5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe
Size

2.1MB
MD5

6078ebe6a896729a28e5577891a352fa
SHA1

8df98b640292ea4803230b2b8c9c0c5d3d52ec6f
SHA256

5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4
SHA512

5c14af0d27871bd6e22e1c35f4311d3384639de92c161baafdc5b3af80ce0cf6f00e8f6c55e779ee7750285171fe7adfa0c9f1f6487c9ef63e06a0d9124041a1
SSDEEP

49152:BRhhTNSh+00XcG/7R4MVo4p87OtpRNcnMSptbpwE:3wh+Z/79Dp8K7rc3b

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

Modifies registry class 3 IoCs

Processes:

5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

pid process

1056 5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

pid	process
1056	5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe

C:\Users\Admin\AppData\Local\Temp\5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe
"C:\Users\Admin\AppData\Local\Temp\5219732128190b2cf5bcdf3fae5b3ba11af9735c7b331c8d627cd74d346c22d4.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1056

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1056-55-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download
memory/1056-56-0x0000000000DE0000-0x0000000000DE3000-memory.dmp

Filesize
12KB

Download
memory/1056-57-0x0000000000400000-0x0000000000AA3000-memory.dmp

Filesize
6.6MB

Download