Analysis

Max time kernel: 54s
Max time network: 57s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 24-11-2022 19:35

Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  Resource: win10v2004-20221111-en
General

Target: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
Size: 972KB
MD5: 4222d11ba37d5b8884b4e45ca8aeecee
SHA1: 221b7b5378a33811d0caefa955f3a693f7fe3da2
SHA256: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2
SHA512: db2a28e904bc5a15a52c99fb5f156b945d159fef2cd373146e6eedb6492f66c5503725bea76eadc77aabbdfbe7b3157c2cfe99a10cc62f72ec91e40c392895bf
SSDEEP: 12288:npZ7RqTHG1GtRmjWjRlgivK2YyUxUi2MOOpnjuNIOHeOPYxYIswU6fsDukauZHcO:f7YTmhUlV4xUlOJjuN5HeU+hX9etGj
Malware Config

Signatures

Deletes itself (1 IoC)
  Processes:
    pid   process
    1124  cmd.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                  process
    File opened for modification  \??\PhysicalDrive0   c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process                                                                  target process
    PID 304 wrote to memory of 1124  304   c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe  cmd.exe
    PID 304 wrote to memory of 1124  304   c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe  cmd.exe
    PID 304 wrote to memory of 1124  304   c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe  cmd.exe
    PID 304 wrote to memory of 1124  304   c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe  cmd.exe
    PID 1124 wrote to memory of 1248 1124  cmd.exe                                                                  PING.EXE
    PID 1124 wrote to memory of 1248 1124  cmd.exe                                                                  PING.EXE
    PID 1124 wrote to memory of 1248 1124  cmd.exe                                                                  PING.EXE
    PID 1124 wrote to memory of 1248 1124  cmd.exe                                                                  PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         - Runs ping.exe