Overview

overview

7

Static

static

3

7e62fabd24...dc.exe

windows7-x64

7

7e62fabd24...dc.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe

  • Size

    1.8MB

  • MD5

    aeec9d4e8e49b8c3cbd8ec691e0c071c

  • SHA1

    e24dfe791a6d0f988c76e1bdda149abde418fd6f

  • SHA256

    7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc

  • SHA512

    858280134baefb8a8076c966f665145573efc7a9c620a4e33725bd80217b396f4dfc57ed485224e96327ee4729e88a66a269c9df611023c42095ead833d42c5c

  • SSDEEP

    49152:07DYbVtugvKlSA+n32pWx43UxThfAToZqScjc3tu:O+rvgz+n32kCUxTRog

Score
7/10
bootkitevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 38 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3136
      • C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe
        "C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe"
        2⤵
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:2264
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8695.bat
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4380
          • C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe
            "C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe"
            4⤵
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Writes to the Master Boot Record (MBR)
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            PID:1704
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4680
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
                PID:440

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\7-Zip\7z.exe
        Filesize

        484KB

        MD5

        c6d74bb54c8490994fbcee53ed3d7104

        SHA1

        61896a81c095d9327925f3779047707bb3b90ae6

        SHA256

        5fd194326856bc19a3e9121f8d1f6c56039ef475c867bc6c8fa7c62f71af824d

        SHA512

        85a1b9fd25b89b282f3ced2f995e42aa28ebf576627d039045eff0ae7122e7ead6efc96980ac3185b549df26dc69d2ebcb3a3c8b9651a3eb681e95e9990c9d58

        Download Submit

      • C:\Program Files\_desktop.ini
        Filesize

        9B

        MD5

        872506f1dadcc0cedd1e9dee11f54da4

        SHA1

        d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

        SHA256

        a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

        SHA512

        6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\$$a8695.bat
        Filesize

        722B

        MD5

        54c3a45699e28f82bfeffc8ff047abe5

        SHA1

        f1ffbf9ea85423fdd37426687bf6a7bd2632ada0

        SHA256

        57db0fc93efd2c37cf6004eee1c14a95d89903978c4e32dbad199ee1feda662e

        SHA512

        dc05d0653fc9c98743d764d4ea8aa33e18f19263ce9d43c6808232eb425722d0d59d713b03cec9fd1f050ef2037f4439d136548a473fb29626096fcf26fdb9cf

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe
        Filesize

        1.8MB

        MD5

        8f6a1effaab5bc3aa41a210fbe858148

        SHA1

        daab0e4852dfeb944d5fa13f5a9039880c9023f9

        SHA256

        ce537a333ddb3271a3bc68b9f1cd1d22808c0808eac1fe4225c9ad95e771c7e5

        SHA512

        bbe79b942937cf19a76ee5b320bf46e33323e09d587dc42066131ab83ad4da86181725560dd919c9316e67e34fded1f472a43235f99c4e3d3e1b780f4d5263b1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\7e62fabd24864f6e937e3f4eb7b0d584eab1c7a1fea79074ae458d9d838a6edc.exe.exe
        Filesize

        1.8MB

        MD5

        8f6a1effaab5bc3aa41a210fbe858148

        SHA1

        daab0e4852dfeb944d5fa13f5a9039880c9023f9

        SHA256

        ce537a333ddb3271a3bc68b9f1cd1d22808c0808eac1fe4225c9ad95e771c7e5

        SHA512

        bbe79b942937cf19a76ee5b320bf46e33323e09d587dc42066131ab83ad4da86181725560dd919c9316e67e34fded1f472a43235f99c4e3d3e1b780f4d5263b1

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        c438cd45dba79de60cfe6dedf51add8b

        SHA1

        9a84bde939cfeae643e96ce34a3bceee2e9f640e

        SHA256

        2d8f4cf4e9edb7b563432e0974e2de11b776c274739521674577c9242e509f9c

        SHA512

        7f28a39c22247d5ff2c14f02c415defa68f960b7448f87ca8c50ea2ca0f41454c313b57e76505f24ac5430da4f2afd487b3e32c10841fea01c86c5816a4f997c

        Download Submit

      • C:\Windows\Logo1_.exe
        Filesize

        26KB

        MD5

        c438cd45dba79de60cfe6dedf51add8b

        SHA1

        9a84bde939cfeae643e96ce34a3bceee2e9f640e

        SHA256

        2d8f4cf4e9edb7b563432e0974e2de11b776c274739521674577c9242e509f9c

        SHA512

        7f28a39c22247d5ff2c14f02c415defa68f960b7448f87ca8c50ea2ca0f41454c313b57e76505f24ac5430da4f2afd487b3e32c10841fea01c86c5816a4f997c

        Download Submit

      • C:\Windows\rundl132.exe
        Filesize

        26KB

        MD5

        c438cd45dba79de60cfe6dedf51add8b

        SHA1

        9a84bde939cfeae643e96ce34a3bceee2e9f640e

        SHA256

        2d8f4cf4e9edb7b563432e0974e2de11b776c274739521674577c9242e509f9c

        SHA512

        7f28a39c22247d5ff2c14f02c415defa68f960b7448f87ca8c50ea2ca0f41454c313b57e76505f24ac5430da4f2afd487b3e32c10841fea01c86c5816a4f997c

        Download Submit

      • F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini
        Filesize

        10B

        MD5

        81570c50286369016cef7a9f904c4b04

        SHA1

        b5758b23667cb35cad0adb23371b830fcee4f4e5

        SHA256

        b882f41a5c84d248a75714eaf215a9e363a49361b6a14beedb921ee3dfdb46a1

        SHA512

        0e6c479b0252e24635810b7d030cc9b5b17603ee20ccf62812446b8d15884521c6c7be65dfc0090bb1502e859fae27c2a63b3e58be714021f473a88407982162

        Download Submit

      • memory/1704-24-0x0000000000CF0000-0x0000000000ED0000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1704-32-0x0000000000CF0000-0x0000000000ED0000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/1704-18-0x0000000000CF0000-0x0000000000ED0000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/2264-12-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/2264-0-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-38-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-30-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-19-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-43-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-47-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-8-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-23-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-1121-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-1284-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download

      • memory/4448-2759-0x0000000000400000-0x0000000000434000-memory.dmp

        Filesize

        208KB

        Download