Analysis
max time kernel: 91s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-11-2022 21:15
Static task: static1
Behavioral task: behavioral1
  Sample: a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe
  Resource: win10v2004-20220901-en
General
Target: a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe
Size: 813KB
MD5: 692065a54dcc974b9ebd167a39b708a0
SHA1: e8d2baddc90a9c26916375601776685f50e0378d
SHA256: a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150
SHA512: fc52cc0635035b28f86327345874740954936c52e4e8ffc84bcfca0f23661ffe7c5072f8a7608a5367ce9f98cb541d3c5592e0da6ce549369b10118340e15e5d
SSDEEP: 12288:q24Y24N7N7xiiu3C5gkROzUJmka/tB2+udrhq8IWW92wu/BnRT933pRH+004xkTP:Uz4NZfmkgt1uFNwu/X1z3O9UuiDm
Malware Config
(none extracted)

Signatures

Writes to the Master Boot Record (MBR) - 1 TTPs, 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe

Runs ping.exe - 1 TTPs, 1 IoCs

Suspicious use of WriteProcessMemory - 6 IoCs
Processes:
  description | pid | process | target process
  PID 4884 wrote to memory of 3592 | 4884 | a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe | cmd.exe
  PID 4884 wrote to memory of 3592 | 4884 | a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe | cmd.exe
  PID 4884 wrote to memory of 3592 | 4884 | a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe | cmd.exe
  PID 3592 wrote to memory of 4144 | 3592 | cmd.exe | PING.EXE
  PID 3592 wrote to memory of 4144 | 3592 | cmd.exe | PING.EXE
  PID 3592 wrote to memory of 4144 | 3592 | cmd.exe | PING.EXE
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\a551a561dd9406a23526e439c72c12910e2b7c8fa0855983b0bb116cbfb58150.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         - Runs ping.exe