Analysis
max time kernel: 145s
max time network: 147s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 05/12/2022, 22:29
Static task: static1
Behavioral task: behavioral1
  Sample: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
  Resource: win10v2004-20221111-en
General
Target: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
Size: 117KB
MD5: d227fd8f393a255d222fd6e1002892e9
SHA1: 415daa01cc933fb5072d8df9e93a7b6b6d34f03f
SHA256: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824
SHA512: a00269a7cdce9acadf2604eff7a289f40b9594a328b52f6a7e9dcb69b47ccbc4d4db3dd7995f561a718023f4f82d87005f2c10b903d532c81ae3b8652ec1b1dd
SSDEEP: 3072:4qTWkUQxIiJAlTzg+/KjEdG9TSb4Z/fTPyp:1wiGZgmGBSb4RT
Malware Config
Signatures
Unexpected DNS network traffic destination (61 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description: Destination IP
ioc:
  153.19.250.100, 212.118.133.101, 210.206.99.57, 193.254.184.231, 210.77.135.115, 210.151.254.192,
  210.166.91.84, 210.47.36.29, 210.252.57.87, 210.157.91.178, 210.246.250.60, 210.183.85.66,
  210.213.15.39, 210.96.182.240, 210.161.137.203, 195.2.117.109, 210.2.16.72, 211.43.205.42,
  210.242.199.212, 210.195.255.130, 203.215.192.20, 210.138.130.234, 210.24.199.118, 207.99.0.42,
  210.199.123.97, 210.99.129.218, 210.206.57.20, 210.166.9.132, 210.211.63.73, 210.154.146.130,
  210.245.165.166, 210.16.44.103, 210.120.223.203, 150.199.199.1, 210.141.232.250, 210.95.226.62,
  207.218.165.10, 210.227.211.53, 150.199.178.1, 210.63.158.151, 210.59.114.214, 210.24.243.66,
  210.35.244.133, 210.139.131.164, 208.101.39.237, 210.201.53.140, 210.230.50.136, 210.232.144.136,
  210.223.63.58, 210.193.80.140, 210.140.192.208, 210.135.100.146, 210.66.59.5, 210.151.24.131,
  210.176.117.131, 210.78.149.27, 210.231.200.185, 210.186.118.55, 65.89.48.11, 210.94.0.82,
  194.186.36.186

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description: File opened for modification
ioc: \??\PhysicalDrive0
Process: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe

Program crash (1 IoCs)
pid: 624
pid_target: 784
Process: WerFault.exe
procid_target: 25

Suspicious use of SetWindowsHookEx (16 IoCs)
pid: 784
Process: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
(16 identical entries)

Suspicious use of WriteProcessMemory (4 IoCs)
description: PID 784 wrote to memory of 624
pid: 784
Process: 85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
procid_target: 27
(4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\85db7cd6dae67ab63a57fba15ad5f2cb1b175a6da6b03fd81db497bb596bb824.exe"
   PID: 784
   - Writes to the Master Boot Record (MBR)
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1768
      PID: 624
      - Program crash