Overview

overview

8

Static

static

4bbea26455...69.exe

windows7-x64

8

4bbea26455...69.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    10/01/2023, 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4bbea264553c5ab3ada8d5346993841cca5adf69.exe

  • Size

    837KB

  • MD5

    0c7b1f176655930b610a46b5edad4fae

  • SHA1

    4bbea264553c5ab3ada8d5346993841cca5adf69

  • SHA256

    e7a84aae836e84c314c382e2722872cbcffe042fadf539697fa52fa6a40d67b7

  • SHA512

    cd2bb15a70127e467b6151e52f1cd81098db32e37d61ef89886a341d3b2b8448f9199a2a27f6e73883684114c5cd3931a3233fb4983801f5065a61fdbc24a87d

  • SSDEEP

    24576:Ti4/mDs3EjQIXxCbq9EtzaZhES6iNU8576GY:Ti5Ds3mQSCuGzanES6iP

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4bbea264553c5ab3ada8d5346993841cca5adf69.exe
    "C:\Users\Admin\AppData\Local\Temp\4bbea264553c5ab3ada8d5346993841cca5adf69.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1988

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\isecurity.exe
    Filesize

    829KB

    MD5

    9e6a8eb74742ad1e9fa9a1fc09243dde

    SHA1

    e1ae60930afbe752452b185c963ba1a306b976af

    SHA256

    67e681222f6700ee2e0030a2f6c026dc25a5bb5bc26506d67d21cf3c66d8f60a

    SHA512

    cdbedb5c56409447e8c3a554c167d4dedf7b28b90f251ec971f1161b72cf6ba4d43c6bca6f9c7d95060c9fe27008b94d0ac7c2fa079d21c4637c2086de8b1389

    Download Submit

  • \ProgramData\isecurity.exe
    Filesize

    829KB

    MD5

    9e6a8eb74742ad1e9fa9a1fc09243dde

    SHA1

    e1ae60930afbe752452b185c963ba1a306b976af

    SHA256

    67e681222f6700ee2e0030a2f6c026dc25a5bb5bc26506d67d21cf3c66d8f60a

    SHA512

    cdbedb5c56409447e8c3a554c167d4dedf7b28b90f251ec971f1161b72cf6ba4d43c6bca6f9c7d95060c9fe27008b94d0ac7c2fa079d21c4637c2086de8b1389

    Download Submit

  • \ProgramData\isecurity.exe
    Filesize

    829KB

    MD5

    9e6a8eb74742ad1e9fa9a1fc09243dde

    SHA1

    e1ae60930afbe752452b185c963ba1a306b976af

    SHA256

    67e681222f6700ee2e0030a2f6c026dc25a5bb5bc26506d67d21cf3c66d8f60a

    SHA512

    cdbedb5c56409447e8c3a554c167d4dedf7b28b90f251ec971f1161b72cf6ba4d43c6bca6f9c7d95060c9fe27008b94d0ac7c2fa079d21c4637c2086de8b1389

    Download Submit

  • \ProgramData\isecurity.exe
    Filesize

    829KB

    MD5

    9e6a8eb74742ad1e9fa9a1fc09243dde

    SHA1

    e1ae60930afbe752452b185c963ba1a306b976af

    SHA256

    67e681222f6700ee2e0030a2f6c026dc25a5bb5bc26506d67d21cf3c66d8f60a

    SHA512

    cdbedb5c56409447e8c3a554c167d4dedf7b28b90f251ec971f1161b72cf6ba4d43c6bca6f9c7d95060c9fe27008b94d0ac7c2fa079d21c4637c2086de8b1389

    Download Submit

  • memory/1312-54-0x0000000075531000-0x0000000075533000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1312-55-0x0000000000400000-0x00000000004FA000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/1312-64-0x0000000000400000-0x00000000004FA000-memory.dmp

    Filesize

    1000KB

    Download

  • memory/1988-62-0x0000000000400000-0x0000000000A36000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1988-65-0x0000000000400000-0x0000000000A36000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1988-66-0x0000000000400000-0x0000000000A36000-memory.dmp

    Filesize

    6.2MB

    Download