31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b

Analysis

max time kernel
83s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
Size

88KB
MD5

098aa542acf1217d81b932416e11f1e0
SHA1

c966afa2cf87bf1aa98a073b80ac4b9768ac74ff
SHA256

31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b
SHA512

8ec69521df615f2411662bbb967d1876d10dfdb4d2b2ee79e6cad2ad90414d94ab85ec6229e7d17f53306e4bb18bfff82ec26da1592a04f95f47669b0c86fb42
SSDEEP

1536:qYTmwVUsW7dtJMHy0DxmJ9BGXpMMKvTd+x9yNvM4nvDzZJo3lA7eFuY3M:tS17XJiDxmJ9BYMMKvTd4EjnvZJo3KgM

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

Processes:

31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe

pid	process
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
4100	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe

description ioc process

File opened for modification \??\PhysicalDrive0 31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe

C:\Users\Admin\AppData\Local\Temp\31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe
"C:\Users\Admin\AppData\Local\Temp\31e1f720cd49a019e77ab963ecd9d45ce8319aa6a27f0bf4f1956128c7e2bb2b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\NSISdl.dll
Filesize
14KB

MD5
6b85b2ff78fe0e04b5f0d4e996f0d62e

SHA1
4507dee0b963080cbd75c383fa4650c7b99907dc

SHA256
c7a033bb91be5487d93cc402d27e4e893ba39b37a121f60c9dbef5bdf02e52e7

SHA512
84cbe4c2ecefd5eaa01ba5c1063056aed5f62a6ced32876c591bfb2bbe8688a020d02573a5f419cac2362579021fe2b4c6abf7e5d619de8178028db49d53e84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\NSISdl.dll
Filesize
14KB

MD5
6b85b2ff78fe0e04b5f0d4e996f0d62e

SHA1
4507dee0b963080cbd75c383fa4650c7b99907dc

SHA256
c7a033bb91be5487d93cc402d27e4e893ba39b37a121f60c9dbef5bdf02e52e7

SHA512
84cbe4c2ecefd5eaa01ba5c1063056aed5f62a6ced32876c591bfb2bbe8688a020d02573a5f419cac2362579021fe2b4c6abf7e5d619de8178028db49d53e84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\NSISdl.dll
Filesize
14KB

MD5
6b85b2ff78fe0e04b5f0d4e996f0d62e

SHA1
4507dee0b963080cbd75c383fa4650c7b99907dc

SHA256
c7a033bb91be5487d93cc402d27e4e893ba39b37a121f60c9dbef5bdf02e52e7

SHA512
84cbe4c2ecefd5eaa01ba5c1063056aed5f62a6ced32876c591bfb2bbe8688a020d02573a5f419cac2362579021fe2b4c6abf7e5d619de8178028db49d53e84b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\System.dll
Filesize
10KB

MD5
1a7a1f7fd0acd2ebe7722d56357a56da

SHA1
d6e952df2d3c33b923685087509eda5be1c53bdf

SHA256
3b2f46ecabea3457a0e29847974ced9f26d617449812e485543d28d645cdd060

SHA512
cf02e30108ea7e584b5b01a8347142927973f0b4b25a03020075cafb2badbee4eec3bb7c4c5785928f4d1e86248983904f33c0df363ee5c4c53a973c7beb39aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\md5dll.dll
Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\md5dll.dll
Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\xID.dll
Filesize
3KB

MD5
76d2faad042161f24b6c9c78de3bd265

SHA1
12518e1ba9e96dc202e6c12267650e52f1058664

SHA256
0b31ee64cab09f19e672b3d7f7d11516fe1cd373c2e2861a955b84d054c0507f

SHA512
cea11e232eabf2d525b09cae03e8f8a0b83f92a718f8cf92308d7f31bd4f92ab96c34c1107dbed14517f17ee41a84afd3433f42148edebfbaeca78a517b7e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF7F2.tmp\xID.dll
Filesize
3KB

MD5
76d2faad042161f24b6c9c78de3bd265

SHA1
12518e1ba9e96dc202e6c12267650e52f1058664

SHA256
0b31ee64cab09f19e672b3d7f7d11516fe1cd373c2e2861a955b84d054c0507f

SHA512
cea11e232eabf2d525b09cae03e8f8a0b83f92a718f8cf92308d7f31bd4f92ab96c34c1107dbed14517f17ee41a84afd3433f42148edebfbaeca78a517b7e508

Download Submit
memory/4100-140-0x00000000023C1000-0x00000000023C4000-memory.dmp

Filesize
12KB

Download