Analysis
- max time kernel: 91s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2022 05:28
Static task
- static1

Behavioral task
- behavioral1
  Sample: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  Resource: win7-20221111-en

Behavioral task
- behavioral2
  Sample: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  Resource: win10v2004-20220812-en
General
- Target: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
- Size: 22KB
- MD5: 3ab1a46fb93efbf7bcc225b3acb26681
- SHA1: 621516608f11fb501fe76a99670621e74e01a57a
- SHA256: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf
- SHA512: 05bda3a57e51535e6572cc124387baf181af2d3be60766e1f3c3188be98ff8242d159e68e4aa74eda6f9060b1f597ebe24b4cabb649aba0ac10481583550907e
- SSDEEP: 192:+MCSkeJmOat/+Lec8HuPu5PFfuSUYFCh5H4H5sD3SCq5XD4aZI+FSVlUFFKi/wzc:mVOaerRPubuBPHTSC0XEaNS/UFFKi/p
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  description                  | ioc                 | process
  File opened for modification | \??\PhysicalDrive0  | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe

- Runs net.exe

- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe, cmd.exe, net.exe
  description                        | pid  | process                                                               | target process
  PID 1944 wrote to memory of 2848   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
  PID 1944 wrote to memory of 2848   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
  PID 2848 wrote to memory of 4708   | 2848 | cmd.exe                                                               | net.exe
  PID 2848 wrote to memory of 4708   | 2848 | cmd.exe                                                               | net.exe
  PID 4708 wrote to memory of 1976   | 4708 | net.exe                                                               | net1.exe
  PID 4708 wrote to memory of 1976   | 4708 | net.exe                                                               | net1.exe
  PID 1944 wrote to memory of 1972   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
  PID 1944 wrote to memory of 1972   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
  PID 1944 wrote to memory of 2860   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
  PID 1944 wrote to memory of 2860   | 1944 | 667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe | cmd.exe
Processes (tree; indentation shows parent/child depth)
- C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\667de29aacfd4418c1e7612e2beeea40c271e7b7df4261bff0ecfea1e6df15cf.exe"
  Signatures: Writes to the Master Boot Record (MBR); Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c net user 123456
      Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\net.exe
          Command line: net user 123456
          Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\net1.exe
              Command line: C:\Windows\system32\net1 user 123456
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls
    - C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cls