7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44

Analysis

max time kernel
13s
max time network
15s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-04-2023 17:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Size

1.2MB
MD5

e0340f456f76993fc047bc715dfdae6a
SHA1

d47f6f7e553c4bc44a2fe88c2054de901390b2d7
SHA256

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
SHA512

cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
SSDEEP

24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Score

8^/10

bootkit persistence ransomware upx

Malware Config

Signatures

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\EnableEdit.tif.locked	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
File created	C:\Users\Admin\Pictures\GrantStart.raw.locked	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
File created	C:\Users\Admin\Pictures\PublishSwitch.png.locked	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
File created	C:\Users\Admin\Pictures\SaveHide.crw.locked	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

Executes dropped EXE 3 IoCs

Processes:

protect.exeassembler.exeoverwrite.exe

pid process

1428 protect.exe
1116 assembler.exe
2016 overwrite.exe

Loads dropped DLL 5 IoCs

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

pid	process
1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1968-101-0x00000000000D0000-0x000000000035E000-memory.dmp	upx
behavioral1/memory/1968-252-0x00000000000D0000-0x000000000035E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

overwrite.exe

description ioc process

File opened for modification \??\PhysicalDrive0 overwrite.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 5 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\98379046\protect.exe	autoit_exe
C:\Users\Admin\98379046\protect.exe	autoit_exe
C:\Users\Admin\98379046\protect.exe	autoit_exe
behavioral1/memory/1968-101-0x00000000000D0000-0x000000000035E000-memory.dmp	autoit_exe
behavioral1/memory/1968-252-0x00000000000D0000-0x000000000035E000-memory.dmp	autoit_exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

protect.exe

pid	process
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe
1428	protect.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

pid process

1968 1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 9799832789535366509	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 58873693722225944	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE
Token: 33	1908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1908	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe

description	pid	process	target process
PID 1968 wrote to memory of 1428	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	protect.exe
PID 1968 wrote to memory of 1428	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	protect.exe
PID 1968 wrote to memory of 1428	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	protect.exe
PID 1968 wrote to memory of 1428	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	protect.exe
PID 1968 wrote to memory of 1116	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	assembler.exe
PID 1968 wrote to memory of 1116	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	assembler.exe
PID 1968 wrote to memory of 1116	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	assembler.exe
PID 1968 wrote to memory of 1116	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	assembler.exe
PID 1968 wrote to memory of 2016	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	overwrite.exe
PID 1968 wrote to memory of 2016	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	overwrite.exe
PID 1968 wrote to memory of 2016	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	overwrite.exe
PID 1968 wrote to memory of 2016	1968	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe	overwrite.exe

C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
"C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\98379046\protect.exe
"C:\Users\Admin\98379046\protect.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Users\Admin\98379046\assembler.exe
"C:\Users\Admin\98379046\assembler.exe" -f bin "C:\Users\Admin\98379046\boot.asm" -o "C:\Users\Admin\98379046\boot.bin"
2⤵
- Executes dropped EXE
PID:1116

C:\Users\Admin\98379046\overwrite.exe
"C:\Users\Admin\98379046\overwrite.exe" "C:\Users\Admin\98379046\boot.bin"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2016

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\98379046\assembler.exe
Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
C:\Users\Admin\98379046\assembler.exe
Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
C:\Users\Admin\98379046\boot.asm
Filesize
825B

MD5
def1219cfb1c0a899e5c4ea32fe29f70

SHA1
88aedde59832576480dfc7cd3ee6f54a132588a8

SHA256
91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

SHA512
1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

Download Submit
C:\Users\Admin\98379046\boot.bin
Filesize
512B

MD5
90053233e561c8bf7a7b14eda0fa0e84

SHA1
16a7138387f7a3366b7da350c598f71de3e1cde2

SHA256
a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

SHA512
63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

Download Submit
C:\Users\Admin\98379046\overwrite.exe
Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
C:\Users\Admin\98379046\overwrite.exe
Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
C:\Users\Admin\98379046\protect.exe
Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
C:\Users\Admin\98379046\protect.exe
Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
\Users\Admin\98379046\assembler.exe
Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
\Users\Admin\98379046\assembler.exe
Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
\Users\Admin\98379046\overwrite.exe
Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
\Users\Admin\98379046\overwrite.exe
Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
\Users\Admin\98379046\protect.exe
Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
memory/832-253-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/1116-90-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/1684-254-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/1968-101-0x00000000000D0000-0x000000000035E000-memory.dmp

Filesize
2.6MB

Download
memory/1968-252-0x00000000000D0000-0x000000000035E000-memory.dmp

Filesize
2.6MB

Download
memory/2016-100-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads