Overview

overview

8

Static

static

d73f035c91...91.exe

windows7-x64

8

d73f035c91...91.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    389s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d73f035c914e2b26fe5a902bcb2f167416496a2a3af88f92cac4060763c45891.exe

  • Size

    837KB

  • MD5

    45ba505205cc7d1d9e331ce88d5b27dd

  • SHA1

    e53d1804b55c6f14112947bbfde2d8893cfd38ce

  • SHA256

    d73f035c914e2b26fe5a902bcb2f167416496a2a3af88f92cac4060763c45891

  • SHA512

    171fc53c3f3beaf880dad9f285aa5a8e94ce4ef60f14a266194fbc3e178cf785d0f7e17c1550fa5a637ddca49a703a9d5246ad80c283753b6a210a38b7f6f86f

  • SSDEEP

    24576:1HzKsfETSDBqKrYX59HhlmeAJdE9oIwXaClqD:5zKsMxl5jgerobbA

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d73f035c914e2b26fe5a902bcb2f167416496a2a3af88f92cac4060763c45891.exe
    "C:\Users\Admin\AppData\Local\Temp\d73f035c914e2b26fe5a902bcb2f167416496a2a3af88f92cac4060763c45891.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 880
        3⤵
        • Program crash
        PID:3456
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1180
        3⤵
        • Program crash
        PID:364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1200
        3⤵
        • Program crash
        PID:2184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1232
        3⤵
        • Program crash
        PID:3208
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1240
        3⤵
        • Program crash
        PID:3812
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1284
        3⤵
        • Program crash
        PID:4284
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1284
        3⤵
        • Program crash
        PID:3580
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1284
        3⤵
        • Program crash
        PID:4412
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3020 -ip 3020
    1⤵
      PID:2420
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3020 -ip 3020
      1⤵
        PID:4784
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3020 -ip 3020
        1⤵
          PID:4388
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3020 -ip 3020
          1⤵
            PID:1452
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3020 -ip 3020
            1⤵
              PID:1708
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3020 -ip 3020
              1⤵
                PID:4372
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3020 -ip 3020
                1⤵
                  PID:2840
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3020 -ip 3020
                  1⤵
                    PID:4992
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3020 -ip 3020
                    1⤵
                      PID:380

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\isecurity.exe
                      Filesize

                      828KB

                      MD5

                      6f8a8589dfdca9a93c83771eef0025d0

                      SHA1

                      a06fb37488361f8d70303390d4567018c60623fb

                      SHA256

                      12ba3a50481a7a383a920e07eaf69f7348d304c51beb8617c1e6d1f3382a0bcc

                      SHA512

                      0c1d8e19052a03828d09354ed7bacf6b9dfd2cc7bc073cf18b2090096a0807791d31d7b790a667fc61d544de4032c340f91fd2f8a712c1b2b29663e9a1e0257b

                      Download Submit

                    • C:\ProgramData\isecurity.exe
                      Filesize

                      828KB

                      MD5

                      6f8a8589dfdca9a93c83771eef0025d0

                      SHA1

                      a06fb37488361f8d70303390d4567018c60623fb

                      SHA256

                      12ba3a50481a7a383a920e07eaf69f7348d304c51beb8617c1e6d1f3382a0bcc

                      SHA512

                      0c1d8e19052a03828d09354ed7bacf6b9dfd2cc7bc073cf18b2090096a0807791d31d7b790a667fc61d544de4032c340f91fd2f8a712c1b2b29663e9a1e0257b

                      Download Submit

                    • memory/1680-132-0x0000000000400000-0x0000000000508000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/1680-133-0x0000000000400000-0x0000000000508000-memory.dmp

                      Filesize

                      1.0MB

                      Download

                    • memory/3020-137-0x0000000000400000-0x0000000000A34000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/3020-138-0x0000000000400000-0x0000000000A34000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/3020-140-0x0000000000400000-0x0000000000A34000-memory.dmp

                      Filesize

                      6.2MB

                      Download

                    • memory/3020-141-0x0000000000400000-0x0000000000A34000-memory.dmp

                      Filesize

                      6.2MB

                      Download