d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

Analysis

max time kernel
88s
max time network
130s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
Size

368KB
MD5

2c711d5d912e0998355db30d6f26e210
SHA1

b7b54cbc048296e7fdd312394ce66cf9d2de477c
SHA256

d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7
SHA512

6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81
SSDEEP

6144:eZirc2Q2/J1uKBhvLR001fiXCxPsskcPJuoXbW9Rpm:J4v2mKBT6XuPssXJPyDpm

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1180	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
1488	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Loads dropped DLL 4 IoCs

pid	Process
584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
File opened for modification	\??\PhysicalDrive0	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 1180	584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	28
PID 584 wrote to memory of 1180	584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	28
PID 584 wrote to memory of 1180	584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	28
PID 584 wrote to memory of 1180	584	d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe	28

C:\Users\Admin\AppData\Local\Temp\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
"C:\Users\Admin\AppData\Local\Temp\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584
- C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
  "C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe" -run
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:1180

C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
C:\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
986B

MD5
051b399fc7c4d57e14d20ca0a1845cbe

SHA1
a3b2bb3613ef8f6fe6b4d562dbc7bdc5ea8cf271

SHA256
da7ca5e2813a3441d6659fe372f1cd9f0f9b5abc4efb8312bfa37dd903e4f864

SHA512
a3f69f77ec399a47c7f9df31aec3ec6709551423e18b0ba22b23be445fda2228a9ccf89d7db500529dabbf38485cae3264f0512e9544c960e6ed3517a9809ae3

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
1KB

MD5
15c43b954609a7914f94c8339cacec4b

SHA1
aff5394cb15d43ca8cf1d65e7b6b52071bbac353

SHA256
9532568a8c398c0d81cce099a2bd30e3554f188470165bdbc23cf49778b4792e

SHA512
6c71af9bc7da44a563c6803bdb3ccd294d365b73508cb8ec9c78bcc20758b778f935d39309d885ba592230c7cb635bb615743524242e04eb9166b99f1b92768a

Download Submit
C:\ProgramData\eSafe\log\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.LOG

Filesize
1KB

MD5
cbae62263d19eca1015f7083ad896e03

SHA1
e268765b3c0899e14c355c561e5c1506ac1f2a30

SHA256
062efef98a584e26be27be84f0daea5cc46a73c4f422b470f1256159d620b5f9

SHA512
386ec90509aef5cf59e95afb3db8967ddd3f228365d935d9f0094035d6087194d9e76e357738dcd69df8f0b91b50bb88d1f35b764de1c85ff53521e373de6232

Download Submit
\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
\ProgramData\eSafe\d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7.exe

Filesize
368KB

MD5
2c711d5d912e0998355db30d6f26e210

SHA1
b7b54cbc048296e7fdd312394ce66cf9d2de477c

SHA256
d12ec0bd53761d32ea5771ba5ef22679f5c4b11b03742c70d1fb559b66e813b7

SHA512
6007324a511144de22693687d957adcd7569628d1f712375a2341c0254311b43762f712f4026283ffc0cdddf6e32a625f8b48e3d5d040dfaa248675e4d103f81

Download Submit
memory/584-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download