ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d

Analysis

max time kernel
122s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
Size

76KB
MD5

9238a0085d674a8336538565583bc3b0
SHA1

7e8e987760b91e7169df12e6774909975d90bac6
SHA256

ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d
SHA512

dc489cb9b852239b854fbcdf8a9d1d6440e1387d5662974e88128216a5950b0425200119a26346c8ca7a465ce25dd74b1fc9bfb46e958c53f0673157de424983
SSDEEP

1536:TRYpHXbpdF1XJfHM3S0DamJnM+YbAFQ8rYsqP34:1Y3dFNJPmDamJnbYkF7r44

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 8 IoCs

pid	Process
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
1856	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe
"C:\Users\Admin\AppData\Local\Temp\ecf6da9a04d2f21d508fe861e115ba17cd77e9b3ab053e10a4eff93b54c48d9d.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\Md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\NSISdl.dll

Filesize
14KB

MD5
f0419089787f4bd9d422c9d1933e0932

SHA1
000235068a70817d5e2897b684188433cb9c4c9b

SHA256
1ac04e7a5efe274d9cdfe51162719d93d765c5cd565a2bcfadec3e9618baa086

SHA512
ebd3f38fe268687269bdb3d6a814dfff8659d3655cea692fc914be42a78d8b82f3d2d7af9267359d97c4d6af68ae03d8e6e5374c774a02f356b103b1a6e09ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\NSISdl.dll

Filesize
14KB

MD5
f0419089787f4bd9d422c9d1933e0932

SHA1
000235068a70817d5e2897b684188433cb9c4c9b

SHA256
1ac04e7a5efe274d9cdfe51162719d93d765c5cd565a2bcfadec3e9618baa086

SHA512
ebd3f38fe268687269bdb3d6a814dfff8659d3655cea692fc914be42a78d8b82f3d2d7af9267359d97c4d6af68ae03d8e6e5374c774a02f356b103b1a6e09ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\NSISdl.dll

Filesize
14KB

MD5
f0419089787f4bd9d422c9d1933e0932

SHA1
000235068a70817d5e2897b684188433cb9c4c9b

SHA256
1ac04e7a5efe274d9cdfe51162719d93d765c5cd565a2bcfadec3e9618baa086

SHA512
ebd3f38fe268687269bdb3d6a814dfff8659d3655cea692fc914be42a78d8b82f3d2d7af9267359d97c4d6af68ae03d8e6e5374c774a02f356b103b1a6e09ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\System.dll

Filesize
11KB

MD5
f55b41485cbaf292389a52f8e4f0594b

SHA1
89e9b0d1291fa78a40cab358553c447cbbeaa130

SHA256
f16bc2ceb7a6bc7df0955530e72b0aa072ce27650c5cf7b33fd4ea82dea196fc

SHA512
938e8661b8cf418608156dc813c1eb0cc3fa5efa9483061a152bb103c4d821d5c6a82d4c110729e9686f99ccd4da188aebb38a85a01d8ecadb34bb9f6ba60d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\xID.dll

Filesize
3KB

MD5
76d2faad042161f24b6c9c78de3bd265

SHA1
12518e1ba9e96dc202e6c12267650e52f1058664

SHA256
0b31ee64cab09f19e672b3d7f7d11516fe1cd373c2e2861a955b84d054c0507f

SHA512
cea11e232eabf2d525b09cae03e8f8a0b83f92a718f8cf92308d7f31bd4f92ab96c34c1107dbed14517f17ee41a84afd3433f42148edebfbaeca78a517b7e508

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswB22F.tmp\xID.dll

Filesize
3KB

MD5
76d2faad042161f24b6c9c78de3bd265

SHA1
12518e1ba9e96dc202e6c12267650e52f1058664

SHA256
0b31ee64cab09f19e672b3d7f7d11516fe1cd373c2e2861a955b84d054c0507f

SHA512
cea11e232eabf2d525b09cae03e8f8a0b83f92a718f8cf92308d7f31bd4f92ab96c34c1107dbed14517f17ee41a84afd3433f42148edebfbaeca78a517b7e508

Download Submit
memory/1856-140-0x00000000022C1000-0x00000000022C4000-memory.dmp

Filesize
12KB

Download