cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62

Analysis

max time kernel
26s
max time network
28s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
Size

593KB
MD5

67aca6a4e6a6bff00b3f6868671d443a
SHA1

b4eeee56d52d4d64248b5cdbcc933f3eb5b4e371
SHA256

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62
SHA512

beb96c2c06f54b5f1186ac0b5906717eb96760eaca9f265a35f0176dd77d845c5ad5beff5cc2d37f22243b7b5488371f20b3da6a16a3c233d34a9074232089aa
SSDEEP

12288:VuBSP/amC/BJSpc/aaT9/gur79Yq63kfydqAKTE1qH:sA6/Bwy/aI/gK79YH0FAgxH

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

BqjnC0gFVHRul8.exewin.exewio.exewiq.exe

pid process

864 BqjnC0gFVHRul8.exe
820 win.exe
4288 wio.exe
5016 wiq.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3084-162-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3084-165-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3084-166-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3084-167-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3880 rundll32.exe

pid	process
3880	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fgideburimuq = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\maLAp10.dll\",Startup"	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

win.exe

description ioc process

File opened for modification \??\physicaldrive0 win.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

wiq.exe

description pid process target process

PID 5016 set thread context of 3084 5016 wiq.exe svchost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\physicaldrive0	win.exe

description	pid	process	target process
PID 5016 set thread context of 3084	5016	wiq.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

BqjnC0gFVHRul8.exesvchost.exe

pid	process
864	BqjnC0gFVHRul8.exe
864	BqjnC0gFVHRul8.exe
3084	svchost.exe
3084	svchost.exe
864	BqjnC0gFVHRul8.exe
864	BqjnC0gFVHRul8.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe
3084	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

win.exe

description pid process

Token: SeShutdownPrivilege 820 win.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

BqjnC0gFVHRul8.exewiq.exe

pid process

864 BqjnC0gFVHRul8.exe
5016 wiq.exe

description	pid	process
Token: SeShutdownPrivilege	820	win.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exewio.exewiq.exe

description	pid	process	target process
PID 848 wrote to memory of 864	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 848 wrote to memory of 864	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 848 wrote to memory of 864	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	BqjnC0gFVHRul8.exe
PID 848 wrote to memory of 820	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 848 wrote to memory of 820	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 848 wrote to memory of 820	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	win.exe
PID 848 wrote to memory of 4288	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 848 wrote to memory of 4288	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 848 wrote to memory of 4288	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wio.exe
PID 848 wrote to memory of 5016	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 848 wrote to memory of 5016	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 848 wrote to memory of 5016	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	wiq.exe
PID 848 wrote to memory of 1732	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 848 wrote to memory of 1732	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 848 wrote to memory of 1732	848	cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe	cmd.exe
PID 4288 wrote to memory of 3880	4288	wio.exe	rundll32.exe
PID 4288 wrote to memory of 3880	4288	wio.exe	rundll32.exe
PID 4288 wrote to memory of 3880	4288	wio.exe	rundll32.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe
PID 5016 wrote to memory of 3084	5016	wiq.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
"C:\Users\Admin\AppData\Local\Temp\cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\BqjnC0gFVHRul8.exe
BqjnC0gFVHRul8.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:864

C:\Users\Admin\win.exe
win.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Users\Admin\wiq.exe
wiq.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3084

C:\Users\Admin\wio.exe
wio.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\maLAp10.dll",Startup
3⤵
- Loads dropped DLL
- Adds Run key to start application
PID:3880

C:\Windows\SysWOW64\cmd.exe
cmd /c del cf6719a94332139284db1145dca0e8fc94a6e52a9ab9523d82628bdc3b4f5d62.exe
2⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\maLAp10.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
C:\Users\Admin\AppData\Local\maLAp10.dll
Filesize
103KB

MD5
19f8a2d4e8270baf8bd5a6086f565e70

SHA1
b5a05abe09066906b569f0fadefb00fb567ef547

SHA256
2f677a22315a327d82514449be56d53cd85a8dd3eef75317231647faac6caf50

SHA512
8a5686b22a993f8c38420f9c163e6321eab7a089858da4852160684ccc260d82f21e933365e0f413418849f9af26786d805d0dd6295546b52ae9ab5fcf88ed63

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\BqjnC0gFVHRul8.exe
Filesize
148KB

MD5
fc8e30e732d9e1483b7d29ea39ad9c15

SHA1
04215f820a214d11e1dd9a832ac264605cf98604

SHA256
c3bb55f793445fe9ca4dbdd55c7dd1d5ec90c807d3270833b3f9678a9a956585

SHA512
d56cb22fde3d54cc4d5008857e573e4b8182b4d690c9a9ca9978aca5ed0051001c919588918ac17dd7c3d41c90acca9411d42cf33c10accd12d3d313fb60afd6

Download Submit
C:\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\win.exe
Filesize
172KB

MD5
16dfe37b77854e727eabedd05239ebee

SHA1
9218bb944834fb46eb2f04858ada0dacdf821d77

SHA256
8ee33551b06628414ed9003fd0c35ab5abbedf6f85e50c9bfdb99fc72172d267

SHA512
56c765b030817f0903dd9ce50aefb3511e30706891f7d9accd7f95c465d1890fdda3ab59238919b59951fe1c361699f80675b6fab9c9df26dd4f22d97b0ca903

Download Submit
C:\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wio.exe
Filesize
103KB

MD5
f7756f6980dc23ef661085d6cd999831

SHA1
cd77f7a9bc8c058023779a531e2deac8c3241638

SHA256
53122fb8bd9b1a304af221e3172c1770f18d20e71f275b98bcfe10cc81ec3740

SHA512
b1e51945dea731c962140b9755c2d6b549feb3fb0d9793a0c67fe6a99498dde1a4744931ca80053f723eec221975e26220e7c357188bd0f11f5966bf2cc618df

Download Submit
C:\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
C:\Users\Admin\wiq.exe
Filesize
52KB

MD5
65a849404ffe62e0d2f56d7993f00920

SHA1
6401a9e92690172958fbf0ee122990479628e92f

SHA256
afe7c75a0e8d28d5f068cf3605f9aa10016d37348eab013b6dc487e943110c50

SHA512
99af61b924d550ff3d8c52db86991cc40ebd94510982dc69ce99bb975ad8de32c07ea9c7eb28d05e55117b15ab3b57d3d2bfe25c744c8918d63d96ef974d5d38

Download Submit
memory/820-163-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/820-134-0x0000000000000000-mapping.dmp

Download
memory/820-160-0x0000000002430000-0x0000000002486000-memory.dmp

Filesize
344KB

Download
memory/820-159-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/820-158-0x0000000002430000-0x0000000002486000-memory.dmp

Filesize
344KB

Download
memory/820-156-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/820-155-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/864-132-0x0000000000000000-mapping.dmp

Download
memory/1732-143-0x0000000000000000-mapping.dmp

Download
memory/3084-167-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-161-0x0000000000000000-mapping.dmp

Download
memory/3084-162-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-165-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3084-166-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3880-147-0x0000000000000000-mapping.dmp

Download
memory/3880-157-0x0000000001061000-0x000000000106F000-memory.dmp

Filesize
56KB

Download
memory/3880-152-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4288-154-0x0000000002021000-0x000000000202F000-memory.dmp

Filesize
56KB

Download
memory/4288-142-0x0000000010000000-0x000000001001D000-memory.dmp

Filesize
116KB

Download
memory/4288-138-0x0000000000000000-mapping.dmp

Download
memory/5016-141-0x0000000000000000-mapping.dmp

Download