c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5

Analysis

max time kernel
11s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
Size

875KB
MD5

1d300b42acc00f14506e3bf709dd9a6c
SHA1

48be4d2b37d461a6c05640626e427046d97393c9
SHA256

c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5
SHA512

73ba9aee764d61aa385cfcb1cc5468fa481d534147a76af0642112ffa823bc40f44605407764962fc654baa1865065f1faf9b2e0462303782e2380bd00b6bc98
SSDEEP

24576:QyETPiLKHOuAyNotn4Jtre0SgkeAzytQC:QyOoKHOuAyNYnAmOGaQC

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1468	1.EXE
1112	H_Server.exe

Loads dropped DLL 6 IoCs

pid	Process
1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
1468	1.EXE
1468	1.EXE
1468	1.EXE
1112	H_Server.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	1.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	H_Server.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Server.com	H_Server.exe
File opened for modification	C:\Windows\Server.com	H_Server.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1620 wrote to memory of 1468	1620	c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe	28
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1468 wrote to memory of 1112	1468	1.EXE	29
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30
PID 1112 wrote to memory of 748	1112	H_Server.exe	30

C:\Users\Admin\AppData\Local\Temp\c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe
"C:\Users\Admin\AppData\Local\Temp\c7afec2b1e8204b71e7ebae7b8752e11d35f85c54d6992c558e5083a00b4cdf5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" ¨Á
      4⤵
      PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE

Filesize
576KB

MD5
c452aecd32bed47f0886faf81373395b

SHA1
c310a7bf86b076c646f9399b738e0e1a22e8b274

SHA256
3bb9311c7d78a863768c9f1bae5c3a96a39f3b2ad999f49ad82ecdd79ff76621

SHA512
f54dc44639e0c1a65aba5e02668c8b22cc41ada551199cbac4040c34f495c14197079d55b5457d3a1e14028e0166da229cdd1cf57f92e3299855a7d1c423dbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE

Filesize
576KB

MD5
c452aecd32bed47f0886faf81373395b

SHA1
c310a7bf86b076c646f9399b738e0e1a22e8b274

SHA256
3bb9311c7d78a863768c9f1bae5c3a96a39f3b2ad999f49ad82ecdd79ff76621

SHA512
f54dc44639e0c1a65aba5e02668c8b22cc41ada551199cbac4040c34f495c14197079d55b5457d3a1e14028e0166da229cdd1cf57f92e3299855a7d1c423dbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe

Filesize
514KB

MD5
40fb0c5e294b2ea037a338d6c0a69402

SHA1
e12ca36ed89f4ea6cdf43d04e76249d51bf73225

SHA256
b61e6247f8360ecdc5ac257708b66ed160059f24ad46f356ef600df69a750224

SHA512
783cf2cd1c9d717c04ca9134a3d77c4aca5d1878e85a9386996653b05ac4a307f0bf7e23d4837ff109db96d9c672c381d4055173b32353605ebef98d908bf867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe

Filesize
514KB

MD5
40fb0c5e294b2ea037a338d6c0a69402

SHA1
e12ca36ed89f4ea6cdf43d04e76249d51bf73225

SHA256
b61e6247f8360ecdc5ac257708b66ed160059f24ad46f356ef600df69a750224

SHA512
783cf2cd1c9d717c04ca9134a3d77c4aca5d1878e85a9386996653b05ac4a307f0bf7e23d4837ff109db96d9c672c381d4055173b32353605ebef98d908bf867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE

Filesize
576KB

MD5
c452aecd32bed47f0886faf81373395b

SHA1
c310a7bf86b076c646f9399b738e0e1a22e8b274

SHA256
3bb9311c7d78a863768c9f1bae5c3a96a39f3b2ad999f49ad82ecdd79ff76621

SHA512
f54dc44639e0c1a65aba5e02668c8b22cc41ada551199cbac4040c34f495c14197079d55b5457d3a1e14028e0166da229cdd1cf57f92e3299855a7d1c423dbb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE

