Analysis
max time kernel: 28s
max time network: 31s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2022 05:28
Static task: static1
Behavioral task: behavioral1
  Sample: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  Resource: win10v2004-20220812-en
General
Target: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
Size: 22KB
MD5: 3ab1a46fb93efbf7bcc225b3acb26681
SHA1: 621516608f11fb501fe76a99670621e74e01a57a
SHA256: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf
SHA512: 05bda3a57e51535e6572cc124387baf181af2d3be60766e1f3c3188be98ff8242d159e68e4aa74eda6f9060b1f597ebe24b4cabb649aba0ac10481583550907e
SSDEEP: 192:+MCSkeJmOat/+Lec8HuPu5PFfuSUYFCh5H4H5sD3SCq5XD4aZI+FSVlUFFKi/wzc:mVOaerRPubuBPHTSC0XEaNS/UFFKi/p
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
description                   | ioc                 | process
File opened for modification  | \??\PhysicalDrive0  | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe

Runs net.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe, cmd.exe, net.exe
description                        | pid  | process                                                                  | target process
PID 2044 wrote to memory of 1788   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1788   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1788   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 1788 wrote to memory of 1764   | 1788 | cmd.exe                                                                  | net.exe
PID 1788 wrote to memory of 1764   | 1788 | cmd.exe                                                                  | net.exe
PID 1788 wrote to memory of 1764   | 1788 | cmd.exe                                                                  | net.exe
PID 1764 wrote to memory of 1740   | 1764 | net.exe                                                                  | net1.exe
PID 1764 wrote to memory of 1740   | 1764 | net.exe                                                                  | net1.exe
PID 1764 wrote to memory of 1740   | 1764 | net.exe                                                                  | net1.exe
PID 2044 wrote to memory of 1176   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1176   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1176   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1340   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1340   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
PID 2044 wrote to memory of 1340   | 2044 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c net user 123456
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\net.exe
          command line: net user 123456
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 user 123456

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c cls