Overview

overview

8

Static

static

cd8fdc43e7...19.exe

windows7-x64

8

cd8fdc43e7...19.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    58s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2022 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe

  • Size

    1.2MB

  • MD5

    22fde0753062a2e7921d59fe64d6f7cc

  • SHA1

    c6f1d83d64cfa541ea907d527bc79c698d337643

  • SHA256

    cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19

  • SHA512

    a1e024571711dab2ca9eb33f9b8371eb277cd1b708668c6b7c87ed41beec640151f2b1f775b640ec8139b598c4b298fe5bae2d2b4253142fe7fdec3f2e2aaf04

  • SSDEEP

    24576:LDFq/8wVCMozowl4as1Y+zijEJq95/T+f8hDZ9VMMwsR+jlL79VJoLwl/Q:LDFq/8KC1TUY+ziwq9ty0hDHVqJjB9Q/

Score
8/10
bootkitevasionpersistencetrojanupx

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe
    "C:\Users\Admin\AppData\Local\Temp\cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe"
    1⤵
    • Modifies Installed Components in the registry
    • Identifies Wine through registry keys
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1520
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      2⤵
        PID:1172
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 724
        2⤵
        • Loads dropped DLL
        • Program crash
        PID:960

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Virtualization/Sandbox Evasion

    1
    T1497

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe
      Filesize

      1.2MB

      MD5

      22fde0753062a2e7921d59fe64d6f7cc

      SHA1

      c6f1d83d64cfa541ea907d527bc79c698d337643

      SHA256

      cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19

      SHA512

      a1e024571711dab2ca9eb33f9b8371eb277cd1b708668c6b7c87ed41beec640151f2b1f775b640ec8139b598c4b298fe5bae2d2b4253142fe7fdec3f2e2aaf04

      Download Submit
    • \Users\Admin\AppData\Local\Temp\cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe
      Filesize

      1.2MB

      MD5

      22fde0753062a2e7921d59fe64d6f7cc

      SHA1

      c6f1d83d64cfa541ea907d527bc79c698d337643

      SHA256

      cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19

      SHA512

      a1e024571711dab2ca9eb33f9b8371eb277cd1b708668c6b7c87ed41beec640151f2b1f775b640ec8139b598c4b298fe5bae2d2b4253142fe7fdec3f2e2aaf04

      Download Submit
    • \Users\Admin\AppData\Local\Temp\cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19.exe
      Filesize

      1.2MB

      MD5

      22fde0753062a2e7921d59fe64d6f7cc

      SHA1

      c6f1d83d64cfa541ea907d527bc79c698d337643

      SHA256

      cd8fdc43e7b00d9bd34d4f6fb477e66968b302692e8ccf040e6f180620ac5c19

      SHA512

      a1e024571711dab2ca9eb33f9b8371eb277cd1b708668c6b7c87ed41beec640151f2b1f775b640ec8139b598c4b298fe5bae2d2b4253142fe7fdec3f2e2aaf04

      Download Submit
    • memory/960-78-0x0000000000000000-mapping.dmp
      Download
    • memory/1520-72-0x0000000005750000-0x00000000057ED000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-81-0x00000000058F0000-0x000000000598D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-54-0x0000000000400000-0x000000000063C000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1520-73-0x00000000058F0000-0x000000000598D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-74-0x0000000005A90000-0x0000000005B2D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-75-0x0000000005C30000-0x0000000005CCD000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-76-0x0000000005DD0000-0x0000000005E6D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-77-0x0000000005F70000-0x000000000600D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-63-0x0000000075C81000-0x0000000075C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1520-79-0x0000000005120000-0x00000000051BD000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-80-0x0000000005750000-0x00000000057ED000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-71-0x0000000005120000-0x00000000051BD000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-82-0x0000000005A90000-0x0000000005B2D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-83-0x0000000005C30000-0x0000000005CCD000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-85-0x0000000005F70000-0x000000000600D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-84-0x0000000005DD0000-0x0000000005E6D000-memory.dmp
      Filesize

      628KB

      Download
    • memory/1520-86-0x0000000000400000-0x000000000063C000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1520-65-0x0000000004520000-0x0000000004589000-memory.dmp
      Filesize

      420KB

      Download
    • memory/1520-64-0x0000000000400000-0x000000000063C000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1520-89-0x0000000000400000-0x000000000063C000-memory.dmp
      Filesize

      2.2MB

      Download
    • memory/1520-56-0x0000000010410000-0x0000000010479000-memory.dmp
      Filesize

      420KB

      Download