Analysis
- max time kernel: 141s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
- submitted: 25-11-2022 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Resource: win10v2004-20221111-en
General
- Target: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Size: 140KB
- MD5: 0d22a7daa73eb03d96df1d78fd4eea0f
- SHA1: b3996401c0758f0560674c033b43de41e27303bf
- SHA256: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0
- SHA512: 38fc9b781d497c0fe3656c245e1569bc733e169aea77676ab782e3eae1c28f9a72ab324e9cc6d006e42cbe480bf119b16003bd076c334d8a056122f26f6346cd
- SSDEEP: 3072:d15ecfqXx11utwPGT+MKruQ/J06p6b7R+9WH:8iqBU8GT3KruQ/J06f
Malware Config
Signatures
Unexpected DNS network traffic destination 53 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description                    ioc                   process
File opened for modification   \??\PhysicalDrive0    e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
Program crash 1 IoCs
Processes:
pid    pid_target   process        target process
1772   1396         WerFault.exe   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
pid    process
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description                          pid    process                                                                   target process
PID 1396 wrote to memory of 1772     1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe    WerFault.exe
PID 1396 wrote to memory of 1772     1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe    WerFault.exe
PID 1396 wrote to memory of 1772     1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe    WerFault.exe
PID 1396 wrote to memory of 1772     1396   e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe    WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe (child process)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1396 -s 1720
    - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1396-54-0x00000000760E1000-0x00000000760E3000-memory.dmp (Filesize: 8KB)
- memory/1396-55-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize: 380KB)
- memory/1396-57-0x0000000000400000-0x000000000045F000-memory.dmp (Filesize: 380KB)
- memory/1772-56-0x0000000000000000-mapping.dmp