Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
13/10/2023, 01:49 UTC
Static task
static1
Behavioral task
behavioral1
Sample
6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Resource
win10v2004-20230915-en
General
-
Target
6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
-
Size
11.2MB
-
MD5
84e9fad559f90484f2598678f2e0208b
-
SHA1
e1e565fb75d6ec798ba8a216499ad4ef6beba616
-
SHA256
6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95
-
SHA512
34ce88136ae3de3b145b597cfe94d24ce31ff40c7a0291aab4b9d00f45f0767f915297bd839fc5e92329bb3aabd55a238ecd14fe8ba4de9a7b936e15588040f6
-
SSDEEP
196608:kRqt5CRk46zOnXWOEROxWUgyvK9pJkUQgJH58VWMOx:kRqt5CRkrOnXziuTvTi8UMW
Malware Config
Signatures
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733 6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\System.22668814018165733\19766882042117985 = "1328813663" 6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4308 6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe 4308 6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe"C:\Users\Admin\AppData\Local\Temp\6b273cd6710214d321ebea12c2c05348f04b5a5bfe15da1d5fbd8f4c50c36f95.exe"1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4308
Network
-
Remote address:8.8.8.8:53Request64.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request108.211.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request9.228.82.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestwww.3332pk.comIN AResponsewww.3332pk.comIN CNAMEwww.3332pk.com.cdn.dnsv1.comwww.3332pk.com.cdn.dnsv1.comIN CNAMEcdn.dispatch.spcdntip.comcdn.dispatch.spcdntip.comIN A59.83.204.12cdn.dispatch.spcdntip.comIN A122.189.171.115cdn.dispatch.spcdntip.comIN A119.188.150.48
-
Remote address:8.8.8.8:53Request2.136.104.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request54.120.234.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request119.126.53.103.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request129.47.75.47.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request14.6.24.117.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request29.81.57.23.in-addr.arpaIN PTRResponse29.81.57.23.in-addr.arpaIN PTRa23-57-81-29deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request146.78.124.51.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request18.31.95.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request254.177.238.8.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request12.173.189.20.in-addr.arpaIN PTRResponse
-
800 B 2.5kB 7 6
-
260 B 5
-
260 B 5
-
518 B 2.5kB 6 6
-
260 B 5
-
260 B 5
-
260 B 5
-
260 B 200 B 5 5
-
518 B 2.5kB 6 5
-
260 B 5
-
260 B 160 B 5 4
-
260 B 200 B 5 5
-
72 B 158 B 1 1
DNS Request
64.159.190.20.in-addr.arpa
-
74 B 145 B 1 1
DNS Request
108.211.229.192.in-addr.arpa
-
70 B 156 B 1 1
DNS Request
9.228.82.20.in-addr.arpa
-
60 B 183 B 1 1
DNS Request
www.3332pk.com
DNS Response
59.83.204.12122.189.171.115119.188.150.48
-
71 B 157 B 1 1
DNS Request
2.136.104.51.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
54.120.234.20.in-addr.arpa
-
73 B 161 B 1 1
DNS Request
119.126.53.103.in-addr.arpa
-
71 B 142 B 1 1
DNS Request
129.47.75.47.in-addr.arpa
-
70 B 123 B 1 1
DNS Request
14.6.24.117.in-addr.arpa
-
70 B 133 B 1 1
DNS Request
29.81.57.23.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
146.78.124.51.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
18.31.95.13.in-addr.arpa
-
72 B 126 B 1 1
DNS Request
254.177.238.8.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
12.173.189.20.in-addr.arpa