b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
Size

404KB
MD5

6fc529de07d137f3ee1ba04f5ff6e5c4
SHA1

4e6884206ce49342ebef7d03dd81dd6dbed7a60f
SHA256

b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760
SHA512

c725d789f0d50333ec620b2ebfb52261b12cf1d7d3724b67d506c6aeca698777b7e535bb9fe541aa3627e1a7272cd2e028db53fc3c8f69a41bf2bb2d73934ca8
SSDEEP

12288:35Bevhp0wpE9z/uXagSAiLNZQ4i696+IUvbOI2/Kmu7wxwj:gWqJSzZOCIiiymuf

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4388-132-0x0000000000400000-0x0000000000435000-memory.dmp	upx
behavioral2/memory/4388-134-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\MBR Regenerator\core\hosts.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\scanner.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\sfc64\sfc.$AA	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\engine.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\engine64.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\engine86.$AA	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\sfc32\sfc.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\sfc64\sfc.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File opened for modification	C:\Windows\MBR Regenerator\core\sfc64\sfc.exe	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\sleep.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\bootsect.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
File created	C:\Windows\MBR Regenerator\core\engine86.$$A	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4184	4388	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe	80
PID 4388 wrote to memory of 4184	4388	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe	80
PID 4388 wrote to memory of 4184	4388	b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe	80
PID 4184 wrote to memory of 4936	4184	cmd.exe	82
PID 4184 wrote to memory of 4936	4184	cmd.exe	82
PID 4184 wrote to memory of 4936	4184	cmd.exe	82
PID 4184 wrote to memory of 1980	4184	cmd.exe	83
PID 4184 wrote to memory of 1980	4184	cmd.exe	83
PID 4184 wrote to memory of 1980	4184	cmd.exe	83
PID 4184 wrote to memory of 2068	4184	cmd.exe	84
PID 4184 wrote to memory of 2068	4184	cmd.exe	84
PID 4184 wrote to memory of 2068	4184	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe
"C:\Users\Admin\AppData\Local\Temp\b1d26549e2124ad2218a1cfdec72005955b7f589037576896c989c4025873760.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\MBR Regenerator\engine.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\mode.com
    mode con: cols=80 lines=16
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\reg.exe
    REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR "7"
    3⤵
    PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\MBR Regenerator\engine.cmd

Filesize
16KB

MD5
9807689728c81d44376164beaed5498f

SHA1
94052d250b3d6dba4cd002b04fa8c933353a429a

SHA256
c2e381524ea02e1a447c0f091da8d695ba5be58c707f09486080a282bceaeb05

SHA512
ab71c1686d858e80eec4d04d220b140dce08c14f811bdd034eaf77bf616202341356b127c65777a85af629633108b98c5aeddb94c70fc6a2342bc4b5d49ced09

Download Submit
memory/4388-132-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads