Analysis

  • max time kernel
    150s
  • max time network
    72s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-01-2023 02:34

General

  • Target

    d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe

  • Size

    838KB

  • MD5

    4a9fa940e898ebcc4f723cad30f0ad07

  • SHA1

    d4bf4aa1811c33145d8fd41966f28fd5cdae2f88

  • SHA256

    e1a4f84716f597d3bdb3097fd7d3cf6db230f853c2719156cc5a1ae1b7b5051c

  • SHA512

    c23c3bbfda82df201f5f5ea429e0aa6c14ccfd8cbd43addbbfc5d77dfa0717ed02d60c7ab8a581cdfc651653223b339246374bd892cb7c546b5245e1ea0206bc

  • SSDEEP

    12288:SXo30W26PmYn4QqWJgksAQYUT6eETMaICXadZe09CKEvYzQq6E+UFRZECNzYlL:SXo526e49CbaMavt0IfY8vE+MRGizML

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of FindShellTrayWindow 12 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe
    "C:\Users\Admin\AppData\Local\Temp\d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:988

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 1
    • Bootkit (T1067): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Discovery
    • Query Registry (T1012): 1
    • Peripheral Device Discovery (T1120): 1
    • System Information Discovery (T1082): 2


Downloads

  • C:\ProgramData\isecurity.exe
    Filesize

    830KB

    MD5

    3f6a90e1ac85e296d3da4283ada9eaf2

    SHA1

    ee32ce828dd445a4e45b057a68af8e9fde79d42a

    SHA256

    ce0075e8ab4c6c5455b362c35e077ed409cef1c31f3ea5e1a7b007eaefc22757

    SHA512

    bfdb6a57c4673ff209272279174305e9d19c54a569ca63b030be85f05cbc0c4845aa2447449def390a9b7356511950c65481505ec75f0eaefa65c5c1dfd208ac

  • \ProgramData\isecurity.exe
    Filesize

    830KB

    MD5

    3f6a90e1ac85e296d3da4283ada9eaf2

    SHA1

    ee32ce828dd445a4e45b057a68af8e9fde79d42a

    SHA256

    ce0075e8ab4c6c5455b362c35e077ed409cef1c31f3ea5e1a7b007eaefc22757

    SHA512

    bfdb6a57c4673ff209272279174305e9d19c54a569ca63b030be85f05cbc0c4845aa2447449def390a9b7356511950c65481505ec75f0eaefa65c5c1dfd208ac

  • memory/988-59-0x0000000000000000-mapping.dmp
  • memory/988-62-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/988-65-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/988-66-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/1264-54-0x0000000076711000-0x0000000076713000-memory.dmp
    Filesize

    8KB

  • memory/1264-55-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB

  • memory/1264-64-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB