5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a

Analysis

max time kernel
161s
max time network
239s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
Size

170KB
MD5

fc3bdfec5907968cc35af7ed8eb49784
SHA1

2e34767187c03733e07f7882a3490d9bfa1aebd3
SHA256

5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a
SHA512

b7ab999b2d04366de12799a843d06d4971ace3826c6d5194db547cc15437c90ce01ca65a7b9997d7bcf96ec6264f35ef305604a87d3921aba933b9706f51c3af
SSDEEP

3072:ReWfjw5CsqDbgXu6dbrePqNdLn+BvU5clFIW2ZZdYbi9mbF:h85Csq6breAEU5ciW2ZZNy

Score

7^/10

bootkit persistence

Malware Config

Signatures

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	64.206.17.112
Destination IP	64.114.139.71
Destination IP	82.204.218.100
Destination IP	64.7.116.207
Destination IP	64.5.99.50
Destination IP	198.107.0.14
Destination IP	64.247.166.85
Destination IP	64.78.18.62
Destination IP	64.2.216.94
Destination IP	194.87.0.9
Destination IP	64.85.144.1
Destination IP	64.53.69.239
Destination IP	82.204.218.100
Destination IP	80.237.244.50
Destination IP	64.116.212.185
Destination IP	64.22.59.195
Destination IP	64.218.158.104
Destination IP	64.40.130.43
Destination IP	213.219.245.120
Destination IP	64.95.75.61
Destination IP	64.38.223.8
Destination IP	64.247.166.85
Destination IP	202.235.79.227
Destination IP	64.64.93.178
Destination IP	64.231.53.173
Destination IP	64.4.239.39
Destination IP	64.71.146.175
Destination IP	64.22.59.195
Destination IP	64.69.131.138
Destination IP	64.130.108.208
Destination IP	64.71.146.175
Destination IP	164.42.157.2
Destination IP	64.130.108.208
Destination IP	64.231.53.173
Destination IP	64.210.47.56
Destination IP	64.87.84.171
Destination IP	64.111.115.120
Destination IP	64.107.180.10
Destination IP	64.5.99.50
Destination IP	64.84.146.183
Destination IP	64.95.75.61
Destination IP	211.115.194.2
Destination IP	64.204.109.7
Destination IP	64.234.197.187
Destination IP	64.184.104.165
Destination IP	64.204.109.7
Destination IP	64.130.54.160
Destination IP	64.202.5.56
Destination IP	64.207.14.21
Destination IP	64.197.42.209
Destination IP	64.38.223.8
Destination IP	213.219.245.120
Destination IP	64.197.42.209
Destination IP	64.170.57.164
Destination IP	202.235.79.227
Destination IP	64.202.5.56
Destination IP	64.175.230.147
Destination IP	64.207.14.21
Destination IP	64.210.30.203
Destination IP	64.87.84.171
Destination IP	64.2.216.94
Destination IP	64.124.108.97
Destination IP	198.107.0.14
Destination IP	64.207.82.216

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe

Suspicious use of SetWindowsHookEx 51 IoCs

pid	Process
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
1960	5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe

C:\Users\Admin\AppData\Local\Temp\5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe
"C:\Users\Admin\AppData\Local\Temp\5aa2a4b41857e176fdf1721e7a45b28e7bed8754f9b3f10e7ac5ff8d234cf26a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1960-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1960-55-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1960-56-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download