Analysis

max time kernel: 188s
max time network: 205s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 09:34
Static task: static1

Behavioral task: behavioral1
Sample: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Resource: win10v2004-20220812-en
General

Target: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
Size: 2.5MB
MD5: 865155e52d151a3f3f530d43d19f160c
SHA1: 09a4adf488637804bf70c70d6fac9056847db83b
SHA256: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7
SHA512: 2131c68a18e7738ccc843a0d46c04ad6b4ef88d14289afabe312f89d879317f46ba20ccca407ad1928f917e0eb0fee1b10c2c220c1c0be5a27312956291e5844
SSDEEP: 49152:gqaQM7yo/otJxf4cCfamLrkWjRnXmTgCZjQaCbe1jJ4jK3f6NRCUxKNGd:euogvxf4cCfPLrk2nXmTgCZgbe1l4jKc
Malware Config

Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe

Runs ping.exe (1 TTPs, 1 IoCs)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe, cmd.exe
description | pid | process | target process
PID 932 wrote to memory of 3656 | 932 | cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe | cmd.exe
PID 932 wrote to memory of 3656 | 932 | cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe | cmd.exe
PID 932 wrote to memory of 3656 | 932 | cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe | cmd.exe
PID 3656 wrote to memory of 1548 | 3656 | cmd.exe | PING.EXE
PID 3656 wrote to memory of 1548 | 3656 | cmd.exe | PING.EXE
PID 3656 wrote to memory of 1548 | 3656 | cmd.exe | PING.EXE
Processes

C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\cdecaf330a5b8ad5e39127496495574980d8317d6ba9bdca2a500b8ba21855e7.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe