Analysis
max time kernel: 36s
max time network: 80s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  Resource: win10v2004-20221111-en
General
Target: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
Size: 845KB
MD5: dffeb8dae0fb4d2c6bf0fd9d2463b44f
SHA1: 23b2e86676e77462f0f5b71bd77c14ffe0ee32b0
SHA256: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7
SHA512: ec36f20dae2fe0dcc54cf5837edf4c6e568fe502d30cda8894d83e7d502c6046437339bf5cc4de6c03d8277bb78609201e112b78dbda2a930434531d1b340f35
SSDEEP: 12288:5HmazRrqCpsZJ/p3FcSHVUFXDq0V6F/EolcjlFgwb4CjHBD9JWqdlzgzJF7ccYFf:lde/oSHVCKhcxFJLlX5pdf
Malware Config
Signatures
Deletes itself (1 IoCs)
  Processes: cmd.exe (PID 900)
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  IoC: File opened for modification: \??\PhysicalDrive0 (process: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe, cmd.exe
  PID 1380 wrote to memory of PID 900 (6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe -> cmd.exe), 4 identical entries
  PID 900 wrote to memory of PID 532 (cmd.exe -> PING.EXE), 4 identical entries
Processes
1. C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe"
   PID: 1380
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe"
      PID: 900
      - Deletes itself
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         PID: 532
         - Runs ping.exe