Filesize
576KB

MD5
c452aecd32bed47f0886faf81373395b

SHA1
c310a7bf86b076c646f9399b738e0e1a22e8b274

SHA256
3bb9311c7d78a863768c9f1bae5c3a96a39f3b2ad999f49ad82ecdd79ff76621

SHA512
f54dc44639e0c1a65aba5e02668c8b22cc41ada551199cbac4040c34f495c14197079d55b5457d3a1e14028e0166da229cdd1cf57f92e3299855a7d1c423dbb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1.EXE

Filesize
576KB

MD5
c452aecd32bed47f0886faf81373395b

SHA1
c310a7bf86b076c646f9399b738e0e1a22e8b274

SHA256
3bb9311c7d78a863768c9f1bae5c3a96a39f3b2ad999f49ad82ecdd79ff76621

SHA512
f54dc44639e0c1a65aba5e02668c8b22cc41ada551199cbac4040c34f495c14197079d55b5457d3a1e14028e0166da229cdd1cf57f92e3299855a7d1c423dbb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe

Filesize
514KB

MD5
40fb0c5e294b2ea037a338d6c0a69402

SHA1
e12ca36ed89f4ea6cdf43d04e76249d51bf73225

SHA256
b61e6247f8360ecdc5ac257708b66ed160059f24ad46f356ef600df69a750224

SHA512
783cf2cd1c9d717c04ca9134a3d77c4aca5d1878e85a9386996653b05ac4a307f0bf7e23d4837ff109db96d9c672c381d4055173b32353605ebef98d908bf867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe

Filesize
514KB

MD5
40fb0c5e294b2ea037a338d6c0a69402

SHA1
e12ca36ed89f4ea6cdf43d04e76249d51bf73225

SHA256
b61e6247f8360ecdc5ac257708b66ed160059f24ad46f356ef600df69a750224

SHA512
783cf2cd1c9d717c04ca9134a3d77c4aca5d1878e85a9386996653b05ac4a307f0bf7e23d4837ff109db96d9c672c381d4055173b32353605ebef98d908bf867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\H_Server.exe

Filesize
514KB

MD5
40fb0c5e294b2ea037a338d6c0a69402

SHA1
e12ca36ed89f4ea6cdf43d04e76249d51bf73225

SHA256
b61e6247f8360ecdc5ac257708b66ed160059f24ad46f356ef600df69a750224

SHA512
783cf2cd1c9d717c04ca9134a3d77c4aca5d1878e85a9386996653b05ac4a307f0bf7e23d4837ff109db96d9c672c381d4055173b32353605ebef98d908bf867

Download Submit
memory/1112-79-0x0000000000400000-0x00000000005737F2-memory.dmp

Filesize
1.5MB

Download
memory/1112-78-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1112-77-0x0000000000580000-0x00000000005C3000-memory.dmp

Filesize
268KB

Download
memory/1112-76-0x0000000000C20000-0x0000000000D94000-memory.dmp

Filesize
1.5MB

Download
memory/1112-75-0x0000000000400000-0x00000000005737F2-memory.dmp

Filesize
1.5MB

Download
memory/1468-74-0x0000000002520000-0x0000000002694000-memory.dmp

Filesize
1.5MB

Download
memory/1468-73-0x0000000001000000-0x000000000111EECD-memory.dmp

Filesize
1.1MB

Download
memory/1468-80-0x0000000001000000-0x000000000111EECD-memory.dmp

Filesize
1.1MB

Download
memory/1620-72-0x0000000000E70000-0x0000000000F8F000-memory.dmp

Filesize
1.1MB

Download
memory/1620-71-0x0000000001000000-0x00000000011A1DF5-memory.dmp

Filesize
1.6MB

Download
memory/1620-70-0x0000000000BA0000-0x0000000000D42000-memory.dmp

Filesize
1.6MB

Download
memory/1620-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/1620-54-0x0000000001000000-0x00000000011A1DF5-memory.dmp

Filesize
1.6MB

Download
memory/1620-81-0x0000000001000000-0x00000000011A1DF5-memory.dmp

Filesize
1.6MB

Download