db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0

Analysis

max time kernel
172s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe
Size

322KB
MD5

b6771b11f7aa2e739501488355d8326a
SHA1

5c5870b25a4211f2cc853f788f8bbb4ad71e4072
SHA256

db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0
SHA512

584fa09bf588ade4739ba8578d5cd0022331c91f388c81bf27c9480117db0cd43e0191ca15f396cb8aa94cbfd4ee58e2123043d5fae150fce8bacca26d506ff6
SSDEEP

6144:Bz+92mhAMJ/cPl3i8/G9AKQ3SRGFLuT0bxDBgD9lkC06BAOMg9lDOV:BK2mhAMJ/cPlJGdQ3SRMLugbxuDzVnLi

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

red_webssearches.exeDToolZip.exeDToolZip.exe

pid process

4908 red_webssearches.exe
1100 DToolZip.exe
1584 DToolZip.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

red_webssearches.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	red_webssearches.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	red_webssearches.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

4488 rundll32.exe
4076 rundll32.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

red_webssearches.exe

description ioc process

File opened for modification \??\PhysicalDrive0 red_webssearches.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4488	rundll32.exe
4076	rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	red_webssearches.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

red_webssearches.exerundll32.exerundll32.exe

pid	process
4908	red_webssearches.exe
4908	red_webssearches.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4488	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe
4076	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	4488	rundll32.exe
Token: SeDebugPrivilege	4488	rundll32.exe
Token: SeDebugPrivilege	4076	rundll32.exe
Token: SeDebugPrivilege	4076	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

red_webssearches.exeDToolZip.exeDToolZip.exe

pid process

4908 red_webssearches.exe
1100 DToolZip.exe
1584 DToolZip.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exered_webssearches.exe

description	pid	process	target process
PID 3364 wrote to memory of 4908	3364	db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe	red_webssearches.exe
PID 3364 wrote to memory of 4908	3364	db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe	red_webssearches.exe
PID 3364 wrote to memory of 4908	3364	db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe	red_webssearches.exe
PID 4908 wrote to memory of 4488	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 4488	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 4488	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 1100	4908	red_webssearches.exe	DToolZip.exe
PID 4908 wrote to memory of 1100	4908	red_webssearches.exe	DToolZip.exe
PID 4908 wrote to memory of 1100	4908	red_webssearches.exe	DToolZip.exe
PID 4908 wrote to memory of 4076	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 4076	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 4076	4908	red_webssearches.exe	rundll32.exe
PID 4908 wrote to memory of 1584	4908	red_webssearches.exe	DToolZip.exe
PID 4908 wrote to memory of 1584	4908	red_webssearches.exe	DToolZip.exe
PID 4908 wrote to memory of 1584	4908	red_webssearches.exe	DToolZip.exe

C:\Users\Admin\AppData\Local\Temp\db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe
"C:\Users\Admin\AppData\Local\Temp\db5101650f4f671ff6c8e9d1525cb5df0d5b034f3ef91f448511f7fda06614c0.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3364

C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe" -silence -ptid=red
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll,DoD 1
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe -x -o C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\1.zip -d C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll,DoD 2
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe -x -o C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\2.zip -d C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\tmp
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll
Filesize
190KB

MD5
b0daac9195ed549b89bfea99ceb1a39b

SHA1
fbc97963b642ec1a993d94bc7d41b8268116ed9e

SHA256
f530dc7295b102a0b89ee5ac3654e476e037280ca2b849a48ab84c450404aede

SHA512
e9792dd6bee47063c4ed4bd62aaa59036fed5cd214e1510021470351ce3251e92f049ff0fefe99344d361cbd1a284ce706e733ee9519a41f7c1fa5a53c7cc70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll
Filesize
190KB

MD5
b0daac9195ed549b89bfea99ceb1a39b

SHA1
fbc97963b642ec1a993d94bc7d41b8268116ed9e

SHA256
f530dc7295b102a0b89ee5ac3654e476e037280ca2b849a48ab84c450404aede

SHA512
e9792dd6bee47063c4ed4bd62aaa59036fed5cd214e1510021470351ce3251e92f049ff0fefe99344d361cbd1a284ce706e733ee9519a41f7c1fa5a53c7cc70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll
Filesize
190KB

