfca421a1252045232c9926308563e01a237044196eb71a

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\WORDºÍ~1.EXE

Filesize
736KB

MD5
50e97727ab59ff9701689c37bde72e84

SHA1
ad2b82722e3110b167f7d3c37212c355e1f87a05

SHA256
c7f8c646d9c14c58bcd1c0ceae7b74fa5c4cede7b0d782e69a90e53aedcde034

SHA512
7f708a0255e0647aea1dd50a98bd97969baa19d6403abbb9a5e17d68858ac10c4d66badbab292b962cfca421a1252045232c9926308563e01a237044196eb71a

Download Submit
memory/1116-58-0x0000000076031000-0x0000000076033000-memory.dmp

Filesize
8KB

Download
memory/1116-63-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1116-65-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1116-66-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1236-81-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1236-82-0x0000000000330000-0x000000000036A000-memory.dmp

Filesize
232KB

Download
memory/1236-83-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1788-76-0x0000000000280000-0x00000000002BA000-memory.dmp

Filesize
232KB

Download
memory/1788-75-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1948-73-0x0000000003260000-0x0000000003344000-memory.dmp

Filesize
912KB

Download
memory/1948-74-0x0000000003260000-0x0000000003344000-memory.dmp

Filesize
912KB

Download
memory/1948-64-0x0000000003260000-0x0000000003318000-memory.dmp

Filesize
736KB

Download
memory/1948-62-0x0000000003260000-0x0000000003318000-memory.dmp

Filesize
736KB

Download
memory/1948-80-0x0000000001000000-0x000000000120B000-memory.dmp

Filesize
2.0MB

Download
memory/1948-61-0x0000000003260000-0x0000000003318000-memory.dmp

Filesize
736KB

Download
memory/1948-60-0x00000000001E0000-0x0000000000234000-memory.dmp

Filesize
336KB

Download
memory/1948-59-0x0000000001000000-0x000000000120B000-memory.dmp

Filesize
2.0MB

Download