Analysis

max time kernel: 148s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-12-2022 18:00

Static task: static1

Behavioral task: behavioral1
Sample: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Resource: win10v2004-20220812-en

General

Target: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Size: 174KB
MD5: e2bb9debf33967fdbdcf4d77f7bd268b
SHA1: 37e6cd4aa8e60d7ce7dae8d28823c5cc069e7e20
SHA256: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe
SHA512: ff85238a2eeff28a7f34cd0d58a13e40aed46966bd97778281d8dc53ff6a0d7379172f0d44a1c45177ad14b2d4255720c33d79a1f73cb5c8c9ac9299819f3caf
SSDEEP: 3072:/3E3I2uOiBgsvKLqDHEFwKSxTjYnNG8CmmG4tcb90UuhU89di1cFR8:/U3Bu7KsjHEF/CTYG8CmmG4o0U0bi6FR
Malware Config

Signatures
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
ioc: File opened for modification \??\PhysicalDrive0
process: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Suspicious use of FindShellTrayWindow (1 IoC)
pid 2144: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Suspicious use of SendNotifyMessage (1 IoC)
pid 2144: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
Suspicious use of SetWindowsHookEx (20 IoCs)
pid 2144: 903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe (all 20 IoCs from this one process)
Processes

C:\Users\Admin\AppData\Local\Temp\903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe
command line: "C:\Users\Admin\AppData\Local\Temp\903c6a71d2805be4673824017bdea8af89f9a2cf0a8b749dfd7397e622ffdfbe.exe"
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID: 2144