Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-11-2022 00:01

General

  • Target
    0cdead53285bef7b75782f1d46c82934f60ab372a944142efe0b3cc54d0fb39d.exe
  • Size
    400KB
  • MD5
    349fad42277afb30c8324b3b83c57d35
  • SHA1
    bd99021a4e77d1ea517f91981c9b34cef217bea2
  • SHA256
    0cdead53285bef7b75782f1d46c82934f60ab372a944142efe0b3cc54d0fb39d
  • SHA512
    d8b07c6af456c55049d1fdf916a8a2ba77ca4e138ffb258f6a7419fb4ece6ac9ba843bc9b35e4d45875b1d15d4fa74a22f1abfd86bdcb7ad2a1d2448505f1391
  • SSDEEP
    6144:HMkXEBJ4f03VZSaH8WwQVcD4fsomxbHQlGUi2jhsmHplLxPRJfsoy/Oti+azNC:AVoIJwQVcD4fnGUJsmHplLxJJf5uzY

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE (2 IoCs)
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory (9 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of SetWindowsHookEx (3 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cdead53285bef7b75782f1d46c82934f60ab372a944142efe0b3cc54d0fb39d.exe
    "C:\Users\Admin\AppData\Local\Temp\0cdead53285bef7b75782f1d46c82934f60ab372a944142efe0b3cc54d0fb39d.exe"
    1⤵
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\main46.exe
      "C:\Windows\main46.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1488
      • C:\Windows\SysWOW64\netlos.exe
        "C:\Windows\system32\netlos.exe"
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2928
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im netlos.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:220
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im svchoct.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5100

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\SysWOW64\log.sql
    Filesize
    20B
    MD5
    7c22628b08f0af2e7449794ff4958136
    SHA1
    adbaef0b6981ead722870796e1b1e59531878790
    SHA256
    324b3ff2551cf509ab487164603d9e9776ba1520394dc973d85c619fa9b8141d
    SHA512
    b5a41a1ca0853a98afc8459f671547cd40b9116afa04add0eb7c9134c8d36a71ad4ebed87dab631eb63ee5f5b0a9957410a67f6a947823a6843d665fbb0c1424

  • C:\Windows\SysWOW64\netlos.exe
    Filesize
    304KB
    MD5
    756c1a61ddc096120a220f9ace927d5c
    SHA1
    fbba17a4f806839a5a3f71fdef70d05f24cf66d6
    SHA256
    8cdbf771c50e1e38c0a225576395804b383cff852a8fd2d0945f047ed82cbbf9
    SHA512
    4994b903f25cb4be752b4cd57457334b098e79c82a4c28cd2d19d4135ee52535f059d95ebdf290d30d699a677a32ec861e67943006f2398364453c66cec735f0

  • C:\Windows\main46.exe
    Filesize
    304KB
    MD5
    756c1a61ddc096120a220f9ace927d5c
    SHA1
    fbba17a4f806839a5a3f71fdef70d05f24cf66d6
    SHA256
    8cdbf771c50e1e38c0a225576395804b383cff852a8fd2d0945f047ed82cbbf9
    SHA512
    4994b903f25cb4be752b4cd57457334b098e79c82a4c28cd2d19d4135ee52535f059d95ebdf290d30d699a677a32ec861e67943006f2398364453c66cec735f0
