Overview

overview

7

Static

static

7

Aws.exe

windows7-x64

6

Aws.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    100s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2023 16:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Aws.exe

  • Size

    717KB

  • MD5

    8f903f5e72c2e75be929ba9387eca6e0

  • SHA1

    35f72f4c3cd30b4edcbefdcfa1e6eb4005c9dbab

  • SHA256

    507462d586444bb57dfc8a7962a018c30891855e1187f79472eb87bacd346389

  • SHA512

    ce8c33dda613d79ecdcb2e8483f541deeb6d6e57f070ab128600369bf506c2c466385a015ce8b2d3209e5b470edf6b604cfed3fd99efe5ac5b5b42aa38b524ce

  • SSDEEP

    12288:EAjq4FpXdEQVyDLYRx1DOkl4vF4iPlAVrV2nc9dnbPk41C5DJsJNQ:7+mXmtLYRKkI4ilAV0nIRbkhJ3

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Aws.exe
    "C:\Users\Admin\AppData\Local\Temp\Aws.exe"
    1⤵
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:272
    • \??\c:\program files\internet explorer\iexplore.exe
      "c:\program files\internet explorer\iexplore.exe" Http://10.127.0.83:80/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:972
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:972 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    58553f88ae28b15a758eee6829c1edea

    SHA1

    b2d2bd5652ef472ffdeb2584dd2fc4b509c58a0e

    SHA256

    5356fdb574561c47a5a2408116a846894f03c6d04d478699cc32fe681c0635bb

    SHA512

    4ef0fad36d0c2116f90bf8ee0d0431f0dbaa6e3b5789a0a1beeece7441f23c8e83efe9bf07ce746bcbca7de3bf7fef10efec2f42de4cc4c28b08f8d0e3f4be49

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    73ee64933bca3246040385844d11e4d7

    SHA1

    10e4a90e74d4d35219fc7e9f4bf899c6ac61cf6d

    SHA256

    71889b2067e8b0840b6b1db94ed497affd3d762eb16371f015f2a4a0463804bd

    SHA512

    c0ab94b97b526289d1779dc638d66e0f52454ff262ba82e7c0c8c398f7969bb3b96fe2066625cb81a9b191de0f442ba736eb8bd0ceb00be4a965d9b525460451

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    264177dc62d7aff7bfed76dba3771ff4

    SHA1

    4c05e4b9ab62649c577e04547478ca68c0d9a689

    SHA256

    11ee7171eda73ae3c7616581d1b589fd8f2be67a078cd03e4035dcc1e5350e7d

    SHA512

    d76990ec8df0a339d669312e8bed51d0058a21db2d7e6f75006722aa87f8a840d6983ae8fc886ee2da9f52d788f53bbe6e6cfffd1ff1da08d892382461c8ace6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1e913b57515a559bb86f1dafad97e101

    SHA1

    5ad4866601c3ebe61913b53df3c7fcf454eedadb

    SHA256

    33801447c79451eb3ceecf94e8e84fa2e1131f17a4a4e95d2b1109aaee60cea1

    SHA512

    c50f237b7aab8feb5d4062cbb4911a5a023b036cb219f005e0eeec7960770e058ea592ee52d05a9c95895c71de3086108330110917b93db731c516cf0c2b1a61

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    6a968896f86fa159a0488eadd97f9315

    SHA1

    7c7c2160bf44f8444597864eb05f566e91df8523

    SHA256

    b1cf7a80796d33c8a91757613e9b74d7166e159faeb9a95dda68a8a2d3dd77ad

    SHA512

    ca6864146f2fe8043c19d4cdff3bbb29282bae451abef18706291e1605c7962db39014dc37dca7307c355d2ad3bbf6d7d4a6a8106a8e2670a87f19f998c78431

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    e66c94eceec41ee0774de12877e424b6

