Analysis
max time kernel: 74s
max time network: 70s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 02:59

Static task: static1

Behavioral task: behavioral1
Sample: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
Resource: win7-20221111-en

Behavioral task: behavioral2
Sample: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
Resource: win10v2004-20221111-en
General
Target: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
Size: 813KB
MD5: 7074d498d8cd671b832f20cb359ee790
SHA1: 439d53759effe8c775da299fb78812a94cb10899
SHA256: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8
SHA512: b956c4086d409ca144d2bf51cdf11d3c31555701a7aa240bdaabae4b565b466ea1e798a52b2f6cecae19070e22995b55d859f3d90bf80321404f646f499d9224
SSDEEP: 12288:q24Y24N7N7xiiu3C5gkROzUJmka/tB2+udrhq8IWW92wu/BnRT933pRH+004xkTZ:Uz4NZfmkgt1uFNwu/X1z3O9UuNDm
Malware Config
Signatures

Deletes itself (1 IoC)
The sample spawns cmd.exe with a ping-then-Del command line: ping sends one echo request and waits up to 3000 ms for a reply, which gives the parent process time to exit and release its file lock before Del removes the executable from disk.
Processes:
  pid 1084  cmd.exe

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system. This signature fires on the raw disk device being opened for modification; the report records the open, not the bytes written, so confirm an actual MBR change by comparing sector 0 of the analysis VM's disk against the clean image.
Processes:
  description: File opened for modification   ioc: \??\PhysicalDrive0   process: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of WriteProcessMemory (8 IoCs)
Each row pairs a parent with the child it spawned, which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes:
  PID 1632 wrote to memory of 1084: 347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe -> cmd.exe (4 events)
  PID 1084 wrote to memory of 1756: cmd.exe -> PING.EXE (4 events)
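The MBR check the signature above calls for, as an added example that is not part of the sandbox report or of the sample: it parses a 512-byte sector 0, hashes the boot-code area (the 440 bytes before the disk signature), and compares it with a known-good baseline. The "clean" and "tampered" sectors are constructed inline; the boot stub bytes are a placeholder, not real boot code, and the baseline hash would in practice be taken from the golden image the VM was built from. read_mbr_from_disk is the only part that touches a real device and is Windows-only.

```python
import hashlib
import struct
from typing import Dict, List, Set, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # code area; bytes 440-443 hold the disk signature, 444-445 are reserved
PART_TABLE_OFFSET = 446  # four 16-byte partition entries
BOOT_SIG_OFFSET = 510    # 0x55 0xAA


def parse_mbr(mbr: bytes) -> Dict:
    """Split sector 0 into boot code hash, disk signature, partition table and boot signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "valid_signature": mbr[BOOT_SIG_OFFSET:] == b"\x55\xaa",
    }


def check_mbr(mbr: bytes, known_good_code: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means sector 0 matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if not info["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] not in known_good_code:
        # A bootkit typically replaces the code area and leaves the partition table intact.
        findings.append("boot code does not match the clean baseline (possible bootkit)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def build_mbr(boot_code: bytes, partitions: List[Tuple[bool, int, int, int]],
              disk_sig: int = 0x12345678) -> bytes:
    """Assemble a sector from (bootable, type, lba_start, sectors) tuples; used for the constructed samples."""
    buf = bytearray(MBR_SIZE)
    buf[:min(len(boot_code), BOOT_CODE_LEN)] = boot_code[:BOOT_CODE_LEN]
    struct.pack_into("<I", buf, 440, disk_sig)
    for i, (bootable, ptype, lba, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        buf[off] = 0x80 if bootable else 0x00
        buf[off + 4] = ptype
        struct.pack_into("<II", buf, off + 8, lba, sectors)
    buf[BOOT_SIG_OFFSET:] = b"\x55\xaa"
    return bytes(buf)


def read_mbr_from_disk(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Windows only, needs administrator: read sector 0 of the raw device the sample opened."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


# Constructed samples (placeholder boot stub: xor ax,ax / mov ss,ax / mov sp,7C00h / nops).
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 10
CLEAN_MBR = build_mbr(CLEAN_CODE, [(True, 0x07, 2048, 204800)])
BASELINE = {parse_mbr(CLEAN_MBR)["boot_code_sha256"]}  # assumption: hash taken from the golden image
# Same partition table, boot code swapped for a jmp $ stub: the pattern a bootkit leaves behind.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x00" * 5, [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

Hashing the whole sector would also flag a benign disk-signature or partition-table change, so the comparison is restricted to the code area; keep a per-image baseline, since the stub differs between Windows versions and disk tools.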
Processes

1. C:\Users\Admin\AppData\Local\Temp\347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         command line: ping 1.1.1.1 -n 1 -w 3000
         - Runs ping.exe
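Detection logic for the two behaviours in this process tree, as an added example that is not part of the sandbox report: it runs over process-creation and file-access records, flags a cmd.exe "ping ... & Del" line whose Del target is the parent's own image (the self-delete), and flags a raw PhysicalDrive open for modification. The event records are constructed here to mirror the tree above; the pid/ppid links are taken from the WriteProcessMemory parent-to-child rows, and the "ppid" of the sample itself is an assumed placeholder.

```python
import re
from typing import Dict, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\347e0f8e0009876115b166dc08ba73b3af224c5462a5ae08c668e4aace3e3ab8.exe")

# Constructed records modelled on the report's process tree (pids as reported; ppid 1000 assumed).
PROCESS_EVENTS: List[Dict] = [
    {"pid": 1632, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1084, "ppid": 1632, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "{SAMPLE}"'},
    {"pid": 1756, "ppid": 1084, "image": r"C:\Windows\SysWOW64\PING.EXE",
     "cmdline": "ping 1.1.1.1 -n 1 -w 3000"},
]
FILE_EVENTS: List[Dict] = [
    {"pid": 1632, "path": r"\??\PhysicalDrive0", "op": "open_for_modification"},
]

# ping used as a sleep: "-n <count>" echo requests, optional "-w <ms>" timeout.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\s+\S+\s+-n\s+(\d+)", re.IGNORECASE)
# "& del [switches] "<path>"" at the end of the command line; the target is captured.
DELETE_RE = re.compile(r'&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?)"?\s*$', re.IGNORECASE)
# Raw disk device in NT (\??\) or Win32 (\\.\) form.
RAW_DISK_RE = re.compile(r"^(?:\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)
WRITE_OPS = {"open_for_modification", "write"}


def norm(path: str) -> str:
    return path.strip().strip('"').lower()


def detect(process_events: List[Dict], file_events: List[Dict]) -> List[Dict]:
    """Return findings as dicts with a 'rule' key, in event order."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        cmd = e["cmdline"]
        m_ping, m_del = PING_DELAY_RE.search(cmd), DELETE_RE.search(cmd)
        if not (m_ping and m_del):
            continue  # ping alone or del alone is not the pattern
        target = norm(m_del.group("target"))
        parent = by_pid.get(e["ppid"])
        if parent and norm(parent["image"]) == target:
            findings.append({"rule": "self_delete", "pid": e["pid"],
                             "parent_pid": e["ppid"], "target": target})
        else:
            findings.append({"rule": "delayed_delete", "pid": e["pid"], "target": target})
    for f in file_events:
        if RAW_DISK_RE.match(f["path"]) and f["op"] in WRITE_OPS:
            findings.append({"rule": "raw_disk_write", "pid": f["pid"], "path": f["path"]})
    return findings


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS, FILE_EVENTS):
        print(finding)
```

Matching the Del target against the parent's image path is what separates a self-delete from a generic cleanup script; the same parent-child join is available from Sysmon Event ID 1 (ParentProcessId, ParentImage) or from EDR process-tree data.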