Overview

overview

8

Static

static

64b5293cf3...70.exe

windows7-x64

8

64b5293cf3...70.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    100s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    29/11/2022, 08:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    64b5293cf312f20766b40e2c9e16e24d6e33308e00ae2964b0b135685f780370.exe

  • Size

    841KB

  • MD5

    06034bc1fb52273ac0e5227c62800240

  • SHA1

    fafed6af6a1476e4470e8682a0da501273ada33c

  • SHA256

    64b5293cf312f20766b40e2c9e16e24d6e33308e00ae2964b0b135685f780370

  • SHA512

    cb6b28bb37d3c9eb2ce565c343ceae9c2ad4d038a45e45db300973fa689072f3734df257d8e97d16bd44802cb41480be665876c33d61f33fc5a6702dfe889ea8

  • SSDEEP

    12288:FIh/Qztxs+YjZrottJYAZAXqZE+n7uCaxBkmz782xOqu0zoWRrsFlR8dzcEeBsUp:FuSKIJYQA6ZbnK0eDno58dzcEeup0V

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 11 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64b5293cf312f20766b40e2c9e16e24d6e33308e00ae2964b0b135685f780370.exe
    "C:\Users\Admin\AppData\Local\Temp\64b5293cf312f20766b40e2c9e16e24d6e33308e00ae2964b0b135685f780370.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\ProgramData\bsprotection.exe
      C:\ProgramData\bsprotection.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1252

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\bsprotection.exe
          Filesize

          824KB

          MD5

          a6841c61c353c6110d15417fc72cbad7

          SHA1

          412513364d161fff36a3a26b3cab922533e59d2e

          SHA256

          936cd15c031f4b76375b6febcd35cc214fc9a6931e045a68848af293be86564f

          SHA512

          4e2100e2d99c56e9d3b6eacdbc8a50664d54a4aed1edf8cd285baaaebbfb1ab7f705cb6419cd50afe311ae2def92c04e9b7bd57c4b4d9952e7d7594db0ec3ba1

          Download Submit

        • \ProgramData\bsprotection.exe
          Filesize

          824KB

          MD5

          a6841c61c353c6110d15417fc72cbad7

          SHA1

          412513364d161fff36a3a26b3cab922533e59d2e

          SHA256

          936cd15c031f4b76375b6febcd35cc214fc9a6931e045a68848af293be86564f

          SHA512

          4e2100e2d99c56e9d3b6eacdbc8a50664d54a4aed1edf8cd285baaaebbfb1ab7f705cb6419cd50afe311ae2def92c04e9b7bd57c4b4d9952e7d7594db0ec3ba1

          Download Submit

        • \ProgramData\bsprotection.exe
          Filesize

          824KB

          MD5

          a6841c61c353c6110d15417fc72cbad7

          SHA1

          412513364d161fff36a3a26b3cab922533e59d2e

          SHA256

          936cd15c031f4b76375b6febcd35cc214fc9a6931e045a68848af293be86564f

          SHA512

          4e2100e2d99c56e9d3b6eacdbc8a50664d54a4aed1edf8cd285baaaebbfb1ab7f705cb6419cd50afe311ae2def92c04e9b7bd57c4b4d9952e7d7594db0ec3ba1

          Download Submit

        • memory/1252-62-0x0000000000400000-0x0000000000A1B000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1252-64-0x0000000000400000-0x0000000000A1B000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1252-66-0x0000000000400000-0x0000000000A1B000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/1792-54-0x0000000000400000-0x00000000004EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1792-55-0x0000000076321000-0x0000000076323000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1792-56-0x0000000000400000-0x00000000004EB000-memory.dmp

          Filesize

          940KB

          Download

        • memory/1792-65-0x0000000000400000-0x00000000004EB000-memory.dmp

          Filesize

          940KB

          Download