Analysis
- max time kernel: 126s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2022 02:13
Static task: static1
Behavioral task: behavioral1
- Sample: f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
- Resource: win10v2004-20220812-en
General
- Target: f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
- Size: 469KB
- MD5: 367e055710aafdb153b0487b26fb0ef0
- SHA1: c4ef0c0c9bf647893bf24d4ebcc0ce778e0afc94
- SHA256: f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180
- SHA512: 2a7bce666dac94b7f8f0590870ad1fe952a0e71078fd6de4517fb17af991016a318cf3a00b8209676bdcbfc23af0c9c32c031358fde2ac1beafbe315d4776f8b
- SSDEEP: 12288:95k+q39RdHC+b/X3jAg82O9J9TxbWCFeMeYwqFI7W:9CltDHPj7c7NbWrMeYwqcW
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 960, GHFHGJHNSSJDW.exe
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 624, cmd.exe
- Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
  - File opened for modification, \??\PhysicalDrive0, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
  - File opened for modification, \??\PhysicalDrive0, GHFHGJHNSSJDW.exe
- Drops file in Windows directory (3 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Windows\GHFHGJHNSSJDW.exe, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
  - File created, C:\Windows\HKFX2008.BAT, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
  - File created, C:\Windows\GHFHGJHNSSJDW.exe, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 2012, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe
  - Token: SeDebugPrivilege, 960, GHFHGJHNSSJDW.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes (pid, process):
  - 960, GHFHGJHNSSJDW.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 960 wrote to memory of 1704, 960, GHFHGJHNSSJDW.exe, IEXPLORE.EXE
  - PID 960 wrote to memory of 1704, 960, GHFHGJHNSSJDW.exe, IEXPLORE.EXE
  - PID 960 wrote to memory of 1704, 960, GHFHGJHNSSJDW.exe, IEXPLORE.EXE
  - PID 960 wrote to memory of 1704, 960, GHFHGJHNSSJDW.exe, IEXPLORE.EXE
  - PID 2012 wrote to memory of 624, 2012, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe, cmd.exe
  - PID 2012 wrote to memory of 624, 2012, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe, cmd.exe
  - PID 2012 wrote to memory of 624, 2012, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe, cmd.exe
  - PID 2012 wrote to memory of 624, 2012, f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe, cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180.exe"
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: cmd /c C:\Windows\HKFX2008.BAT
    - Deletes itself
- C:\Windows\GHFHGJHNSSJDW.exe (level 1)
  Command line: C:\Windows\GHFHGJHNSSJDW.exe
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Internet Explorer\IEXPLORE.EXE (level 2)
    Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Windows\GHFHGJHNSSJDW.exe
  Filesize: 469KB
  MD5: 367e055710aafdb153b0487b26fb0ef0
  SHA1: c4ef0c0c9bf647893bf24d4ebcc0ce778e0afc94
  SHA256: f73882be9f2c415bba53237931ecb4041683acfcfa96ad9a27e7ab662684b180
  SHA512: 2a7bce666dac94b7f8f0590870ad1fe952a0e71078fd6de4517fb17af991016a318cf3a00b8209676bdcbfc23af0c9c32c031358fde2ac1beafbe315d4776f8b
- C:\Windows\HKFX2008.BAT
  Filesize: 254B
  MD5: 865d230ef518f60b9b97d9e363067bb7
  SHA1: 6943a8d22a7cb62201af82c968061c01478a065d
  SHA256: ea412ca90fbfdb0ea2dab8b9450a1e88bb7f752038662df3320cad7c68f96f71
  SHA512: 2cab143f9537d049c1edcc143f71ff93f6cbab807cc26d005838b88914f8c01afe16bf7b2ca2393cb1a8672ee8c59e3078ba475c410f9524800409addcf1c779
- memory/624-60-0x0000000000000000-mapping.dmp
- memory/960-63-0x0000000001CB0000-0x0000000001CEA000-memory.dmp
  Filesize: 232KB
- memory/960-62-0x0000000000400000-0x00000000004E4000-memory.dmp
  Filesize: 912KB
- memory/960-64-0x0000000000400000-0x00000000004E4000-memory.dmp
  Filesize: 912KB
- memory/2012-54-0x00000000758C1000-0x00000000758C3000-memory.dmp
  Filesize: 8KB
- memory/2012-55-0x0000000000400000-0x00000000004E4000-memory.dmp
  Filesize: 912KB
- memory/2012-56-0x00000000002F0000-0x000000000032A000-memory.dmp
  Filesize: 232KB