Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
20-12-2023 17:19
Static task
static1
Behavioral task
behavioral1
Sample
f541e92a4ee6f86571a04d03eeeb7d5b.exe
Resource
win7-20231129-en
General
-
Target
f541e92a4ee6f86571a04d03eeeb7d5b.exe
-
Size
288KB
-
MD5
f541e92a4ee6f86571a04d03eeeb7d5b
-
SHA1
84b0c8994ef2cdec0bc1d31633cdb50afb4eb824
-
SHA256
1615ac8c21cce75cb9e66d60151215e368f6b2aef2547feee2bf68f998702eb9
-
SHA512
31f0369142456fa5f091168aefbcb3994c94dd9e1dcfa78b07f34d5c5340b5b55a8801c25b8ac6ec644674b7e73853a19a749cc363b017aca9b21b6025109373
-
SSDEEP
6144:wxILdTokcUhDTuDchi3Pc/t4Jnn2lTPCbmNsdOod:l5czghif2O2lTPWOsdOa
Malware Config
Extracted
gootkit
3008
tratata.zinjibil.com
buyyou.org
trktrk.org
fields.mobi
-
vendor_id
3008
Signatures
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f541e92a4ee6f86571a04d03eeeb7d5b.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe 4072 mstsc.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 3448 wrote to memory of 4072 3448 f541e92a4ee6f86571a04d03eeeb7d5b.exe 94 PID 4072 wrote to memory of 4404 4072 mstsc.exe 95 PID 4072 wrote to memory of 4404 4072 mstsc.exe 95 PID 4072 wrote to memory of 4404 4072 mstsc.exe 95 PID 4404 wrote to memory of 4756 4404 cmd.exe 97 PID 4404 wrote to memory of 4756 4404 cmd.exe 97 PID 4404 wrote to memory of 4756 4404 cmd.exe 97 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4756 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"1⤵
- Checks BIOS information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3448 -
C:\Windows\SysWOW64\mstsc.exeC:\Windows\System32\mstsc.exe "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240642078.bat" "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe""3⤵
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\attrib.exeattrib -r -s -h "C:\Users\Admin\AppData\Local\Temp\f541e92a4ee6f86571a04d03eeeb7d5b.exe"4⤵
- Views/modifies file attributes
PID:4756
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD50940a591f34c6c8baa728b32ba55aac9
SHA1da91c6f35ffc386fb19d1b87de4f6405b1c27825
SHA256a1d2bc5d2ee430581313b35e0fad1dc16d3e07869c7b00c8a8770bbc7bb0acda
SHA51275064f154ec57b6a768bb818b66ebd858f6286ab843f190902e46081da6faf95b40ca092832c70cd5b9b780d804bcac8a04e6eb114e877e884c603893cdec5a7