Analysis
- max time kernel: 288s
- max time network: 321s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 19:35
Static task
- static1
Behavioral task
- behavioral1
  - Sample: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  - Resource: win7-20220812-en
Behavioral task
- behavioral2
  - Sample: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  - Resource: win10v2004-20221111-en
General
- Target: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
- Size: 972KB
- MD5: 4222d11ba37d5b8884b4e45ca8aeecee
- SHA1: 221b7b5378a33811d0caefa955f3a693f7fe3da2
- SHA256: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2
- SHA512: db2a28e904bc5a15a52c99fb5f156b945d159fef2cd373146e6eedb6492f66c5503725bea76eadc77aabbdfbe7b3157c2cfe99a10cc62f72ec91e40c392895bf
- SSDEEP: 12288:npZ7RqTHG1GtRmjWjRlgivK2YyUxUi2MOOpnjuNIOHeOPYxYIswU6fsDukauZHcO:f7YTmhUlV4xUlOJjuN5HeU+hX9etGj
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe, cmd.exe
  description | pid | process | target process
  PID 1136 wrote to memory of 4608 | 1136 | c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe | cmd.exe
  PID 1136 wrote to memory of 4608 | 1136 | c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe | cmd.exe
  PID 1136 wrote to memory of 4608 | 1136 | c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe | cmd.exe
  PID 4608 wrote to memory of 4624 | 4608 | cmd.exe | PING.EXE
  PID 4608 wrote to memory of 4624 | 4608 | cmd.exe | PING.EXE
  PID 4608 wrote to memory of 4624 | 4608 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\c4a7a030fea08c1b293f1450333a0b226d7ab75928a1adb6e6a51f7e391748e2.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe