Analysis

  • max time kernel: 133s
  • max time network: 45s
  • platform: windows7_x64
  • resource: win7-20220812-en
  • resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted: 05-12-2022 05:46

General

  • Target: a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe
  • Size: 420KB
  • MD5: 71ac5addc013828b91359648f0133f51
  • SHA1: 0a563f6be753362b770b2eacb375f1541d3df4a3
  • SHA256: a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834
  • SHA512: 230c7a9dd1de077de076b26416f18b58ebbebb70328ef5e30796a99abec0e972079fbf9cf7d18e1e6f7b86bf352f810bac881cc5a7c9e52cc143aebe43b01645
  • SSDEEP: 6144:k+gEEY+LJHi8zKRKfdlO4s4jF9GZpMtGOkq84BVMZ:kaEYOJHi0KRKw4jFAZdhq84BVM

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe
    "C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe
      C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe
      2⤵
      • Modifies firewall policy service
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:9324
      • C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe
        C:\Users\Admin\AppData\Local\Temp\a2fdb15acbdd8c3c7489173437839d15a364a30026cfdb1f2c75a92e782f0834.exe -f
        3⤵
        PID:10188

Network

MITRE ATT&CK Enterprise v6

Downloads
