Analysis
- max time kernel: 30s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-04-2023 16:51
Static task
- static1

Behavioral tasks
- behavioral1: Sample infected (2)/1/Application.exe, Resource win7-20230220-en
- behavioral2: Sample infected (2)/1/Application.exe, Resource win10v2004-20230220-en
- behavioral3: Sample infected (2)/1/XLGameUpdate.exe, Resource win7-20230220-en
- behavioral4: Sample infected (2)/1/XLGameUpdate.exe, Resource win10v2004-20230220-en
- behavioral5: Sample infected (2)/2/Console.exe, Resource win7-20230220-en
- behavioral6: Sample infected (2)/2/Console.exe, Resource win10v2004-20230220-en
General
- Target: infected (2)/1/Application.exe
- Size: 566KB
- MD5: d39006b5f48fb225c61b75414c712a58
- SHA1: 7eb5c3dda79df5a2e958ba34e3d43c19b4bb7b4b
- SHA256: c936f1598721a9a92d7f31c6c13b55013b8a2a344e3df4156e5b033006336544
- SHA512: e91e47d6c11878a5a92cd6afb56b09a34c273784d00482ffe7bfbdf516b6e072083290cf5b27554d5614b13e6a8a9bfa5dce5cc6ce2f91bc3e5a98d326d27011
- SSDEEP: 12288:4SL9St9NTTTQnGBxUAh8qVoxZBlgNuyfOuZzUbA5Od1Dbp6C2H:dLEt9NTnQcxVofAEIYkybp12H
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description | ioc | process):
    File opened for modification | \??\PhysicalDrive0 | Application.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 2000 wrote to memory of 980 | 2000 | Application.exe | XLGameUpdate.exe
    (the same entry is recorded 7 times, one per IoC)
Processes
- (level 1) C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\1\Application.exe"
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
- (level 2) C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\infected (2)\1\XLGameUpdate.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2000-54-0x000000006CE10000-0x000000006CE20000-memory.dmp (Filesize: 64KB)