Analysis

  • max time kernel
    135s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20230220-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    30/04/2023, 22:18

General

  • Target

    krnl_bootstrapper.exe

  • Size

    1.2MB

  • MD5

    f14153bbd95fc26d9ccea77c49cf09b9

  • SHA1

    cb59f900711ea751c4322b4dab50fa2c0ee70b33

  • SHA256

    27eab496d0b63d52c18cee063110d9d479523b58426bfcb58e420a5cae087c54

  • SHA512

    7f7618cf6f15d85e82cbfff07ca6e1df0aa763d64d6a37fb659f1612b950d16a15b723ec053765e991485e74a7301617019b166dcaa759ed6f1a281a9ebc4ed0

  • SSDEEP

    12288:aBVCrK2jsP3zv+FSF68GANNhWLS0B6L+FOCN+AzrnxdanvzFzho:SU7ecSgL6y+gk+rnxdarFu

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\Documents\krnl\7za.exe
      "C:\Users\Admin\Documents\krnl\7za.exe" x "C:\Users\Admin\Documents\krnl\bin\Monaco.zip" -o"C:\Users\Admin\Documents\krnl\bin" -aoa -bsp1
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3860
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 2428
      2⤵
      • Program crash
      PID:2556
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3160
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1816 -ip 1816
    1⤵
    PID:4464
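The process tree above is the part of this report a detection engineer would turn into rules: a binary under the user's profile executed by a parent living in %TEMP%, a 7-Zip CLI extraction with overwrite into the user profile, and two WerFault invocations whose `-p` argument points back at the crashed bootstrapper. The following is an added example, not code from the sandbox or from the report; the event list is constructed from the command lines and PIDs shown above, the field names (`pid`, `ppid`, `image`, `cmdline`) and rule names are this example's own, and the parents of PID 3160 and PID 4464 are set to `None` because the report does not show them.

```python
"""Process-tree detection rules over the events listed in the report above.

Added example; not the sandbox's own signature logic. EVENTS is constructed
from the Processes section; the schema and rule names are assumptions.
"""
import ntpath
import re

EVENTS = [
    {"pid": 1816, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\krnl_bootstrapper.exe"'},
    {"pid": 3860, "ppid": 1816,
     "image": r"C:\Users\Admin\Documents\krnl\7za.exe",
     "cmdline": r'"C:\Users\Admin\Documents\krnl\7za.exe" x '
                r'"C:\Users\Admin\Documents\krnl\bin\Monaco.zip" '
                r'-o"C:\Users\Admin\Documents\krnl\bin" -aoa -bsp1'},
    {"pid": 2556, "ppid": 1816,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 2428"},
    {"pid": 3160, "ppid": None,  # parent not shown in the report
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,"
                r"SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"pid": 4464, "ppid": None,  # parent not shown in the report
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1816 -ip 1816"},
]

USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SEVENZIP_OUT = re.compile(r'-o(?:"([^"]+)"|(\S+))')       # 7-Zip -o<dir> / -o"<dir>"
WERFAULT_PID = re.compile(r"(?:^|\s)-p\s+(\d+)(?=\s|$)")  # WerFault -p <faulting pid>


def rule_dropped_exe(ev, index):
    """Image under a user profile, started by a parent running out of %TEMP%."""
    parent = index.get(ev["ppid"])
    if parent and USER_PROFILE.match(ev["image"]) and TEMP_DIR.search(parent["image"]):
        return "dropped_exe_from_temp_parent"
    return None


def rule_archive_extract(ev, index):
    """7-Zip CLI extracting into the user profile with silent overwrite (-aoa)."""
    if ntpath.basename(ev["image"]).lower() not in ("7z.exe", "7za.exe", "7zr.exe"):
        return None
    m = SEVENZIP_OUT.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1) or m.group(2)
    if USER_PROFILE.match(target) and "-aoa" in ev["cmdline"].split():
        return "archive_extracted_to_user_profile_overwrite"
    return None


def rule_werfault_crash(ev, index):
    """WerFault whose -p argument names a process that runs from %TEMP%."""
    if ntpath.basename(ev["image"]).lower() != "werfault.exe":
        return None
    m = WERFAULT_PID.search(ev["cmdline"])
    faulting = index.get(int(m.group(1))) if m else None
    if faulting and TEMP_DIR.search(faulting["image"]):
        return "crash_of_process_in_temp"
    return None


RULES = (rule_dropped_exe, rule_archive_extract, rule_werfault_crash)


def run_rules(events):
    """Return (pid, rule_name) for every rule that fires on every event."""
    index = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev, index)
            if name:
                hits.append((ev["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, name in run_rules(EVENTS):
        print(pid, name)
```

Run as-is it reports PID 3860 twice (dropped EXE from a %TEMP% parent; extraction into the profile with `-aoa`) and both WerFault processes, since each carries `-p 1816`. The rundll32 line produces no hit: `shell32.dll,SHCreateLocalServerRunDll {CLSID} -Embedding` is the normal way Windows hosts an out-of-process shell COM server, so the rules are written not to alert on it.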

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Documents\krnl\7za.exe

    Filesize

    628KB

    MD5

    ec79cabd55a14379e4d676bb17d9e3df

    SHA1

    15626d505da35bfdb33aea5c8f7831f616cabdba

    SHA256

    44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

    SHA512

    00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

  • C:\Users\Admin\Documents\krnl\bin\Monaco.zip

    Filesize

    641KB

    MD5

    1a19fd7c42169c76e75e685dca02c190

    SHA1

    f16b4697bcd348d44965bf9ded731523db9bd606

    SHA256

    d686209afbbe718dc0506356e934ff190c1259a174aba12ef40a2fe7a014a331

    SHA512

    93d27188aab662ffffd78cfc31d100f161656ef37fe4f420a2cc2d514c935bce85b1e9b54eb374c94ba0ac75d0624e24676f8e359c32c9d3485aa5d7bbb14dd4

  • memory/1816-133-0x0000000000450000-0x000000000057A000-memory.dmp

    Filesize

    1.2MB

  • memory/1816-134-0x0000000002A00000-0x0000000002A10000-memory.dmp

    Filesize

    64KB

  • memory/1816-135-0x00000000097B0000-0x00000000097B8000-memory.dmp

    Filesize

    32KB

  • memory/1816-136-0x0000000009880000-0x00000000098B8000-memory.dmp

    Filesize

    224KB

  • memory/1816-137-0x0000000009860000-0x000000000986E000-memory.dmp

    Filesize

    56KB
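The Downloads section mixes two kinds of artefact: dropped files with full hash sets (the report lists 7za.exe twice with identical hashes) and memory dumps whose name encodes the PID, a sequence number and the address range that was dumped. The parser below is an added example, not code from the sandbox; it turns the section into deduplicated hash IOCs and checks that each dump's address range agrees with the Filesize the report prints for it. `REPORT_DOWNLOADS` is copied from the entries above (SHA1 and SHA512 lines dropped to keep the sample short); the bullet-then-label/value layout is an assumption about how the page renders, and the record field names are this example's own.

```python
"""Parse the Downloads section of a sandbox report into IOC records.

Added example, not the sandbox's own code. REPORT_DOWNLOADS is copied from
the report above with some hash lines omitted; layout and field names are
assumptions.
"""
import re

REPORT_DOWNLOADS = r"""
• C:\Users\Admin\Documents\krnl\7za.exe
  Filesize
  628KB
  MD5
  ec79cabd55a14379e4d676bb17d9e3df
  SHA256
  44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d
• C:\Users\Admin\Documents\krnl\7za.exe
  Filesize
  628KB
  MD5
  ec79cabd55a14379e4d676bb17d9e3df
  SHA256
  44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d
• C:\Users\Admin\Documents\krnl\bin\Monaco.zip
  Filesize
  641KB
  MD5
  1a19fd7c42169c76e75e685dca02c190
  SHA256
  d686209afbbe718dc0506356e934ff190c1259a174aba12ef40a2fe7a014a331
• memory/1816-133-0x0000000000450000-0x000000000057A000-memory.dmp
  Filesize
  1.2MB
• memory/1816-134-0x0000000002A00000-0x0000000002A10000-memory.dmp
  Filesize
  64KB
"""

ENTRY = re.compile(r"^•\s*(.+)$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
SIZE = re.compile(r"^(\d+(?:\.\d+)?)\s*(B|KB|MB|GB)$", re.IGNORECASE)
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
HASH_WIDTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_size(text):
    """'628KB' -> 643072; the report rounds, so treat the result as approximate."""
    m = SIZE.match(text.strip())
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def parse_downloads(text):
    """One {"name", "fields"} record per bullet; labels and values alternate lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = ENTRY.match(lines[i])
        if m:
            records.append({"name": m.group(1).strip(), "fields": {}})
            i += 1
            continue
        if not records or i + 1 >= len(lines):
            raise ValueError("label without entry or value near line %d" % i)
        records[-1]["fields"][lines[i]] = lines[i + 1]
        i += 2
    return records


def to_iocs(records):
    """Split records into deduplicated file IOCs and memory-dump regions."""
    files, regions = {}, []
    for rec in records:
        name, fields = rec["name"], rec["fields"]
        listed = parse_size(fields["Filesize"])
        m = MEMDUMP.match(name)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end,
                            "length": end - start, "listed_size": listed})
            continue
        hashes = {}
        for label, width in HASH_WIDTH.items():
            if label in fields:
                value = fields[label].lower()
                if not re.fullmatch("[0-9a-f]{%d}" % width, value):
                    raise ValueError("malformed %s for %s" % (label, name))
                hashes[label] = value
        key = hashes.get("SHA256", name)
        if key not in files:  # the report repeats 7za.exe; keep the first copy
            files[key] = {"path": name, "size": listed, "hashes": hashes}
    return list(files.values()), regions


def region_size_consistent(region, tolerance=0.1):
    """0x57A000-0x450000 is 0x12A000 bytes, printed as 1.2MB: allow rounding."""
    return abs(region["length"] - region["listed_size"]) <= tolerance * region["listed_size"]


if __name__ == "__main__":
    files, regions = to_iocs(parse_downloads(REPORT_DOWNLOADS))
    for f in files:
        print(f["path"], f["size"], f["hashes"].get("SHA256"))
    for r in regions:
        print("pid %d 0x%x-0x%x (%d bytes) size_ok=%s"
              % (r["pid"], r["start"], r["end"], r["length"], region_size_consistent(r)))
```

Keying the file table on SHA256 rather than on path is what collapses the duplicated 7za.exe entry; a second drop of a different file at the same path would still be kept. The region check is deliberately tolerant because the report prints rounded sizes, so a dump whose range and listed size disagree by more than 10% is worth a second look rather than an automatic error.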