Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29-03-2023 02:37

General

  • Target

    e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe

  • Size

    1.4MB

  • MD5

    8a4d81dbc2c12e6c1dca9822d8d4e373

  • SHA1

    fba629cce2b148d7220088421b031cb8d6cdbdeb

  • SHA256

    e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b

  • SHA512

    9962187b57da69b0bf2da2e4ea12cdfda2c4f5a531ed1cea5b2d95087e4973af5e7c970c490f08728d1ef15b38b303f6666304b833e73cff2ee62d9f93e9f586

  • SSDEEP

    24576:qjpl25IzQ4JnFbMzqaIYtWXwjqebU0XvgwuQ9PrEfAHAKF/:qjPOkFSqa3tWXwFbdXIwu0Ik/

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 2 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe
    "C:\Users\Admin\AppData\Local\Temp\e9469fbac29978f34cd6603768086ce17ad0808376ba203c70964f42a318c86b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:932
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\system32\attrib.exe
        attrib +h "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000"
        3⤵
        • Views/modifies file attributes
        PID:4512
    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\temp\cpuz_driver_4244.log
        3⤵
        • Opens file in notepad (likely ransom note)
        PID:552

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    T1067 Bootkit (1)
    T1158 Hidden Files and Directories (1)
  • Defense Evasion
    T1158 Hidden Files and Directories (1)
  • Discovery
    T1012 Query Registry (2)
    T1082 System Information Discovery (3)
    T1120 Peripheral Device Discovery (1)

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz.ini
    Filesize

    48B

    MD5

    70a3a3428b742aeff30451ef3df6aa76

    SHA1

    70a2f56779d831aa51fcd4cab11fee51edca145e

    SHA256

    a67f746b3db06b634cec9604b7c37b4b0a783cb2cbddad8818ad04e0db6b1c90

    SHA512

    e2fbdbe6cd4aaf8401c261b08bc60723d832d087ff06c7882aa21fbf06916522ab5115a37ae312d39102037f12bd1f7fd60d24e1c934f135c4d81a6f52c091c8

  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\cpuz_x64.exe
    Filesize

    4.3MB

    MD5

    0035ba75c4387f632654db37899e74a7

    SHA1

    f2bd794e308155e56d5e9829ee229170d0b4414c

    SHA256

    8e42ad74b41fa853204b9e3e5af9db401c07f5ccfb82362ee66673662236ad3a

    SHA512

    a1e839fc3ea72a4c001ac4d62fa3f209812fb1badbaee47bd10ad6156b2cbf7746abda152217b26fc94ef73ac9047b5e3cc8f468380d92b8d3851a0dab54f91c

  • C:\Windows\Temp\cpuz_driver_4244.log
    Filesize

    2KB

    MD5

    4d54ea26e39e526e7d3323f13402aecc

    SHA1

    f571b948748dce4232a74ffa093bb13a598814d9

    SHA256

    bd24648bcb24c20db4ca7a9ce7179e1a0a9c71492d91d006dd951fd3bcabcbfa

    SHA512

    f38192de4e1102eef70bcba101564dcff036c272b9cf57483a423bb64ccfd1892330042b9b4b452007daf6d241e448258ba1b4596040e88e9977381b7e7ffe96

  • C:\Windows\temp\cpuz_driver_4244.log
    Filesize

    2KB

    MD5

    8c2d5575dce6ddcff8f2f9cd65e54dfb

    SHA1

    ea1b0275aef4afb74154dd8264958b331ca41190

    SHA256

    d3697fe634ee61a1c9b99c9fbeb079922fa15bd3b9e8919bf71b6460e5944a62

    SHA512

    88ed55bbcd7ae50fb1024b39fadb2587de8c4aaf63f6e35d3c5d64ef2fb8d49728e62c322cafd3c90c086f5f26250138733e160613efbafc321c4ea6ebfc849e

  • memory/932-133-0x0000000000400000-0x000000000045F000-memory.dmp
    Filesize

    380KB

  • memory/932-192-0x0000000000400000-0x000000000045F000-memory.dmp
    Filesize

    380KB