7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
30-06-2023 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

32.5MB
MD5

40462cb1d8678ec6103aa71655f15fe1
SHA1

be4a958b79ab7c410b51911e272ec3e2e04f4ed7
SHA256

7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c
SHA512

2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5
SSDEEP

786432:RNhjKQH/s50/ChVnfAz/DCGEBqscfa+IWpSxk8unu/3T7nrNtm:vhjKQHA0/yVnIz/H3fJnpKSu/TVc

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
752	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
752	tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1728	tmp.exe
752	tmp.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\A:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\S:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\I:	tmp.exe
File opened (read-only)	\??\R:	tmp.exe
File opened (read-only)	\??\W:	tmp.exe
File opened (read-only)	\??\X:	tmp.exe
File opened (read-only)	\??\N:	tmp.exe
File opened (read-only)	\??\Q:	tmp.exe
File opened (read-only)	\??\O:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\U:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\J:	tmp.exe
File opened (read-only)	\??\P:	tmp.exe
File opened (read-only)	\??\V:	tmp.exe
File opened (read-only)	\??\B:	tmp.exe
File opened (read-only)	\??\G:	tmp.exe
File opened (read-only)	\??\L:	tmp.exe
File opened (read-only)	\??\E:	tmp.exe
File opened (read-only)	\??\T:	tmp.exe
File opened (read-only)	\??\F:	tmp.exe
File opened (read-only)	\??\H:	tmp.exe
File opened (read-only)	\??\K:	tmp.exe
File opened (read-only)	\??\M:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe
File opened (read-only)	\??\Z:	tmp.exe
File opened (read-only)	\??\Y:	tmp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	tmp.exe
File opened for modification	\??\PHYSICALDRIVE0	tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Internet Explorer\Main	tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
752	tmp.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1728	tmp.exe
1728	tmp.exe
1728	tmp.exe
752	tmp.exe
752	tmp.exe
752	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 752	1728	tmp.exe	27
PID 1728 wrote to memory of 752	1728	tmp.exe	27
PID 1728 wrote to memory of 752	1728	tmp.exe	27
PID 1728 wrote to memory of 752	1728	tmp.exe	27

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HZMQ0AZF\20221203[1].htm

Filesize
2KB

MD5
b74044159bc87d1e9b0053b05ee8c13b

SHA1
bdfd7cbcc86f3b900344754e1da6cd22d15f1b9a

SHA256
e6f5617910b0ae36ee54ee66aa80915372615a385e825b769b6660213d7c0f4b

SHA512
75878a30633bc68819ec014224adc9c2e8fcd11901a728bda8ef596275ac28d34d4de1144f45245429f9c0e2e83e6498c91514f27e038b745a45ada7e5575c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\LoginFail.ini

Filesize
65B

MD5
af441ee6cc63a15272f02b63b41130bf

SHA1
23868ed627cdc35dc83bc25df29c32e0c2d07a09

SHA256
c6b9dd4898fae4007953e62330b7dd5444ed062dea4436298d23c6338f3317c9

SHA512
e8c2851f7cf9fedb0b706e76064b7bc19ecf14bd280902e5dce0d6092a2461280646f294d608965b42af9d618c70590171fe8fa6851d10a87ae92dcd4522879d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\LoginTemp.ini

Filesize
30B

MD5
9b2456363290ba7d3b58b22d66ce6a18

SHA1
43f3a27739354d6a21dab842e5910205eb7ebe6b

SHA256
95b5335823c05e3acf512d08169bf4cc9925d70e96b72e83b472cb55b094e218

SHA512
3eceb636eb660bf20d558a396a0ac186902974e9737354577b301765407c98c94f800c62083f6e648bd576da8a84e414919a7a99144b409befea5bb86b48cbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
C:\Users\Admin\Desktop\ÏÐÔÆ³ÁÄ¬v2x.lnk

Filesize
964B

MD5
2b10eb7aa3e7e7a05a4055ceff458918

SHA1
74bb9a0bf9c58f696ca987a2e66301b37b96bd66

SHA256
9dcbd8f1146cd3be4f81a38d923989c4f266f7bcbc8543cb742f7e49bb8bc50e

SHA512
e16fb899de4804f787d7d66a4350c046e16033a0f1dec0bf3de21f9da9ef5669d5b41857bdfdfe753decac490e7bc8ca2414fab7abafe14a5934375d6f8fae6c

Download Submit
\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
\Users\Admin\AppData\Local\Temp\ÏÐÔÆ³ÁÄ¬\tmp.exe

Filesize
32.5MB

MD5
40462cb1d8678ec6103aa71655f15fe1

SHA1
be4a958b79ab7c410b51911e272ec3e2e04f4ed7

SHA256
7a7848da6e229abc1681d01407679d1dfdc9e7f7756b49fec1802d49be10f45c

SHA512
2f4777b6104ce04baf2009e36bc3048ecc3deefa342d12f9ebfaeaa1eb6db36fb4600915fd3b52d0764e609527778150e1a1c8b0f227372458997dbdca439af5

Download Submit
memory/752-71-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/752-74-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/752-75-0x0000000006350000-0x0000000006360000-memory.dmp

Filesize
64KB

Download
memory/752-76-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/752-97-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/752-108-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/752-109-0x0000000006350000-0x0000000006360000-memory.dmp

Filesize
64KB

Download
memory/1728-57-0x00000000063D0000-0x00000000063E0000-memory.dmp

Filesize
64KB

Download
memory/1728-54-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download
memory/1728-58-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1728-55-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1728-107-0x0000000000400000-0x0000000002D7D000-memory.dmp

Filesize
41.5MB

Download