Analysis
max time kernel: 143s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 02:04
Static task: static1
Behavioral task: behavioral1
Sample: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe
Resource: win10v2004-20220812-en
General
Target: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe
Size: 972KB
MD5: 4ad5518f25fb623058d74839a22570e1
SHA1: 8acaeaf3c22f513124f64d2954b65a7df0f64c40
SHA256: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67
SHA512: 4de4a667d9ffb86cc304db617bb6028f6b49d4013f53b99f2b75233c476dd8d2e9aa3343398a290c0a2f40cad59a6c876c77d5ef862609c7e868422c719bdbef
SSDEEP: 12288:npZ7RqTHG1GtRmjWjRlgivK2YyUxUi2MOOpnjuNIOHeOPYxYIswU6fsDukauZHcu:f7YTmhUlV4xUlOJjuN5HeU+hXdetGj
Malware Config
Signatures
- Writes to the Master Boot Record (MBR): 1 TTPs, 1 IoCs
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | \??\PhysicalDrive0 | 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe |

- Runs ping.exe: 1 TTPs, 1 IoCs
- Suspicious use of WriteProcessMemory: 6 IoCs
  Processes: 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe, cmd.exe

  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 2732 wrote to memory of 2168 | 2732 | 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe | cmd.exe |
  | PID 2732 wrote to memory of 2168 | 2732 | 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe | cmd.exe |
  | PID 2732 wrote to memory of 2168 | 2732 | 471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe | cmd.exe |
  | PID 2168 wrote to memory of 4296 | 2168 | cmd.exe | PING.EXE |
  | PID 2168 wrote to memory of 4296 | 2168 | cmd.exe | PING.EXE |
  | PID 2168 wrote to memory of 4296 | 2168 | cmd.exe | PING.EXE |
Processes
- C:\Users\Admin\AppData\Local\Temp\471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe (PID: 2732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID: 2168)
    Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\471112758921a033854c1732c4242ac7b6811ce915719fb94023b11050d53c67.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID: 4296)
      Command line: ping 1.1.1.1 -n 1 -w 3000
      - Runs ping.exe