Analysis
-
max time kernel
41s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted
29-01-2023 17:42
Static task
static1
Behavioral task
behavioral1
Sample
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
Resource
win7-20220812-en
General
-
Target
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
-
Size
286KB
-
MD5
2ea0561bb3cdae9cf682703de2933a43
-
SHA1
827696cf98926dea8bfde038de228b7778d0ff56
-
SHA256
f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e
-
SHA512
e6fac7e489e967cb2174016e3236b0acfe60625b8286bc35dd35c0c5cd5716b284891f68033b05b211380dd135aabd93ff25e18ed8ddeb0c536e29bbc7f92cdb
-
SSDEEP
6144:FBeVV56G+JCBe35SVPilxd50wX2n9RzozaFCu6/u3W:FBgVNPwdR2oOkuku3W
Malware Config
Extracted
Family: gootkit
vendor_id: 6546
Domains: servicemanager.icu, partnerservice.xyz
Signatures
-
Checks BIOS information in registry (2 TTPs, 1 IoC)
BIOS vendor and version strings are commonly read to fingerprint virtual machines and sandboxes, whose BIOS identifiers differ from those of physical hardware.
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Process: f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
Note: this is a read of an existing value, captured by the sandbox's API monitoring; default Sysmon registry events (key/value create, delete, set, rename) do not record reads, so this indicator will not appear in Sysmon telemetry.
Deletes itself (1 IoC)
pid 1352, cmd.exe: runs the dropped batch file 7076876.bat with the sample's own path as its argument. The batch first clears the read-only, system and hidden attributes on the sample via attrib.exe, a prerequisite for removing it because del refuses to delete read-only files.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). This generic heuristic is often associated with ransomware, but no file encryption or mass file modification is recorded in this run; drive enumeration is also a common sandbox/VM fingerprinting step and fits the BIOS check above.
-
Suspicious use of WriteProcessMemory (8 IoCs)
pid 1636 (f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe) wrote to memory of pid 1352 (cmd.exe), procid_target 27: 4 events
pid 1352 (cmd.exe) wrote to memory of pid 952 (attrib.exe), procid_target 29: 4 events
In both cases the target is a child the writer had just created. Writes of that shape can also be produced by ordinary process start-up, when the parent populates the new process's parameters, so they are not evidence of code injection on their own; no write into an unrelated, pre-existing process is recorded here.
Views/modifies file attributes (1 TTP, 1 IoC)
pid 952, attrib.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
  PID: 1636
  - Checks BIOS information in registry
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7076876.bat" "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe""
    PID: 1352
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe"
      PID: 952
      - Views/modifies file attributes
The children are spawned from SysWOW64, so the sample is a 32-bit executable running on the x64 host (consistent with the arch:x86 resource tag).
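The "Deletes itself" signature and the cmd.exe -> attrib.exe chain in the process tree are the classic batch-file self-deletion pattern: the sample launches cmd.exe on a dropped .bat, passing its own path, and the batch clears the file's attributes before removing it. The Python below is an added example, not part of the sandbox report or of any vendor's detection content. It flags that three-hop chain over constructed process-creation events modelled on the report's PIDs and command lines; the minimal event schema (pid, ppid, image, cmdline) and the benign build-script events used as noise are assumptions. It keys on the whole chain rather than on attrib.exe alone, because attrib -r -s -h by itself is common in legitimate scripts.

```python
"""Detect the self-deletion chain recorded in this report:
sample.exe -> cmd.exe /c "<tmp>.bat" "<sample path>" -> attrib.exe -r -s -h "<sample path>".
Events are constructed for this example; the field names (pid, ppid, image, cmdline)
are an assumed minimal schema, not any particular EDR or Sysmon format."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f1b2446558e35df613366ca1bff2e0120113e21aa593c4f1f449f1e554d1dc3e.exe")
BAT = r"C:\Users\Admin\AppData\Local\Temp\7076876.bat"

# Constructed events mirroring the report's process tree (PIDs from the report),
# followed by benign noise from a build script that must not be flagged.
EVENTS: List[ProcEvent] = [
    ProcEvent(1636, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1352, 1636, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + BAT + '" "' + SAMPLE + '""'),
    ProcEvent(952, 1352, r"C:\Windows\SysWOW64\attrib.exe",
              'attrib -r -s -h "' + SAMPLE + '"'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe",
              r'cmd /c "C:\build\run.bat"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\attrib.exe",
              r'attrib +r "C:\build\out.txt"'),
]

QUOTED = re.compile(r'"([^"]+)"')


def quoted_paths(cmdline: str) -> List[str]:
    """Return the double-quoted arguments of a command line, lower-cased for comparison."""
    return [p.lower() for p in QUOTED.findall(cmdline)]


def attrib_clears_rsh(cmdline: str) -> bool:
    """True when attrib is asked to clear the read-only, system and hidden bits,
    the preparation `del` needs because it refuses to remove read-only files."""
    flags = {t.lower() for t in cmdline.split() if len(t) == 2 and t[0] in "-+"}
    return {"-r", "-s", "-h"} <= flags


def find_self_delete_chains(events: List[ProcEvent]) -> List[Dict[str, int]]:
    """Flag attrib.exe -r -s -h on an .exe when its parent is cmd.exe running a .bat
    that names that same .exe, and the grandparent *is* that .exe."""
    by_pid = {e.pid: e for e in events}
    hits: List[Dict[str, int]] = []
    for ev in events:
        if not ev.image.lower().endswith(r"\attrib.exe") or not attrib_clears_rsh(ev.cmdline):
            continue
        targets = [p for p in quoted_paths(ev.cmdline) if p.endswith(".exe")]
        if not targets:
            continue
        target = targets[0]
        parent = by_pid.get(ev.ppid)
        if parent is None or not parent.image.lower().endswith(r"\cmd.exe"):
            continue
        parent_args = quoted_paths(parent.cmdline)
        if not any(a.endswith(".bat") for a in parent_args) or target not in parent_args:
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or grandparent.image.lower() != target:
            continue
        hits.append({"sample_pid": grandparent.pid, "cmd_pid": parent.pid, "attrib_pid": ev.pid})
    return hits


if __name__ == "__main__":
    for hit in find_self_delete_chains(EVENTS):
        print("self-deletion chain:", hit)
```

Run against the constructed events, only the 1636 -> 1352 -> 952 chain is reported; the build-script cmd.exe/attrib.exe pair is ignored because it neither clears all three attributes nor names its own grandparent. In a real hunt, feed the function process-creation events (for example Sysmon Event ID 1, mapped onto the same four fields) and consider also requiring the .bat to live under a user-writable temp directory, as it does here.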
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 72B
MD5: 7dc5cd6c3a9e7b5a1e51cf7e6a8a2e68
SHA1: 125b2d5a82e1cedcb03f187f75794ae55e7df617
SHA256: 3227f23f12b2ae5b620cbe398976c865a8f0eae1c453a2fc8d3aac1e5c12c90c
SHA512: f280b22bd64bab9bf11b489f96b8fff2196f09aca855a3e61803fe75c5aa31c7e759d5aa9c9a243f84df04685e858280695a324d2668b396b9ebdf22a0e01098