Overview

overview

8

Static

static

b3143e7024...42.exe

windows7-x64

6

b3143e7024...42.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b3143e7024d865b78e66199e722b4159342558e78eb25777fcecdb70ec406442.exe

  • Size

    797KB

  • MD5

    c58e180db9fd235c65cb2ad13733cf0f

  • SHA1

    627466a8010e3d36a87afaa16c64593b14b64fbf

  • SHA256

    b3143e7024d865b78e66199e722b4159342558e78eb25777fcecdb70ec406442

  • SHA512

    175634a10cd63fb180b273b00763bc16dcd5352cc29c642d2711b4d880af6ac4e380dd5fd5a5f67220685338d2dce48b36e095ff41f5fe203780b66e9eb1978a

  • SSDEEP

    24576:QL7BphknxWn2E8QCCPS4o/PhbXstzc9evNJ0JeZ/r:o7B/kxACCatNkzgev70Jet

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 8 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b3143e7024d865b78e66199e722b4159342558e78eb25777fcecdb70ec406442.exe
    "C:\Users\Admin\AppData\Local\Temp\b3143e7024d865b78e66199e722b4159342558e78eb25777fcecdb70ec406442.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3812
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4136
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3868
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:5056
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4268
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:5060
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 5060 -s 2748
        3⤵
        • Program crash
        PID:924
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2228
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 444 -p 5060 -ip 5060
    1⤵
      PID:4124
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3568
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies registry class
        PID:4128
    • C:\Windows\explorer.exe
      explorer.exe
      1⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
      1⤵
        PID:976
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2136
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies registry class
          PID:3996
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
        1⤵
          PID:4184

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\IconCache.db
          Filesize

          15KB

          MD5

          84cf04709bf2bfdbc2e6e90f76448cf4

          SHA1

          de272fb9a826f95cdf3c77cc6dfacb37b7e5aacd

          SHA256

          650b9d8ae0e4ddd4332bad65d08747632d38c6cf6cf504c59edd0a82721b7711

          SHA512

          3151ae295f1ec4f6519872db31e8b4d44028604f11fb3d4eb9f3d1ad2ce5f807967f049085807f1c82df0826a11c4ee575cd7bde49709e629a8fa96f771595db

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
          Filesize

          1022B

          MD5

          fef887ef25b166c4556b08e8658fe640

          SHA1

          5eece3c7574417577a5c062ed61d933313be1ead

          SHA256

          28acc8fc796133f63814d940128356328c7dcff693913b672f1c3ebe9989c90f

          SHA512

          a87a642359c3961ed0ecb2db378a6ca62da6bda412fdf3bc69f645fde4cf7d518ec29c3cb3f352526a227a5d04cbc077817f80e23ea3a5aa65b75e87e6fb52d4

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
          Filesize

          1022B

          MD5

          fef887ef25b166c4556b08e8658fe640

          SHA1

          5eece3c7574417577a5c062ed61d933313be1ead

          SHA256

          28acc8fc796133f63814d940128356328c7dcff693913b672f1c3ebe9989c90f

          SHA512

          a87a642359c3961ed0ecb2db378a6ca62da6bda412fdf3bc69f645fde4cf7d518ec29c3cb3f352526a227a5d04cbc077817f80e23ea3a5aa65b75e87e6fb52d4

          Download Submit
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
          Filesize

          28KB

          MD5

          fa1fe4199691cf42de97a4d43892b726

          SHA1

          65f036403ca5be7a2b03ad5dc5994fb3df977073

          SHA256

          5b87192768dfed03e16cbbb51b75983b4e865b5e735383073442098f390a8092

          SHA512

          e52fdffef687fbe1a48aec3a01776f86a6c4780a91efbb4b1601bda7d45f396dd25b2ac8cd3f1944429cd9d528a0f293c1e36b571f695d9acbfb1a3d9cf73f03

          Download Submit
        • memory/2136-141-0x0000000000000000-mapping.dmp
          Download
        • memory/3812-134-0x00000000029A0000-0x00000000029A7000-memory.dmp
          Filesize

          28KB

          Download
        • memory/3812-135-0x0000000000400000-0x0000000000B08000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/3812-136-0x0000000000400000-0x0000000000B08000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/3812-132-0x0000000000400000-0x0000000000B08000-memory.dmp
          Filesize

          7.0MB

          Download
        • memory/3868-137-0x0000000000000000-mapping.dmp
          Download
        • memory/3996-142-0x0000000000000000-mapping.dmp
          Download
        • memory/4128-139-0x0000000000000000-mapping.dmp
          Download
        • memory/5060-138-0x0000000000000000-mapping.dmp
          Download