Analysis
max time kernel: 153s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 22:22

Static task: static1
Behavioral task: behavioral1
  Sample: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
  Resource: win10v2004-20220812-en

General
Target: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
Size: 1013KB
MD5: f7adad3935f3641363cc1f61e7eff24f
SHA1: f3e667bb4c25951613fc2936f90d2e086993eab1
SHA256: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408
SHA512: 56d679784dece8ea5922c0969ac292b33f38b3bbe340edb73d8ef07b483affb23c19776cf2f23ed24c10df781218776da160399c19ac1f04ec6c3286525fafdb
SSDEEP: 24576:rEPrVEkNwwouWihUW3cfwspt82UKVTSv:4CMorfb82UKVTSv
Malware Config
Signatures
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
- File opened for modification: \??\PhysicalDrive0 (8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe)
The IoC is a write-capable handle on the raw disk device, which is the prerequisite for overwriting sector 0; the report does not show what bytes were written, so confirm the effect by diffing the first 512 bytes of the disk against a clean image before relying on the bootkit label.

Drops file in System32 directory 2 IoCs
Processes: svchost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E5E38DC3-4929-4D30-8603-D6EA7EC83083}.catalogItem (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5AE72309-0C84-4DCA-BBC0-296513A426A8}.catalogItem (svchost.exe)

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: svchost.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (svchost.exe)

Enumerates system info in registry 2 TTPs 2 IoCs
Processes: svchost.exe
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (svchost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (svchost.exe)
The three svchost.exe signatures above come from PID 4100, a separate process-tree root (svchost.exe -k netsvcs -p) that the sample did not spawn; treat them as host background activity unless other evidence ties them to the sample.

Runs ping.exe 1 TTPs 1 IoCs

Suspicious use of WriteProcessMemory 6 IoCs
Processes: 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe, cmd.exe
- PID 2228 (8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe) wrote to memory of PID 2440 (cmd.exe), reported 3 times
- PID 2440 (cmd.exe) wrote to memory of PID 4348 (PING.EXE), reported 3 times
Both targets are the writer's own direct child in the process tree below, not an unrelated process, so on its own this is not evidence of code injection.
Processes
1 C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID: 2228
  2 C:\Windows\SysWOW64\cmd.exe
    command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe"
    - Suspicious use of WriteProcessMemory
    PID: 2440
    3 C:\Windows\SysWOW64\PING.EXE
      command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe
      PID: 4348

1 C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  PID: 4100

The cmd.exe line is the common self-deletion idiom: a single ping to 1.1.1.1 with a 3000 ms timeout serves as a sleep so the parent can exit and release its image, after which Del removes the sample from disk. cmd.exe and PING.EXE resolve to C:\Windows\SysWOW64 on this x64 guest, which means the sample runs as a 32-bit process under WOW64.
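The two behaviours the report attributes to the sample itself (a write-capable handle on \??\PhysicalDrive0, and the cmd.exe /C ping ... & Del self-deletion) turn directly into detection logic over process-creation and file-open telemetry. The following is an added example written for this page; it is not sandbox output and not code from the sample's author. The ProcEvent and FileEvent shapes are an assumption rather than any real sandbox or EDR schema, and the event lists are constructed from the process tree above. It also walks the sample's process subtree so that findings from unrelated roots, such as the svchost.exe PID 4100 here, are reported separately instead of being credited to the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical event shapes (assumption: not a real sandbox/EDR schema).
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str

@dataclass(frozen=True)
class FileEvent:
    pid: int
    path: str       # NT or Win32 path as reported
    access: str     # "read" or "write"

# Constructed input modelled on the process tree in this report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe")
PROC_EVENTS: List[ProcEvent] = [
    ProcEvent(2228, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2440, 2228, r"C:\Windows\SysWOW64\cmd.exe",
              f'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "{SAMPLE}"'),
    ProcEvent(4348, 2440, r"C:\Windows\SysWOW64\PING.EXE", "ping 1.1.1.1 -n 1 -w 3000"),
    ProcEvent(4100, 900, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
]
FILE_EVENTS: List[FileEvent] = [
    FileEvent(2228, r"\??\PhysicalDrive0", "write"),
    FileEvent(4100, r"C:\Windows\system32\config\systemprofile\AppData\Local"
                    r"\Microsoft\InstallService\{E5E38DC3-4929-4D30-8603-D6EA7EC83083}.catalogItem",
              "write"),
]

# A delay primitive (ping or timeout) in a cmd.exe command line ...
_DELAY = re.compile(r"\b(?:ping|timeout)\b", re.I)
# ... followed by del/erase of a (possibly quoted) path; switches such as /f /q are allowed.
_DELETE = re.compile(r'\b(?:del|erase)\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*(?:&|$)', re.I)
# Raw-disk device names: \\.\PhysicalDriveN, \??\PhysicalDriveN, \Device\HarddiskN\DRN.
_RAW_DISK = re.compile(r"^(?:\\\\\.\\|\\\?\?\\)physicaldrive\d+$|^\\device\\harddisk\d+\\dr\d+$", re.I)


def find_self_delete(events: List[ProcEvent]) -> List[Tuple[int, int, str]]:
    """(cmd_pid, parent_pid, deleted_path) for each cmd.exe that delays, then deletes its parent's own image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        delay, delete = _DELAY.search(e.cmdline), _DELETE.search(e.cmdline)
        if not delay or not delete or delay.start() > delete.start():
            continue  # need the sleep *before* the delete
        target = delete.group("target").strip()
        parent = by_pid.get(e.ppid)
        if parent is not None and target.lower() == parent.image.lower():
            hits.append((e.pid, parent.pid, target))
    return hits


def find_raw_disk_writes(files: List[FileEvent]) -> List[Tuple[int, str]]:
    """(pid, device) for each write-capable handle on a raw disk device (sector 0 holds the MBR)."""
    return [(f.pid, f.path) for f in files if f.access == "write" and _RAW_DISK.search(f.path)]


def subtree(events: List[ProcEvent], root_pid: int) -> Set[int]:
    """PIDs of root_pid and every descendant, so findings can be tied to one process tree."""
    children: Dict[int, List[int]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e.pid)
    seen: Set[int] = set()
    stack = [root_pid]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def attribute(procs: List[ProcEvent], files: List[FileEvent],
              root_pid: int) -> Dict[str, List[Tuple[str, int]]]:
    """Split findings into those inside the sample's tree and those from unrelated roots."""
    tree = subtree(procs, root_pid)
    findings = [("self_delete", pid) for pid, _, _ in find_self_delete(procs)]
    findings += [("raw_disk_write", pid) for pid, _ in find_raw_disk_writes(files)]
    findings += [("system32_write", f.pid) for f in files
                 if f.access == "write" and f.path.lower().startswith("c:\\windows\\system32\\")]
    return {"sample": [f for f in findings if f[1] in tree],
            "unattributed": [f for f in findings if f[1] not in tree]}


if __name__ == "__main__":
    print(attribute(PROC_EVENTS, FILE_EVENTS, 2228))
```

Run against the constructed events, the self-delete and the PhysicalDrive0 write land under "sample" while the InstallService catalogItem write from PID 4100 is reported as unattributed, matching the split argued for above. The delete regex deliberately rejects any command line where the delete precedes the sleep, since that ordering cannot remove a still-running parent.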