Analysis

max time kernel: 87s
max time network: 110s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 09:34

Static task: static1

Behavioral task: behavioral1
  Sample: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
  Resource: win10v2004-20220812-en
General

Target: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Size: 2.5MB
MD5: 865155e52d151a3f3f530d43d19f160c
SHA1: 09a4adf488637804bf70c70d6fac9056847db83b
SHA256: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7
SHA512: 2131c68a18e7738ccc843a0d46c04ad6b4ef88d14289afabe312f89d879317f46ba20ccca407ad1928f917e0eb0fee1b10c2c220c1c0be5a27312956291e5844
SSDEEP: 49152:gqaQM7yo/otJxf4cCfamLrkWjRnXmTgCZjQaCbe1jJ4jK3f6NRCUxKNGd:euogvxf4cCfPLrk2nXmTgCZgbe1l4jKc
Malware Config

Signatures

Deletes itself (1 IoC)
  Processes:
    pid   process
    1028  cmd.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                                                                target process
    PID 1204 wrote to memory of 1028  1204  cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe  cmd.exe
    PID 1204 wrote to memory of 1028  1204  cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe  cmd.exe
    PID 1204 wrote to memory of 1028  1204  cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe  cmd.exe
    PID 1204 wrote to memory of 1028  1204  cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe  cmd.exe
    PID 1028 wrote to memory of 1172  1028  cmd.exe                                                                PING.EXE
    PID 1028 wrote to memory of 1172  1028  cmd.exe                                                                PING.EXE
    PID 1028 wrote to memory of 1172  1028  cmd.exe                                                                PING.EXE
    PID 1028 wrote to memory of 1172  1028  cmd.exe                                                                PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         - Runs ping.exe