Analysis

  • max time kernel
    148s
  • max time network
    191s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-12-2022 02:55

General

  • Target

    6c42423e18decb610668de1f708a55f80dc7e73b4fbf32c739b9c6d4d4d97719.exe

  • Size

    1.4MB

  • MD5

    5d93d6b3c7fae90403a91666598d3d9f

  • SHA1

    db22b53e6cb625c7cae1befa0655e83176dd9a76

  • SHA256

    6c42423e18decb610668de1f708a55f80dc7e73b4fbf32c739b9c6d4d4d97719

  • SHA512

    e20334d38b266caa8cf39e06362513d12b73995f9d1f9adbee353b6b58956825e53d146c34dc5c7011881cdab47eba968622c4df7e5474c1963ee59a77c1dd84

  • SSDEEP

    24576:JHPn34MhTCilQoR1Ke2xnk6c/gfsGfhyQemrNDgPUzCgnextHWUziJm4IFMesbT7:RP9RbGGc9eTYmEbTrL1OImTyTYhlB7B

Malware Config

Signatures

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6c42423e18decb610668de1f708a55f80dc7e73b4fbf32c739b9c6d4d4d97719.exe
    "C:\Users\Admin\AppData\Local\Temp\6c42423e18decb610668de1f708a55f80dc7e73b4fbf32c739b9c6d4d4d97719.exe"
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Modifies Internet Explorer settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1776
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x574
    PID:932
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:748
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:748 CREDAT:275457 /prefetch:2
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:744

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Bootkit (1) T1067
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: System Information Discovery (2) T1082

Downloads
