Analysis
- max time kernel: 150s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 21:47
Static task: static1
Behavioral task: behavioral1
  Sample: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  Resource: win10v2004-20221111-en
General
- Target: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
- Size: 845KB
- MD5: dffeb8dae0fb4d2c6bf0fd9d2463b44f
- SHA1: 23b2e86676e77462f0f5b71bd77c14ffe0ee32b0
- SHA256: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7
- SHA512: ec36f20dae2fe0dcc54cf5837edf4c6e568fe502d30cda8894d83e7d502c6046437339bf5cc4de6c03d8277bb78609201e112b78dbda2a930434531d1b340f35
- SSDEEP: 12288:5HmazRrqCpsZJ/p3FcSHVUFXDq0V6F/EolcjlFgwb4CjHBD9JWqdlzgzJF7ccYFf:lde/oSHVCKhcxFJLlX5pdf
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
  description                  | ioc                | process
  File opened for modification | \??\PhysicalDrive0 | 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe, cmd.exe
  description                        | pid  | process                                                                  | target process
  PID 3364 wrote to memory of 1380   | 3364 | 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe | cmd.exe
  PID 3364 wrote to memory of 1380   | 3364 | 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe | cmd.exe
  PID 3364 wrote to memory of 1380   | 3364 | 6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe | cmd.exe
  PID 1380 wrote to memory of 3116   | 1380 | cmd.exe                                                                  | PING.EXE
  PID 1380 wrote to memory of 3116   | 1380 | cmd.exe                                                                  | PING.EXE
  PID 1380 wrote to memory of 3116   | 1380 | cmd.exe                                                                  | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe (PID 3364, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1380, depth 2)
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\6d523b6e8a186a2e19c04ffc514e8807db9fb415734b42659272de7b055da4e7.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3116, depth 3)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe