Analysis
- max time kernel: 204s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 04:09
Static task: static1
Behavioral task: behavioral1
- Sample: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Resource: win10v2004-20221111-en
General
- Target: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Size: 140KB
- MD5: 0d22a7daa73eb03d96df1d78fd4eea0f
- SHA1: b3996401c0758f0560674c033b43de41e27303bf
- SHA256: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0
- SHA512: 38fc9b781d497c0fe3656c245e1569bc733e169aea77676ab782e3eae1c28f9a72ab324e9cc6d006e42cbe480bf119b16003bd076c334d8a056122f26f6346cd
- SSDEEP: 3072:d15ecfqXx11utwPGT+MKruQ/J06p6b7R+9WH:8iqBU8GT3KruQ/J06f
Malware Config
Signatures
- Unexpected DNS network traffic destination (58 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  Processes: (destination IP list omitted)
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
  - description: File opened for modification
    ioc: \??\PhysicalDrive0
    process: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
  - pid: 4272
    process: e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
    (the same pid/process entry is listed 6 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5dcdf63bbc6958b3279b63eceef77f381628d36387655b86523644bc8a128e0.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx