8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
Size

1013KB
MD5

f7adad3935f3641363cc1f61e7eff24f
SHA1

f3e667bb4c25951613fc2936f90d2e086993eab1
SHA256

8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408
SHA512

56d679784dece8ea5922c0969ac292b33f38b3bbe340edb73d8ef07b483affb23c19776cf2f23ed24c10df781218776da160399c19ac1f04ec6c3286525fafdb
SSDEEP

24576:rEPrVEkNwwouWihUW3cfwspt82UKVTSv:4CMorfb82UKVTSv

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe

description ioc process

File opened for modification \??\PhysicalDrive0 8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{E5E38DC3-4929-4D30-8603-D6EA7EC83083}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{5AE72309-0C84-4DCA-BBC0-296513A426A8}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4348 PING.EXE

pid	process
4348	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.execmd.exe

description	pid	process	target process
PID 2228 wrote to memory of 2440	2228	8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe	cmd.exe
PID 2228 wrote to memory of 2440	2228	8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe	cmd.exe
PID 2228 wrote to memory of 2440	2228	8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe	cmd.exe
PID 2440 wrote to memory of 4348	2440	cmd.exe	PING.EXE
PID 2440 wrote to memory of 4348	2440	cmd.exe	PING.EXE
PID 2440 wrote to memory of 4348	2440	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe
"C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\8eb8ce5eb5547a38069af164766a508b03d4ad96d75680f59fbebce6d3ef2408.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 3000
3⤵
- Runs ping.exe
PID:4348

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2440-132-0x0000000000000000-mapping.dmp

Download
memory/4348-133-0x0000000000000000-mapping.dmp

Download