Analysis

  • max time kernel
    151s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-11-2022 12:48

General

  • Target

    e9d74c565a50e4ca146e265be8ccc26eb25f7fb1febc3cd8df8f4d6f49a7248e.exe

  • Size

    841KB

  • MD5

    78f23b424c0f5076dcc1e3bee2db5134

  • SHA1

    9d683fa2858af6792c1bddfa34434c74e82f8963

  • SHA256

    e9d74c565a50e4ca146e265be8ccc26eb25f7fb1febc3cd8df8f4d6f49a7248e

  • SHA512

    4b200eff294d8e04decc2ef77582de464c7afcab3baad4bd4020f86120d6729b9933acaf658bd6bab62fd91c42859a0cd40ae963fd1a162f9f9f4145c1d5353b

  • SSDEEP

    12288:LTIsNfmZsmqGXryg3ivlm25mqITQhH7Atk/SoTmiXwkQKx+YoLo8:LTIstm2mjXr7g32QFgk6gmiTQKx

Score
8/10

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Enumerates connected drives (3 TTPs, 26 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (11 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (59 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (10 IoCs)
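The "Writes to the Master Boot Record" signature is the one that drives the 8/10 score, so the check a responder wants is a way to tell whether a host's MBR still matches a known-good baseline. The script below is an added example and is not part of the sandbox report or of the sample's own code: it parses a 512-byte MBR sector (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), hashes the bootstrap code and flags the things a bootkit overwrite or a corrupted table would change. The two sectors it runs on are constructed in the block (the "clean" boot code is a stand-in, not a real Windows bootstrap); on a live Windows host the same 512 bytes come from reading `\\.\PhysicalDrive0` with administrator rights, and the baseline hash should be taken from a known-good image of the same Windows build.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, the part a bootkit replaces
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw MBR sector into boot-code hash, partition entries and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status, CHS start, type, CHS end, LBA start, sector count (little-endian)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[MBR_SIZE - 2:] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    mbr = parse_mbr(sector)
    findings: List[str] = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootkit overwrite)")
    active = [p for p in mbr["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions flagged active, expected at most 1")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and p["sectors"] != 0:
            findings.append(f"entry {i}: unused partition type but non-zero size")
    return findings


# --- constructed sample sectors (not taken from the sandbox run) ---------------
def _entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3sB3sII", status, b"\x00\x02\x00", ptype,
                       b"\xfe\xff\xff", lba_start, sectors)


def _build_mbr(boot_code: bytes, entries: List[bytes]) -> bytes:
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(4 * PART_ENTRY_LEN, b"\x00")
    return boot_code + table + BOOT_SIGNATURE


# stand-in for stock bootstrap code; a real baseline hash comes from a known-good image
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE, [_entry(0x80, 0x07, 2048, 2097152)])
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# bootkit-style tampering: boot code replaced, partition table left intact so the OS still boots
TAMPERED_MBR = _build_mbr(b"\xeb\xfe" + b"\x41" * 300, [_entry(0x80, 0x07, 2048, 2097152)])

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

The partition-table checks are deliberately weak signals on their own: a bootkit that only swaps the bootstrap code leaves the table valid, which is why the boot-code hash comparison is the check that matters and why the baseline must come from a trusted source rather than from the suspect host.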

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9d74c565a50e4ca146e265be8ccc26eb25f7fb1febc3cd8df8f4d6f49a7248e.exe
    "C:\Users\Admin\AppData\Local\Temp\e9d74c565a50e4ca146e265be8ccc26eb25f7fb1febc3cd8df8f4d6f49a7248e.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4996
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 728
      2⤵
      • Program crash
      PID:1684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 784
      2⤵
      • Program crash
      PID:2936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1216
      2⤵
      • Program crash
      PID:204
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1224
      2⤵
      • Program crash
      PID:3220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1212
      2⤵
      • Program crash
      PID:4364
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1400
      2⤵
      • Program crash
      PID:2744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1228
      2⤵
      • Program crash
      PID:1512
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1376
      2⤵
      • Program crash
      PID:2112
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1448
      2⤵
      • Program crash
      PID:4452
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 2004
      2⤵
      • Program crash
      PID:3124
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1404
      2⤵
      • Program crash
      PID:4076
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996
    1⤵
    PID:1332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4996 -ip 4996
    1⤵
    PID:3932
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4996 -ip 4996
    1⤵
    PID:1852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4996 -ip 4996
    1⤵
    PID:776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4996 -ip 4996
    1⤵
    PID:3536
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4996 -ip 4996
    1⤵
    PID:2000
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4996 -ip 4996
    1⤵
    PID:4232
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4996 -ip 4996
    1⤵
    PID:748
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4996 -ip 4996
    1⤵
    PID:3752
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:5012
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:736
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4388
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:1744
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2824
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:3124
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4748
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3768
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4296
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3884
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:3096
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 548 -p 3884 -ip 3884
    1⤵
    PID:4524
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4996 -ip 4996
    1⤵
    PID:4008
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4996 -ip 4996
    1⤵
    PID:3864
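Most of the process tree is WerFault.exe noise, and the eleven `-u -p 4996` launches all point at the submitted sample (PID 4996). A sample that crashes this often in the sandbox is itself a triage signal: its dynamic signatures may be incomplete because it never got past the crash. The script below is an added example, not part of the report, showing how to correlate that noise back to the faulting process from process-creation command lines (Sysmon event ID 1 exports or a sandbox process list). Both WerFault forms seen above name the faulting process with `-p`, which is the key it groups on; the six command lines are copied from the tree, while the PID-to-image map is constructed for the example and would normally come from the same telemetry.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Six WerFault command lines copied from the process tree above.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 728",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 784",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1216",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4996 -ip 4996",
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4996 -ip 4996",
    r"C:\Windows\system32\WerFault.exe -pss -s 548 -p 3884 -ip 3884",
]
# Constructed for the example: in practice, the image path for each PID comes
# from the process-creation events themselves.
PROCESS_IMAGES = {
    4996: r"C:\Users\Admin\AppData\Local\Temp\e9d74c565a50e4ca146e265be8ccc26eb25f7fb1febc3cd8df8f4d6f49a7248e.exe",
    3884: r"C:\Windows\explorer.exe",
}

# "-u -p <pid> -s <n>" is a user-mode crash report for <pid>; "-pss -s <n> -p <pid> -ip <pid>"
# is the other helper form seen in the tree. "\s-p" keeps "-ip" from matching as "-p".
WERFAULT_RE = re.compile(
    r"WerFault\.exe\s+(?P<mode>-u|-pss)\b.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


def werfault_events(cmdlines: Iterable[str]) -> Dict[int, Dict[str, int]]:
    """Count WerFault launches per faulting PID, split by invocation mode."""
    counts: Dict[int, Dict[str, int]] = defaultdict(lambda: {"u": 0, "pss": 0})
    for line in cmdlines:
        m = WERFAULT_RE.search(line)
        if m is None:
            continue  # not a WerFault launch in a form we understand
        counts[int(m["pid"])][m["mode"].lstrip("-").lower()] += 1
    return dict(counts)


def crash_storms(cmdlines: Iterable[str], images: Dict[int, str],
                 threshold: int = 3) -> List[str]:
    """Report PIDs with at least `threshold` user-mode crash reports, resolved to an image."""
    findings: List[str] = []
    for pid, c in sorted(werfault_events(cmdlines).items()):
        if c["u"] >= threshold:
            image = images.get(pid, "<unknown image>")
            findings.append(
                f"pid {pid} ({image}): {c['u']} crash reports, {c['pss']} -pss helper launches")
    return findings


if __name__ == "__main__":
    for finding in crash_storms(WERFAULT_CMDLINES, PROCESS_IMAGES):
        print(finding)
```

Run against the full tree above, the same logic attributes all eleven `-u` reports and all twelve `-pss` launches to PID 4996, and the single system32 `-pss` launch to explorer.exe (PID 3884); the threshold is a tuning knob, since one or two WerFault launches per process are routine on a busy host.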

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder: T1060 (2)
    • Bootkit: T1067 (1)
  • Defense Evasion
    • Modify Registry: T1112 (3)
  • Discovery
    • Query Registry: T1012 (2)
    • Peripheral Device Discovery: T1120 (2)
    • System Information Discovery: T1082 (3)

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Filesize: 1KB
    MD5: 2dacc72dec4834fe615738e2b526ce7b
    SHA1: e367401f19839947c998f746ca790a2c314ba818
    SHA256: 9d29aecda90d650c09230302df0e15ee3b447d7a0a46625c6866a0f654449822
    SHA512: bcd80368033fc64be9a4bd359721227d83eaed287f8d111cdd2ba519c37f2ad3e0cabde975bf07e73d68e41a4c085788da41748aa019dd548ce829525a641c91

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Filesize: 434B
    MD5: 860ee737536f1e0be60b91f81f4a7fc7
    SHA1: cf2b3364376f0c0b78cfb8e5f568d3becf0f710f
    SHA256: 085c1f3daf2a4a17a4eb88077007f9178570d40989535b5c37a4861b3e923115
    SHA512: 35fdd1555051a25756a02707a97d9f47d13e5331022757a4636fc9e1d9ae01971e12ed4d39396addb0e7553a6a698702212edc9b9240247f031960296b547a08

  • C:\Users\Admin\AppData\Local\IconCache.db
    Filesize: 12KB
    MD5: 6370cce6c066a452ae7b7587e9f6608a
    SHA1: 176ed47ccf793ef48c52b42f7cfc8701938fbad4
    SHA256: 85c74f4f9dd07896205a87c159294ee9ee7f02950e632e4d7cd53792dd0914b6
    SHA512: 5aaaf2f38afb6dfccb318c0318f41efba375929ab0206e5b7c3438dd9d2a7c77ca07993435e7f36d6db6d2913d804edf4fc6d92ab67b5af6c113cc3f3aacfca9

  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
    Filesize: 1016B
    MD5: 0e4048ae343932ec4deecd5c28d41120
    SHA1: d8cba17ad7c4a6c0b69b6e45291bdf64d83fa724
    SHA256: d12b37982d443bb314d593362d052eba684b200eca1454a7d149d357efe27970
    SHA512: bd7e2eaf99267bea7be01b6c3cac74e5a0c8337fcf0215c62cea4192f9b6bc0ede3a733d282750693b0c3c7cbb96b63614e12ad5928ceda17fe9c064dec411c9

  • memory/736-136-0x0000000000000000-mapping.dmp
  • memory/1744-137-0x0000000000000000-mapping.dmp
  • memory/3884-145-0x0000000000000000-mapping.dmp
  • memory/4296-143-0x0000000000000000-mapping.dmp
  • memory/4748-138-0x0000000000000000-mapping.dmp
  • memory/4996-132-0x0000000000400000-0x0000000000A33000-memory.dmp
    Filesize: 6.2MB
  • memory/4996-135-0x0000000000400000-0x0000000000A33000-memory.dmp
    Filesize: 6.2MB
  • memory/4996-134-0x0000000000400000-0x0000000000A33000-memory.dmp
    Filesize: 6.2MB