bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-10-2022 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe
Size

4.2MB
MD5

6bb93c6d326587b5ebe0c379af6d13f3
SHA1

d28f45d077a927b854f1d3772ed3af9854022365
SHA256

bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4
SHA512

eae302343cd00e50677277d160f5b86a8ac096c428791fa970b14d5622b05394bc0691d85ed0e3f76a7b5620459a951366a8571c83e16db0be2897d4f2f416dd
SSDEEP

98304:fbZEvgC7LsdDS+76umcnxk2w2DJoLo/r2:lEvd7LsdDS+wjD08Oy

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
576	bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe

C:\Users\Admin\AppData\Local\Temp\bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe
"C:\Users\Admin\AppData\Local\Temp\bbc164be644fa50cc91ec3dcc9bc47151dd0414e19293f9d7e83fd82e63d5de4.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-54-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/576-55-0x0000000000400000-0x0000000000C7F000-memory.dmp

Filesize
8.5MB

Download
memory/576-57-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-56-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-60-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-59-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-58-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-64-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-63-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-62-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-61-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-66-0x0000000002C40000-0x0000000002D80000-memory.dmp

Filesize
1.2MB

Download
memory/576-67-0x0000000000D60000-0x0000000000D63000-memory.dmp

Filesize
12KB

Download
memory/576-68-0x0000000000400000-0x0000000000C7F000-memory.dmp

Filesize
8.5MB

Download