Analysis

max time kernel:   139s
max time network:  146s
platform:          windows10-2004_x64
resource:          win10v2004-20230703-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted:         29-08-2023 20:36
Static task: static1

Behavioral task: behavioral1
  Sample:   5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample:   5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  Resource: win10v2004-20230703-en
General

Target:  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
Size:    10.8MB
MD5:     ee7515422d65f240df68f18f3dcdfc0b
SHA1:    eb46ba6139a06ad5c7ca9d25b8796eeb58f9ed8c
SHA256:  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe
SHA512:  26ca67e5e09aa536311b0b93f68987671f6808f6b53d7403133dcde59fd93dbe8c6db36ed5a9a4d904186679938550da60fd7f2128864c8c8c03b4d2801aa139
SSDEEP:  196608:8/MYYLlQ4qHSk3zE9DyW7m+/5VZZWbatu7Q0Mgrjz0h/FWwiU2q:ZbMjcDmba0c0My30j8U2
Malware Config
Signatures

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  description                   ioc                 Process
  File opened for modification  \??\PhysicalDrive0  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid  Process
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
  pid   Process
  4872  systeminfo.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  Process
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid  Process
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  400  5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                         pid   Process                                                                 procid_target
  PID 400 wrote to memory of 3856     400   5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe   84
  PID 400 wrote to memory of 3856     400   5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe   84
  PID 400 wrote to memory of 3856     400   5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe   84
  PID 3856 wrote to memory of 4872    3856  cmd.exe                                                                 85
  PID 3856 wrote to memory of 4872    3856  cmd.exe                                                                 85
  PID 3856 wrote to memory of 4872    3856  cmd.exe                                                                 85
Processes

C:\Users\Admin\AppData\Local\Temp\5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5a13743c8329f8e2e0c1fe3eab30387b67a8389f8ae0a97cea1eae390aa888fe.exe"
  PID: 400
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /c systeminfo
    PID: 3856
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\systeminfo.exe
      Command line: systeminfo
      PID: 4872
      - Gathers system information