Overview

overview

7

Static

static

1

[email protected]

windows10-1703-x64

7

[email protected]

windows7-x64

6

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    05-04-2023 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    [email protected]

  • Size

    14KB

  • MD5

    19dbec50735b5f2a72d4199c4e184960

  • SHA1

    6fed7732f7cb6f59743795b2ab154a3676f4c822

  • SHA256

    a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

  • SHA512

    aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

  • SSDEEP

    192:sIvxdXSQeWSg9JJS/lcIEiwqZKBkDFR43xWTM3LHn8f26gyr6yfFCj3r:sMVSaSEglcIqq3agmLc+6gyWqFCj

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\[email protected]
    "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\[email protected]
      "C:\Users\Admin\AppData\Local\Temp\[email protected]" /main
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SysWOW64\notepad.exe
        "C:\Windows\System32\notepad.exe" \note.txt
        3⤵
          PID:1176
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://google.co.ck/search?q=how+to+download+memz
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:584
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:584 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1580
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x57c
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1832

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      9844ecd92931aefb60b248739611b9c4

      SHA1

      714a693a89727cfb692b2fa9e3570e4b6ffa7c35

      SHA256

      8df46153bc33a2854adcaa8fe52c2f663af486436ac935358276129df6f6fb39

      SHA512

      ced61498d981386c0793c2abff3e2964ded15ee9ce578dcc8dd85c57dcb987f2d21e19a9bf3022393ec8c958b00f8c39b2d2f8e97d7317edc374d03276b1e61c

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d6fef21af2c0ea77da9003d5ce4e6c9b

      SHA1

      9996d3d6eb6d4476a25aad46c54e9e5dc5e0ba23

      SHA256

      e1d0d6c7dae3585d74c07535d38a71bdf706edaad154b01293e0aa7d7dc20a84

      SHA512

      44739e403690a9f080de4028c21c36e68eff68e70a840199a1f4368cd88d8ce25da262f91135c4e02aea06af312313d6d138c5020d0e19fe847fc17c9503f2ee

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      f906431d75fd832c86fb493846d14216

      SHA1

      8ef1690344c477aca06761f72a429e9e0d9359b5

      SHA256

      9644223d4a67d73cc04a67f742538d435dfcaf361ab6cc03c7526304e6d9f5c7

      SHA512

      afaae6d889b082315ee7876757f009115bf1d0f4ac4fe2a830249ad444b7ca17398fb26c58aef53ccf24d69a325370e2062af3bfc7e6282c910c12b9653d3acb

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      4d63b9762d1d52ebf6d05d52a061aa3d

      SHA1

      03dbac0255ab5b3c6493b4782535877c7787dfe1

      SHA256

      16132033e99b62eb63c1bc9b1cfcb34b237f7f860f7f0f38138cbbfe11df5e93

      SHA512

      ef370d8e672ab1c0c74cf5c92dc3f7772163219a53e1392a48edf11d18ec31ff1afa783eeba30f6902c41d20c3f92c165524b6a22bc6bd2a5050ebb28ece80ef

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      d1f727a23e876b0efa636d9bc5d4d5a5

      SHA1

      0364f249bc985431761ab394ecbec7394e20b2e0

      SHA256

      6ec376e8dcbfb04a765ab8b0827da9e5065cec2ad25d6e506b012cc0c9dd5e0c

      SHA512

      17547246ee6a1327d7bb4095c3e606a30c6e9df6126b7888a319fa1bd92c50038e426fc92b0c7c5ec2a51d2e1d21a01953ce446e0e04590c4628b75fab58f916

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      37bb2ebc45a34aad433db19b303807a4

      SHA1

      e9e5748a21d32073a48db327e3958ae49651826c

      SHA256

      62fdbbddee244fb8e7f7273d3f63d9dd290e4a0e9dc04be02f6c00f7ac4f140f

      SHA512

      3aa2e25fa0aa1fe783d16ac980eef3cb581aac894df02daf9cd44cf90f9c403fbc8dd5be4e17ac4b1f0828127fb03d519c4cc845689af0543edd1e3790157d6b

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\07asiie\imagestore.dat
      Filesize

      9KB

      MD5

      caa36fdcf6351049838143592173ee7e

      SHA1

      8255fc09a314953d28904357d078c6c13219c65d

      SHA256

      b2c8a01e2a9c5bb37661e6dc8cc39e1fb8ff3465955714cb08fce1a065d2ba03

      SHA512

      4c3e6fafb5c2cfa59ef5f8441deb2ac72b26ae40597f8b43b591f181b6a92d23d7bebbc84370f406731835492f742e859b7bdda14b4adb69c98de92e0e3bf945

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\favicon[2].ico
      Filesize

      5KB

      MD5

      f3418a443e7d841097c714d69ec4bcb8

      SHA1

      49263695f6b0cdd72f45cf1b775e660fdc36c606

      SHA256

      6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

      SHA512

      82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\CabBC8.tmp
      Filesize

      61KB

      MD5

      fc4666cbca561e864e7fdf883a9e6661

      SHA1

      2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

      SHA256

      10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

      SHA512

      c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarBC7.tmp
      Filesize

      161KB

      MD5

      73b4b714b42fc9a6aaefd0ae59adb009

      SHA1

      efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

      SHA256

      c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

      SHA512

      73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\TarE3F.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FOKSYQLO.txt
      Filesize

      601B

      MD5

      b25c06067df2b5bcc860bd54ea468810

      SHA1

      776852e3b48b037ac6f7c24543a9a09b35d53e93

      SHA256

      906471ee855b168a69cee7026e40051416c1f3b5f21d6dda7679dbe5afaaff44

      SHA512

      ccb0131772857a07cc4d25dfe8621394f3a74fd7678569f4b2924d51a5aea5a306486d00d82a6025e248c1f98e3d404dcf015b572162b46c90f326d1aa217dac

      Download Submit
    • C:\note.txt
      Filesize

      218B

      MD5

      afa6955439b8d516721231029fb9ca1b

      SHA1

      087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

      SHA256

      8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

      SHA512

      5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

      Download Submit