9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd

Analysis

max time kernel
53s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 10:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
Size

5.0MB
MD5

e3d39007c7f350f6a3844c0b7dd91c3d
SHA1

adc9d5d8650a50c2b30c92778a3acb3eb945b621
SHA256

9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd
SHA512

6a02e1904a883101faa7b7b97586f43c7975939898d78f56fb6586237b41e76839eb052b28744e558a573a2622aa6f048279c1d5007cf27e2804e2010b330ba2
SSDEEP

98304:JxZWNLLtqDN1LGC28idEmzJYolnfua3DFP756q79kdVz9MOv5ZIOd3:JxZeVqDXHiKsfnDFz8g9kdrMOv5Zl

Score

10^/10

bootkit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe,"	243fgd.exe

Executes dropped EXE 2 IoCs

pid	Process
1464	243fgd.exe
556	AutoHideIP-5.1.4.6.Setup.exe

Loads dropped DLL 7 IoCs

pid	Process
1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
556	AutoHideIP-5.1.4.6.Setup.exe
556	AutoHideIP-5.1.4.6.Setup.exe
556	AutoHideIP-5.1.4.6.Setup.exe
556	AutoHideIP-5.1.4.6.Setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	243fgd.exe
File created	C:\Windows\SysWOW64\sdra64.exe	243fgd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 12 IoCs

installer

resource	yara_rule
behavioral1/files/0x00090000000134f2-75.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-75.dat	nsis_installer_2
behavioral1/files/0x00090000000134f2-78.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-78.dat	nsis_installer_2
behavioral1/files/0x00090000000134f2-80.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-80.dat	nsis_installer_2
behavioral1/files/0x00090000000134f2-81.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-81.dat	nsis_installer_2
behavioral1/files/0x00090000000134f2-82.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-82.dat	nsis_installer_2
behavioral1/files/0x00090000000134f2-83.dat	nsis_installer_1
behavioral1/files/0x00090000000134f2-83.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1464	243fgd.exe
1464	243fgd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1388 wrote to memory of 1284	1388	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	28
PID 1284 wrote to memory of 1464	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	29
PID 1284 wrote to memory of 1464	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	29
PID 1284 wrote to memory of 1464	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	29
PID 1284 wrote to memory of 1464	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	29
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30
PID 1284 wrote to memory of 556	1284	9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe	30

C:\Users\Admin\AppData\Local\Temp\9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
"C:\Users\Admin\AppData\Local\Temp\9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe
  "C:\Users\Admin\AppData\Local\Temp\9213a1c49f5917d7b0490eadef72e9155bce4cf293dcd5c5d4c5ed6c02653cfd.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Users\Admin\AppData\Local\Temp\243fgd.exe
    "C:\Users\Admin\AppData\Local\Temp\243fgd.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1464
- - C:\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\243fgd.exe

Filesize
152KB

MD5
1e17b462ae0f85e08670886dd964f3d8

SHA1
41d6a2de0e289eca6f18c3fdd85c368b3f6ed0e6

SHA256
50e92930397d1ead5f4eacb63152370f435ebcd690aa65b06f81d233dcc36e1d

SHA512
17872e8ef1f3d7d77b46f39e051943400993505385bba2900613c6a37d5edfb1dbfc4cf93225a17d708bee99fd02f7b767dd1822b8b41d6e326b99fdec3059f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\243fgd.exe

Filesize
152KB

MD5
1e17b462ae0f85e08670886dd964f3d8

SHA1
41d6a2de0e289eca6f18c3fdd85c368b3f6ed0e6

SHA256
50e92930397d1ead5f4eacb63152370f435ebcd690aa65b06f81d233dcc36e1d

SHA512
17872e8ef1f3d7d77b46f39e051943400993505385bba2900613c6a37d5edfb1dbfc4cf93225a17d708bee99fd02f7b767dd1822b8b41d6e326b99fdec3059f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
\Users\Admin\AppData\Local\Temp\243fgd.exe

Filesize
152KB

MD5
1e17b462ae0f85e08670886dd964f3d8

SHA1
41d6a2de0e289eca6f18c3fdd85c368b3f6ed0e6

SHA256
50e92930397d1ead5f4eacb63152370f435ebcd690aa65b06f81d233dcc36e1d

SHA512
17872e8ef1f3d7d77b46f39e051943400993505385bba2900613c6a37d5edfb1dbfc4cf93225a17d708bee99fd02f7b767dd1822b8b41d6e326b99fdec3059f8

Download Submit
\Users\Admin\AppData\Local\Temp\243fgd.exe

Filesize
152KB

MD5
1e17b462ae0f85e08670886dd964f3d8

SHA1
41d6a2de0e289eca6f18c3fdd85c368b3f6ed0e6

SHA256
50e92930397d1ead5f4eacb63152370f435ebcd690aa65b06f81d233dcc36e1d

SHA512
17872e8ef1f3d7d77b46f39e051943400993505385bba2900613c6a37d5edfb1dbfc4cf93225a17d708bee99fd02f7b767dd1822b8b41d6e326b99fdec3059f8

Download Submit
\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
\Users\Admin\AppData\Local\Temp\AutoHideIP-5.1.4.6.Setup.exe

Filesize
4.7MB

MD5
af9b0676721d2805e4807869b48f2d06

SHA1
bc80036131532d664391ce9bd84eb91f3d821bec

SHA256
b9eff2ba321b839f51fa4929394717afad02dfda90f28ec02182cad8d184d896

SHA512
f2832aad7f5199bc4b89578a43c99f16b751622cc7b3af2f3e508b994102760bacfc354e452f1cc62504087628e921cf53666b24a19fc0cba322ab2ffcbad174

Download Submit
\Users\Admin\AppData\Local\Temp\nst3601.tmp\InstallOptions.dll

Filesize
14KB

MD5
ec48a8204e1aed3d9a951cd92158cbe3

SHA1
0db29522e15448553b697b88b31a3d8392efd933

SHA256
3166399ed2ee296749aa412a4ec70807373b6349e9b94a7fcd97c3418f744f0f

SHA512
9b0ab63fbe4bf89ddf93e5fc6922cc95c0586e21dea945ce04065afd7957bd2472e34c909d356123346f62dee4c6d6077a0072810c91b61ad3df4c168cdb79d5

Download Submit
memory/1284-67-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/1284-69-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/1284-68-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1284-56-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/1284-62-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/1284-59-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download
memory/1284-57-0x0000000000400000-0x00000000008EC000-memory.dmp

Filesize
4.9MB

Download