Overview

overview

8

Static

static

9ba5c4f025...c9.exe

windows7-x64

8

9ba5c4f025...c9.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    187s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/11/2022, 04:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9ba5c4f0257e507ff6e841013401d77ff3b1d3a63a41c2dfdb4fe9a57a88eac9.exe

  • Size

    840KB

  • MD5

    272d3231049d381a09d009f101c07b40

  • SHA1

    452486b04dc2da20ae26511eddd5da243f28cc91

  • SHA256

    9ba5c4f0257e507ff6e841013401d77ff3b1d3a63a41c2dfdb4fe9a57a88eac9

  • SHA512

    60f4a69cfe9efda8b7cd305c22522b4deee66e16807028c652b46a619d02eb53db39df341900cb728bfb2210dabcc08e7d05c991119f4413f7ac12d776e4a61f

  • SSDEEP

    12288:ckolW+pPv+AsOQSH1u/eHnJELfdiKSGeW/7B3O1m1l2bDi5ozUinkL:RoECPmAbsEnyLVMYBdl2bDi6QqkL

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ba5c4f0257e507ff6e841013401d77ff3b1d3a63a41c2dfdb4fe9a57a88eac9.exe
    "C:\Users\Admin\AppData\Local\Temp\9ba5c4f0257e507ff6e841013401d77ff3b1d3a63a41c2dfdb4fe9a57a88eac9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:3476
    • C:\ProgramData\meprotection.exe
      C:\ProgramData\meprotection.exe
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3624
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 752
        3⤵
        • Program crash
        PID:1340
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 752
        3⤵
        • Program crash
        PID:2232
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1100
        3⤵
        • Program crash
        PID:3748
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1120
        3⤵
        • Program crash
        PID:4768
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 1160
        3⤵
        • Program crash
        PID:4452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3624 -ip 3624
    1⤵
      PID:680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3624 -ip 3624
      1⤵
        PID:4852
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3624 -ip 3624
        1⤵
          PID:2476
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3624 -ip 3624
          1⤵
            PID:2260
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3624 -ip 3624
            1⤵
              PID:4620

            Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\meprotection.exe
                    Filesize

                    825KB

                    MD5

                    4fc05dfaa3b4ec316b01a1d58668a00d

                    SHA1

                    36e25dc547b781b9b309730ca0aaa9b751a7331d

                    SHA256

                    11f3733e9c98fbb438862a1de26bb602035923b1d5f6183dfcbde29bfbe73f72

                    SHA512

                    1a7b23165777342b1ee42537b4fd1103cd1c7b170ce74e6a0550d25bc2c73f8742322042217b59ef6002bd74c4bffa3c20c7661f446ba6ed81ba9737ebc24a92

                    Download Submit

                  • C:\ProgramData\meprotection.exe
                    Filesize

                    825KB

                    MD5

                    4fc05dfaa3b4ec316b01a1d58668a00d

                    SHA1

                    36e25dc547b781b9b309730ca0aaa9b751a7331d

                    SHA256

                    11f3733e9c98fbb438862a1de26bb602035923b1d5f6183dfcbde29bfbe73f72

                    SHA512

                    1a7b23165777342b1ee42537b4fd1103cd1c7b170ce74e6a0550d25bc2c73f8742322042217b59ef6002bd74c4bffa3c20c7661f446ba6ed81ba9737ebc24a92

                    Download Submit

                  • memory/3476-132-0x0000000000400000-0x00000000004EA000-memory.dmp

                    Filesize

                    936KB

                    Download

                  • memory/3476-133-0x0000000000400000-0x00000000004EA000-memory.dmp

                    Filesize

                    936KB

                    Download

                  • memory/3476-134-0x0000000000400000-0x00000000004EA000-memory.dmp

                    Filesize

                    936KB

                    Download

                  • memory/3476-142-0x0000000000400000-0x00000000004EA000-memory.dmp

                    Filesize

                    936KB

                    Download

                  • memory/3624-138-0x0000000000400000-0x0000000000A1C000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/3624-139-0x0000000000400000-0x0000000000A1C000-memory.dmp

                    Filesize

                    6.1MB

                    Download

                  • memory/3624-141-0x0000000000400000-0x0000000000A1C000-memory.dmp

                    Filesize

                    6.1MB

                    Download