Overview

overview

8

Static

static

9b52b43aee...07.exe

windows7-x64

3

9b52b43aee...07.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    179s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 06:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207.exe

  • Size

    20KB

  • MD5

    1208531de08e2cc108ea9dc2b02a8e40

  • SHA1

    6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

  • SHA256

    9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

  • SHA512

    60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

  • SSDEEP

    384:Gz4PQJ55g8SYRsqNvSEB4c3rlx680RQdW2YAaBRRLTAltjFRgxwskxl:Gz1FFScHNqI/680RQMCaBIPawnxl

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
      PID:2872
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3476
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:4692
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
            PID:3820
          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
            1⤵
              PID:3568
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
                PID:3404
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:3304
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                    PID:3104
                  • C:\Windows\system32\taskhostw.exe
                    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                    1⤵
                      PID:2960
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                      1⤵
                        PID:2920
                      • C:\Users\Admin\AppData\Local\Temp\9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207.exe
                        "C:\Users\Admin\AppData\Local\Temp\9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207.exe"
                        1⤵
                        • Adds Run key to start application
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:424
                        • C:\Users\Admin\Admin.exe
                          C:\Users\Admin\Admin.exe /r
                          2⤵
                          • Executes dropped EXE
                          • Adds Run key to start application
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:4980
                          • C:\Users\Admin\Admin.exe
                            C:\Users\Admin\Admin.exe /r
                            3⤵
                            • Executes dropped EXE
                            • Adds Run key to start application
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of WriteProcessMemory
                            PID:4920
                            • C:\Users\Admin\Admin.exe
                              C:\Users\Admin\Admin.exe /r
                              4⤵
                              • Executes dropped EXE
                              • Adds Run key to start application
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of WriteProcessMemory
                              PID:4876
                              • C:\Users\Admin\Admin.exe
                                C:\Users\Admin\Admin.exe /r
                                5⤵
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of WriteProcessMemory
                                PID:924
                                • C:\Users\Admin\Admin.exe
                                  C:\Users\Admin\Admin.exe /r
                                  6⤵
                                  • Executes dropped EXE
                                  • Adds Run key to start application
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  PID:2196
                                  • C:\Users\Admin\Admin.exe
                                    C:\Users\Admin\Admin.exe /r
                                    7⤵
                                    • Executes dropped EXE
                                    • Adds Run key to start application
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of WriteProcessMemory
                                    PID:4996
                                    • C:\Users\Admin\Admin.exe
                                      C:\Users\Admin\Admin.exe /r
                                      8⤵
                                      • Executes dropped EXE
                                      • Adds Run key to start application
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of WriteProcessMemory
                                      PID:4620
                                      • C:\Users\Admin\Admin.exe
                                        C:\Users\Admin\Admin.exe /r
                                        9⤵
                                        • Executes dropped EXE
                                        • Adds Run key to start application
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of WriteProcessMemory
                                        PID:1924
                                        • C:\Users\Admin\Admin.exe
                                          C:\Users\Admin\Admin.exe /r
                                          10⤵
                                          • Executes dropped EXE
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of WriteProcessMemory
                                          PID:3388
                                          • C:\Users\Admin\Admin.exe
                                            C:\Users\Admin\Admin.exe /r
                                            11⤵
                                            • Executes dropped EXE
                                            • Writes to the Master Boot Record (MBR)
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:3916

                      Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • C:\Users\Admin\Admin.exe
                              Filesize

                              20KB

                              MD5

                              1208531de08e2cc108ea9dc2b02a8e40

                              SHA1

                              6f7c48c22a1d310912fe9cdc9690c2ef1ad82d55

                              SHA256

                              9b52b43aee2258bcfce7410714955a4846cf6148b9c420a8deb797d792ae8207

                              SHA512

                              60a7968fa1065fe5d70d2c7f721dc54d5885b829f315287378a341d4dcdaaf16eb51d3a53113693667f46a64f218dcff132e9bd495caffeb3f59f2237ba155b5

                              Download Submit

                            • memory/424-135-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/924-145-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/1924-157-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/2196-148-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/3388-160-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/3916-163-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4620-154-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4876-142-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4920-139-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4980-136-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download

                            • memory/4996-151-0x0000000008000000-0x0000000008008000-memory.dmp

                              Filesize

                              32KB

                              Download