MD5
b0daac9195ed549b89bfea99ceb1a39b

SHA1
fbc97963b642ec1a993d94bc7d41b8268116ed9e

SHA256
f530dc7295b102a0b89ee5ac3654e476e037280ca2b849a48ab84c450404aede

SHA512
e9792dd6bee47063c4ed4bd62aaa59036fed5cd214e1510021470351ce3251e92f049ff0fefe99344d361cbd1a284ce706e733ee9519a41f7c1fa5a53c7cc70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DTool.dll
Filesize
190KB

MD5
b0daac9195ed549b89bfea99ceb1a39b

SHA1
fbc97963b642ec1a993d94bc7d41b8268116ed9e

SHA256
f530dc7295b102a0b89ee5ac3654e476e037280ca2b849a48ab84c450404aede

SHA512
e9792dd6bee47063c4ed4bd62aaa59036fed5cd214e1510021470351ce3251e92f049ff0fefe99344d361cbd1a284ce706e733ee9519a41f7c1fa5a53c7cc70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
Filesize
220KB

MD5
04d02d6f85c6025b55f570746884922b

SHA1
f8c84731b604a2a5b0eb865acce523560aac3fd1

SHA256
9566eabe217a46841a2e0dde6ca001c3366ae68350dee612cdd06cca0e8ee5c0

SHA512
d70df32cb55c86f8555a69bf47aec55582282eb5be872b3d9983447c17e4661bb3db43b3746938168f6e70a2a3679d174abc8bdb7439e6ae35debb37f665e0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
Filesize
220KB

MD5
04d02d6f85c6025b55f570746884922b

SHA1
f8c84731b604a2a5b0eb865acce523560aac3fd1

SHA256
9566eabe217a46841a2e0dde6ca001c3366ae68350dee612cdd06cca0e8ee5c0

SHA512
d70df32cb55c86f8555a69bf47aec55582282eb5be872b3d9983447c17e4661bb3db43b3746938168f6e70a2a3679d174abc8bdb7439e6ae35debb37f665e0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
Filesize
220KB

MD5
04d02d6f85c6025b55f570746884922b

SHA1
f8c84731b604a2a5b0eb865acce523560aac3fd1

SHA256
9566eabe217a46841a2e0dde6ca001c3366ae68350dee612cdd06cca0e8ee5c0

SHA512
d70df32cb55c86f8555a69bf47aec55582282eb5be872b3d9983447c17e4661bb3db43b3746938168f6e70a2a3679d174abc8bdb7439e6ae35debb37f665e0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7E82590C-48C6-48BD-9DBB-BDCC68C3CBB8[i]\DToolZip.exe
Filesize
220KB

MD5
04d02d6f85c6025b55f570746884922b

SHA1
f8c84731b604a2a5b0eb865acce523560aac3fd1

SHA256
9566eabe217a46841a2e0dde6ca001c3366ae68350dee612cdd06cca0e8ee5c0

SHA512
d70df32cb55c86f8555a69bf47aec55582282eb5be872b3d9983447c17e4661bb3db43b3746938168f6e70a2a3679d174abc8bdb7439e6ae35debb37f665e0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe
Filesize
706KB

MD5
da6dcd1f5db81941c5d93f34af6c1655

SHA1
4417d9d1de9c504b113bb266407b3663c5fe6c0c

SHA256
55c1be255a3ea21ecde16db3b17059c14927602a77008097d1d769a981832d76

SHA512
2781c080c723f170967fadaf99eede40c996c7731c0ebed9573c96e4ec1aa871668e51b30b10fa0a35f86769cc0577d05651eb17462385264ffeec9b5d2b00da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\red_webssearches.exe
Filesize
706KB

MD5
da6dcd1f5db81941c5d93f34af6c1655

SHA1
4417d9d1de9c504b113bb266407b3663c5fe6c0c

SHA256
55c1be255a3ea21ecde16db3b17059c14927602a77008097d1d769a981832d76

SHA512
2781c080c723f170967fadaf99eede40c996c7731c0ebed9573c96e4ec1aa871668e51b30b10fa0a35f86769cc0577d05651eb17462385264ffeec9b5d2b00da

Download Submit
memory/1100-138-0x0000000000000000-mapping.dmp

Download
memory/1584-144-0x0000000000000000-mapping.dmp

Download
memory/4076-141-0x0000000000000000-mapping.dmp

Download
memory/4488-135-0x0000000000000000-mapping.dmp

Download
memory/4908-132-0x0000000000000000-mapping.dmp

Download