Overview

overview

8

Static

static

8

ede707e9ac...6b.exe

windows7-x64

8

ede707e9ac...6b.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    152s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 13:58

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe

  • Size

    156KB

  • MD5

    3f17f63a227b16630e2396fef16144be

  • SHA1

    204a376e352ca4e698dd366ecb261efa347db3be

  • SHA256

    ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b

  • SHA512

    d99a47398dd640a85d42fd3f832798a0654a7bb6357bc1a85977936f62838fe750ae1d1fc2dc20d0b9362393a35084203a6a0ee2645d4a8ace2920845d1a9fbc

  • SSDEEP

    3072:ebZQ7MmKd2DvUrJQArxjnoxDAnGbasa0m5QwNoOnGjWuD:eb6HI2DvyZFjnoVAn0i5QwNoOG

Score
8/10
bootkitpersistencevmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Sets file execution options in registry 2 TTPs 64 IoCs
    persistence
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe
    "C:\Users\Admin\AppData\Local\Temp\ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe"
    1⤵
    • Sets file execution options in registry
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Temp\1.exe
      "C:\Temp\1.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Sets DLL path for service in the registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1&&del /f /q /a:- "C:\Users\Admin\AppData\Local\Temp\ede707e9acef3cc2de7e9a6e3ab2b869064ddf69c4a510e1510a250004dfd76b.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:1904
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of SetWindowsHookEx
    PID:1212

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Temp\1.exe
          Filesize

          176KB

          MD5

          13d3a8eef1ab8b14ab364da4e8623931

          SHA1

          870bdadbcd4099c1bc4241ce2531c951e4eae47e

          SHA256

          f360e672a3c624302f5bde171b745fe0cc78455fd16c47ce91ceec2df8585b36

          SHA512

          4a3fc8925c618b1c2fbf68440f8ea8c70a5209cc52d919ba321c4ea48b09b3a83ad787d12a12694a29085f59d6d0bcec7730031260068c42c9ca38115dc9fa39

          Download Submit

        • C:\Temp\1.exe
          Filesize

          176KB

          MD5

          13d3a8eef1ab8b14ab364da4e8623931

          SHA1

          870bdadbcd4099c1bc4241ce2531c951e4eae47e

          SHA256

          f360e672a3c624302f5bde171b745fe0cc78455fd16c47ce91ceec2df8585b36

          SHA512

          4a3fc8925c618b1c2fbf68440f8ea8c70a5209cc52d919ba321c4ea48b09b3a83ad787d12a12694a29085f59d6d0bcec7730031260068c42c9ca38115dc9fa39

          Download Submit

        • C:\Windows\system32\drivers\etc\oeOnUQstg6.del
          Filesize

          15B

          MD5

          27d68454ed0c780848194c6c571ba4c2

          SHA1

          b4cdd52d083c73cff2b4261942b5d8e9374e0d51

          SHA256

          417dd5e1a1b9485f7eac6ff92a6faccc2bb471e5085f64b7759241ea3f0957e0

          SHA512

          59a99b708dc124e512be2c96494053e53989a96b81ebcb9a25629530f79c062a3385ed6165bb86432135c352c99a10346a9a4f0610d77d849565a669651de7e7

          Download Submit

        • \??\c:\windows\system32\drivers\etc\qvezoupq.dll
          Filesize

          144KB

          MD5

          023b0720c428f5dfb20166ac0fd2b6fc

          SHA1

          7c2ef2b17fc0eb8f8834c4d83d6cd33b17fb3610

          SHA256

          f4e5e9ea371e5a7ff4c1c7af7ea1bce78a02d7118d17905961d1e6f673f84115

          SHA512

          a1898d17155194cea19c1fc1a72c8aa8756fa54f90342fce5fa8d1565272624b8ad10243f1d33cc55a7a7c5e01919426a5588a33583f6cb060d4efb61812f6e3

          Download Submit

        • \Temp\1.exe
          Filesize

          176KB

          MD5

          13d3a8eef1ab8b14ab364da4e8623931

          SHA1

          870bdadbcd4099c1bc4241ce2531c951e4eae47e

          SHA256

          f360e672a3c624302f5bde171b745fe0cc78455fd16c47ce91ceec2df8585b36

          SHA512

          4a3fc8925c618b1c2fbf68440f8ea8c70a5209cc52d919ba321c4ea48b09b3a83ad787d12a12694a29085f59d6d0bcec7730031260068c42c9ca38115dc9fa39

          Download Submit

        • \Temp\1.exe
          Filesize

          176KB

          MD5

          13d3a8eef1ab8b14ab364da4e8623931

          SHA1

          870bdadbcd4099c1bc4241ce2531c951e4eae47e

          SHA256

          f360e672a3c624302f5bde171b745fe0cc78455fd16c47ce91ceec2df8585b36

          SHA512

          4a3fc8925c618b1c2fbf68440f8ea8c70a5209cc52d919ba321c4ea48b09b3a83ad787d12a12694a29085f59d6d0bcec7730031260068c42c9ca38115dc9fa39

          Download Submit

        • \Windows\System32\drivers\etc\QveZOupQ.dll
          Filesize

          144KB

          MD5

          023b0720c428f5dfb20166ac0fd2b6fc

          SHA1

          7c2ef2b17fc0eb8f8834c4d83d6cd33b17fb3610

          SHA256

          f4e5e9ea371e5a7ff4c1c7af7ea1bce78a02d7118d17905961d1e6f673f84115

          SHA512

          a1898d17155194cea19c1fc1a72c8aa8756fa54f90342fce5fa8d1565272624b8ad10243f1d33cc55a7a7c5e01919426a5588a33583f6cb060d4efb61812f6e3

          Download Submit

        • memory/944-66-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

          Download

        • memory/944-54-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

          Download

        • memory/944-59-0x0000000075021000-0x0000000075023000-memory.dmp

          Filesize

          8KB

          Download

        • memory/944-55-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

          Download