    SHA1

    b8e510927a1ef1eeba098f7c3e302588ae7980b5

    SHA256

    15171a1ba2fe4494a55c3b0e8eaf70d8cf35ce995339dfb3db12f4acf8a0c5ef

    SHA512

    8fb26610297944a0506f520bdbcc8d49b05819b88b7fcea556446cafb6385f981a92018a7f6a07432ebcd5255a5270a244c0c6cf2e011bbbd4bbddadfa3db35d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    5546e6e1f283254c448ea15792a36cb7

    SHA1

    d4b4bb5bf860f5c90a605d0943090766f79b1f5c

    SHA256

    aeffc321e0185528733635b6346012c238792e427d4dcfb125ce3d9932b66644

    SHA512

    6439d6e25efb7b7292107780954cd615c84a8de38e709a8d9f3c26cbe69a52137bd37bd8c891ca90312f9bc8502130f498fd4ebfc3e9146d4e620634b01052d6

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    b3378070e22a9195f53c2ea5bdd1e31d

    SHA1

    ce5d147aa04ba09e31947233235f66d8f5688e3b

    SHA256

    87ea92c38f11d6663977ebefba1da46d2b265413b51d1276cdd791abb93856c6

    SHA512

    1e59f1b4f4aeaeb27c48a6243835ac110f892833ac8fd3f43585fe6032a9c25940102a1f53c554079f8caf625955950e4b48d8597aa4dc6d7d5f15047625c552

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    18eb4d8d4a97aed6a465742bbd8e4e3b

    SHA1

    df94c19194f8782a7cbf332c70824937aaa65b23

    SHA256

    ca6b80e8e0a112bc0cfd99cd87796b6fe94d45d47ae692ab155085bb504fa3d4

    SHA512

    b920fb094af608bb9755882415f4a5478af659b0e4764dfd322eac2015279ea93d3a146d77fdd0075cef68c9e53e8cd3082a0a4211f1dd1c0e1d3e28e1ca2073

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    a1669cba05dfe6904d775cb04e992c17

    SHA1

    268534f4faa7cb73799cec18cd7c394a69bfba78

    SHA256

    2a1f7a9beb6070a823ccf963d35f2617eaebbe4b30cf2a75d999b653f6300a99

    SHA512

    1e0c2b0b7dc730add6c71ee6b9f0868a806a8ba0b9a3ba1f2c443f0561bf55ab83422f158dd4a297bf4b3e762d7db2e8469d210f0d93f68cde78ce64d5f7b33f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab6653.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar690B.tmp
    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0RXW23ZO.txt
    Filesize

    605B

    MD5

    5abe714f13baffb828b29da700863599

    SHA1

    5012bc4e0a6e2e8c447cb472b74e48b8bbc0eca0

    SHA256

    635162de1a554de4c338d6f80110f32760f59ea78319252eeb8f54f717505bdf

    SHA512

    16a4c55967c5e405e76f0aa850280a245815d30cf566e1bb100407bc1751e5c76cd1db6e3e1160071524f7aa8893d48e65945d62c99c23b6e9870f17b203e84e

    Download Submit
  • C:\Windows\Aws.ini
    Filesize

    46B

    MD5

    5abf17ac58c8256ea0dd3c0e41ef0390

    SHA1

    e2c2e7504fbc174fa16406bd9d748bcd0fc83a42

    SHA256

    f62acee0fcf03d38a8735ba0cd0f16399acba9ef2d3d66e229bd8cadca3e42ab

    SHA512

    bc281726f559f0b4d8e3d119d966d56d3b284b4a7e0a9088624ee1513c66f0f741d80ca32244ba356328e9e9d840dc92d36d325b605129be4ba57cd3e796f0f1

    Download Submit
  • memory/272-67-0x0000000000400000-0x000000000059E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/272-55-0x0000000000400000-0x000000000059E000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/972-66-0x0000000002BB0000-0x0000000002BC0000-memory.dmp
    Filesize

    64KB

    Download