Analysis
- max time kernel: 90s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2022 19:42
Static task: static1
Behavioral task: behavioral1
  Sample: 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe
  Resource: win10v2004-20220901-en
General
- Target: 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe
- Size: 883KB
- MD5: 09f050c10db97929c8fea54bb4d62508
- SHA1: 89f5ee58536f00cf564226a4c6637e0dc1ac3346
- SHA256: 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae
- SHA512: 3ec72486e5d5959778ff5ac2e56687a175f0cd071ca29ccea77f26dd34ee1b22f93b67e135ef904fbd7c3dce2e65cd8328bf5929a3d6ee973bef15ab64371e5c
- SSDEEP: 12288:gm+eQydQu3K27bMuLBJic2Lb3eKLhklAwWmTu8S6u6v3Ic7rvDRUWFgwMqYUhcYI:g9m7SlnxhklQm3tUg8c+md2
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 2824 wrote to memory of 5056 | 2824 | 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe | cmd.exe
  PID 2824 wrote to memory of 5056 | 2824 | 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe | cmd.exe
  PID 2824 wrote to memory of 5056 | 2824 | 935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe | cmd.exe
  PID 5056 wrote to memory of 2264 | 5056 | cmd.exe | PING.EXE
  PID 5056 wrote to memory of 2264 | 5056 | cmd.exe | PING.EXE
  PID 5056 wrote to memory of 2264 | 5056 | cmd.exe | PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe"
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of WriteProcessMemory
   PID: 2824
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\935fde514a701d9181d0d343f2082416d1661fbca9835db53a62f270bceb0dae.exe"
      - Suspicious use of WriteProcessMemory
      PID: 5056
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 1.1.1.1 -n 1 -w 3000
         - Runs ping.exe
         PID: 2264