d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006

Analysis

max time kernel
233s
max time network
407s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
Size

15.8MB
MD5

49464f49275e8d058749de05e072ad1e
SHA1

d92206c84b249f140e9d56d2508793ec693f4e1f
SHA256

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006
SHA512

0c714aed1c5ddeb51d6103e132ace466275975edd1e4ef7edabcc4422fb1918e47f43e0f8731729c973aaf810589a6506fa183b897cf9f16efcb8a097b44fa91
SSDEEP

393216:rk6YLfSunp9MeiwRonMyfAA0TW5n8eSbkH3yuQFrA9moDW46A:w6aflnp9MeiCongoGeSbkXAA9mo/

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

SHOWDRIVE.EXEPECMD.EXEomnifs32.EXE

pid process

684 SHOWDRIVE.EXE
1044 PECMD.EXE
1344 omnifs32.EXE

pid	process
684	SHOWDRIVE.EXE
1044	PECMD.EXE
1344	omnifs32.EXE

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\SysWOW64\PECMD.EXE	upx
\Windows\SysWOW64\PECMD.EXE	upx
C:\Windows\SysWOW64\PECMD.EXE	upx
behavioral1/memory/1044-64-0x0000000000400000-0x0000000000501000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.execmd.exe

pid	process
1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
556	cmd.exe

Enumerates connected drives 3 TTPs 28 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exeSHOWDRIVE.EXEomnifs32.EXEPECMD.EXE

description	ioc	process
File opened (read-only)	\??\z:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\m:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\w:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\x:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\o:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\e:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\r:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\u:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\D:	SHOWDRIVE.EXE
File opened (read-only)	\??\a:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\i:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\y:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\l:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\v:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\E:	omnifs32.EXE
File opened (read-only)	\??\b:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\f:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\g:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\h:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\s:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\t:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\j:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\n:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\p:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\D:	omnifs32.EXE
File opened (read-only)	\??\E:	PECMD.EXE
File opened (read-only)	\??\k:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened (read-only)	\??\q:	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

omnifs32.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	omnifs32.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	omnifs32.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

omnifs32.EXE

description ioc process

File opened for modification \??\PhysicalDrive0 omnifs32.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	omnifs32.EXE

Drops file in System32 directory 9 IoCs

Processes:

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\PECMD.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened for modification	C:\Windows\SysWOW64\omnifs32.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File created	C:\Windows\SysWOW64\omnifs.txt	cmd.exe
File created	C:\Windows\SysWOW64\Readme.txt	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File created	C:\Windows\SysWOW64\SHOWDRIVE.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened for modification	C:\Windows\SysWOW64\SHOWDRIVE.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File created	C:\Windows\SysWOW64\PECMD.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File created	C:\Windows\SysWOW64\omnifs32.EXE	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
File opened for modification	C:\Windows\SysWOW64\Readme.txt	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\efi.txt cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe

pid process

1504 d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PECMD.EXE

description pid process

Token: 33 1044 PECMD.EXE
Token: SeIncBasePriorityPrivilege 1044 PECMD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

PECMD.EXE

pid process

1044 PECMD.EXE
1044 PECMD.EXE

description	ioc	process
File created	C:\Windows\efi.txt	cmd.exe

description	pid	process
Token: 33	1044	PECMD.EXE
Token: SeIncBasePriorityPrivilege	1044	PECMD.EXE

pid	process
1044	PECMD.EXE
1044	PECMD.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 684	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	SHOWDRIVE.EXE
PID 1504 wrote to memory of 684	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	SHOWDRIVE.EXE
PID 1504 wrote to memory of 684	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	SHOWDRIVE.EXE
PID 1504 wrote to memory of 684	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	SHOWDRIVE.EXE
PID 1504 wrote to memory of 1044	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	PECMD.EXE
PID 1504 wrote to memory of 1044	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	PECMD.EXE
PID 1504 wrote to memory of 1044	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	PECMD.EXE
PID 1504 wrote to memory of 1044	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	PECMD.EXE
PID 1504 wrote to memory of 928	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 928	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 928	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 928	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 556	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 556	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 556	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 1504 wrote to memory of 556	1504	d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe	cmd.exe
PID 556 wrote to memory of 1344	556	cmd.exe	omnifs32.EXE
PID 556 wrote to memory of 1344	556	cmd.exe	omnifs32.EXE
PID 556 wrote to memory of 1344	556	cmd.exe	omnifs32.EXE
PID 556 wrote to memory of 1344	556	cmd.exe	omnifs32.EXE

C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe
"C:\Users\Admin\AppData\Local\Temp\d33cdf0a2a3457fff6edaadc7dcf53b88c6e9cbb78fd3f5470006909f83f2006.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\SHOWDRIVE.EXE
SHOWDRIVE.EXE
2⤵
- Executes dropped EXE
- Enumerates connected drives
PID:684

C:\Windows\SysWOW64\PECMD.EXE
PECMD.EXE show -1:-1
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit>C:\Windows\efi.txt
2⤵
- Drops file in Windows directory
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c omnifs32.exe -nousb -noide info>omnifs.txt
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\omnifs32.EXE
omnifs32.exe -nousb -noide info
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Maps connected drives based on registry
- Writes to the Master Boot Record (MBR)
PID:1344

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\PECMD.EXE
Filesize
479KB

MD5
ae1b31ab58dbb8e65cc261b527a0a5dd

SHA1
502505378077bdcc4286907b39808476da2df3fd

SHA256
c4e87136d140c22b097ec6ae608d4056327eb4eb45299e92032f1cb6ec279811

SHA512
f1eec1fece457bb9e3448f98288d1974aca27609710d1142b8a9bda5697561fe2ef764ca90044d5ee10b9048bf7f80fade913cdb99bea0e2764fd8c31297e1ef

Download Submit
C:\Windows\SysWOW64\SHOWDRIVE.EXE
Filesize
28KB

MD5
9dcc76e36021f25312903377500566e2

SHA1
c74d638a38e3b842b8a06958e96b11081de8d1e4

SHA256
c1863cecf48d4e0dc26326081a6bc6d6975e86d9b395fa6e49eaec632ad1c5b7

SHA512
ab751b0427ce78225f2bfa686a643aebccad7b60094c27c3a75e80bfc975dccc6aa9ae96761ca218069dc22d4161fb7837a14287dcd9287af3f35e84c2b08c5d

Download Submit
C:\Windows\SysWOW64\omnifs.txt
Filesize
252B

MD5
99a37cb18bc2dbd2ac6b704c1ef5cf17

SHA1
f0f642089aa2de9ebb228ab3c6814b03277c9815

SHA256
e25ae6ff1a3df23afc77bb1bee9d59e03949331919c21da031be29d1b387ea00

SHA512
45312da4342ace11c72110fb2b17ee47bf518c832ade12713359a1339f1ce7767e857782c47501c7a47d64bfeef65b73a1ce6779b26e992bcaa568a0209333fc

Download Submit
C:\Windows\SysWOW64\omnifs32.EXE
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
C:\Windows\SysWOW64\omnifs32.EXE
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
\Windows\SysWOW64\PECMD.EXE
Filesize
479KB

MD5
ae1b31ab58dbb8e65cc261b527a0a5dd

SHA1
502505378077bdcc4286907b39808476da2df3fd

SHA256
c4e87136d140c22b097ec6ae608d4056327eb4eb45299e92032f1cb6ec279811

SHA512
f1eec1fece457bb9e3448f98288d1974aca27609710d1142b8a9bda5697561fe2ef764ca90044d5ee10b9048bf7f80fade913cdb99bea0e2764fd8c31297e1ef

Download Submit
\Windows\SysWOW64\PECMD.EXE
Filesize
479KB

MD5
ae1b31ab58dbb8e65cc261b527a0a5dd

SHA1
502505378077bdcc4286907b39808476da2df3fd

SHA256
c4e87136d140c22b097ec6ae608d4056327eb4eb45299e92032f1cb6ec279811

SHA512
f1eec1fece457bb9e3448f98288d1974aca27609710d1142b8a9bda5697561fe2ef764ca90044d5ee10b9048bf7f80fade913cdb99bea0e2764fd8c31297e1ef

Download Submit
\Windows\SysWOW64\SHOWDRIVE.EXE
Filesize
28KB

MD5
9dcc76e36021f25312903377500566e2

SHA1
c74d638a38e3b842b8a06958e96b11081de8d1e4

SHA256
c1863cecf48d4e0dc26326081a6bc6d6975e86d9b395fa6e49eaec632ad1c5b7

SHA512
ab751b0427ce78225f2bfa686a643aebccad7b60094c27c3a75e80bfc975dccc6aa9ae96761ca218069dc22d4161fb7837a14287dcd9287af3f35e84c2b08c5d

Download Submit
\Windows\SysWOW64\SHOWDRIVE.EXE
Filesize
28KB

MD5
9dcc76e36021f25312903377500566e2

SHA1
c74d638a38e3b842b8a06958e96b11081de8d1e4

SHA256
c1863cecf48d4e0dc26326081a6bc6d6975e86d9b395fa6e49eaec632ad1c5b7

SHA512
ab751b0427ce78225f2bfa686a643aebccad7b60094c27c3a75e80bfc975dccc6aa9ae96761ca218069dc22d4161fb7837a14287dcd9287af3f35e84c2b08c5d

Download Submit
\Windows\SysWOW64\omnifs32.EXE
Filesize
2.3MB

MD5
70b6a76178479d237a2c23b86d6c06d9

SHA1
3bfd492082e3958a1038685ad9e17800510e94e1

SHA256
ed1f0c01a20b99435c9f6a233bf3a766e756c866db1dda460822424d228ec5d7

SHA512
596dcbbb2daf686b938356dff9bbc94f92bf9e92d1230beda5e11cb6dde6538d3878e1d83b9d007dbd550f09d4335443b9b5e922580f6b9b6d2f03d8d6cb0cbd

Download Submit
memory/556-67-0x0000000000000000-mapping.dmp

Download
memory/684-57-0x0000000000000000-mapping.dmp

Download
memory/928-66-0x0000000000000000-mapping.dmp

Download
memory/1044-61-0x0000000000000000-mapping.dmp

Download
memory/1044-64-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/1344-70-0x0000000000000000-mapping.dmp

Download
memory/1504-74-0x0000000004150000-0x0000000004251000-memory.dmp

Filesize
1.0MB

Download
memory/1504-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1504-65-0x0000000004150000-0x0000000004251000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads