Analysis

  • max time kernel
    1s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 21:46

General

  • Target

    3e330e58b7d79a91570e4b12bb00a03d.exe

  • Size

    3.2MB

  • MD5

    3e330e58b7d79a91570e4b12bb00a03d

  • SHA1

    671c52189036c478a15adc99dc9c080f8e08a9f5

  • SHA256

    66e6cf410bb79cd5dce9d9c345be2773a1c5f3f92fed65677f854e61f5918ca9

  • SHA512

    61868814d8cf78010f1babd2e739ece531db8826e9b001c3f8c3a0345d3b34cffa45a64a5464122015f17aabfcab2c13431c1da526edc8bc103fc8e93ecb9108

  • SSDEEP

    49152:NcbZrshAtKEMU9WzmWfgXRRQg6F6BKbKKbe3sQ5pXvfSRWY7yRwExWInmEJVeT9f:SbGacEMGWzm6EDHZX3HhmE6T9

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
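The signatures above are behavioural rules evaluated over the sandbox's event trace. The following Python is an added example (editor's code, not the sandbox's own rule engine) that re-derives those rules from a constructed Procmon-style trace. The event tuple layout `(pid, operation, path, detail)`, the regexes, and every sample event are assumptions; the events are constructed to match the signature descriptions and are not the real trace recorded for PID 2316.

```python
"""Re-derive the behavioural signatures above from a constructed event trace.

Added example (editor's code, not the sandbox's own rule engine). The
event tuple layout (pid, operation, path, detail), the regexes, and the
sample events are all assumptions; the events are constructed in a
Procmon-like shape and are NOT the real trace recorded for PID 2316.
"""
import re
from collections import defaultdict

# Constructed sample trace. Paths mirror the report's signature
# descriptions: VirtualBox keys, the Uninstall hive, drive roots and a
# 512-byte write at offset 0 of the raw disk (the MBR sector).
SAMPLE_EVENTS = [
    (2316, "RegOpenKey", "HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "NAME NOT FOUND"),
    (2316, "RegOpenKey", "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", "NAME NOT FOUND"),
    (2316, "RegEnumKey", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "Index: 0"),
    (2316, "RegOpenKey", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Wireshark", "NAME NOT FOUND"),
    (2316, "RegOpenKey", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Fiddler2", "NAME NOT FOUND"),
    (2316, "CreateFile", "C:\\", "SUCCESS"),
    (2316, "CreateFile", "D:\\", "SUCCESS"),
    (2316, "CreateFile", "E:\\", "NAME NOT FOUND"),
    (2316, "CreateFile", "\\\\.\\PhysicalDrive0", "Desired Access: Generic Write"),
    (2316, "WriteFile", "\\\\.\\PhysicalDrive0", "Offset: 0, Length: 512"),
    (2316, "WriteFile", "C:\\Users\\Admin\\AppData\\Local\\Temp\\del.bat", "Offset: 0, Length: 183"),
]

REG_OPS = {"RegOpenKey", "RegQueryValue", "RegEnumKey", "RegQueryKey"}
VBOX = re.compile(r"virtualbox|vbox", re.I)
NET_TOOLS = re.compile(r"wireshark|fiddler", re.I)
UNINSTALL = re.compile(r"\\CurrentVersion\\Uninstall(\\|$)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Z]:\\$", re.I)                      # "D:\" etc.
PHYSICAL_DRIVE = re.compile(r"^\\\\\.\\PhysicalDrive\d+$", re.I)  # "\\.\PhysicalDrive0"
OFFSET0 = re.compile(r"\bOffset:\s*0\b")


def classify(event):
    """Return the list of signature names a single event triggers."""
    _pid, op, path, detail = event
    hits = []
    if op in REG_OPS:
        if VBOX.search(path):
            hits.append("Enumerates VirtualBox registry keys")
        if NET_TOOLS.search(path):
            hits.append("Checks for common network interception software")
        if UNINSTALL.search(path):
            hits.append("Checks installed software on the system")
    elif op == "CreateFile" and DRIVE_ROOT.match(path):
        # Opening the root of any drive other than the system drive C:.
        if not path.upper().startswith("C:"):
            hits.append("Enumerates connected drives")
    elif op == "CreateFile" and PHYSICAL_DRIVE.match(path):
        hits.append("Enumerates physical storage devices")
    elif op == "WriteFile" and PHYSICAL_DRIVE.match(path) and OFFSET0.search(detail):
        # Sector 0 of the raw disk is the MBR.
        hits.append("Writes to the Master Boot Record (MBR)")
    return hits


def summarize(events):
    """Map each signature to its unique IoC paths, like the report's '<n> IoCs'."""
    iocs = defaultdict(list)
    for ev in events:
        for sig in classify(ev):
            if ev[2] not in iocs[sig]:
                iocs[sig].append(ev[2])
    return dict(iocs)


if __name__ == "__main__":
    for sig, paths in summarize(SAMPLE_EVENTS).items():
        print(f"{sig} ({len(paths)} IoCs)")
        for p in paths:
            print(f"    {p}")
```

Two caveats when turning this into a real detection: Procmon and kernel-level tracers typically report raw disk access by device object name (for example `\Device\Harddisk0\DR0`) rather than the Win32 `\\.\PhysicalDrive0` alias, so match on both; and the "other than C:" drive-root rule fires for ordinary installers and backup tools as well, so treat it as context for the MBR write rather than as a standalone alert.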

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e330e58b7d79a91570e4b12bb00a03d.exe
    "C:\Users\Admin\AppData\Local\Temp\3e330e58b7d79a91570e4b12bb00a03d.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 228
      2⤵
      • Program crash
      PID:1736
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat"
      2⤵
      PID:2044

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\del.bat
    Filesize 183B
    MD5 5a2c159b07268677044227b0710481ae
    SHA1 1f2af18f23ff653a317d36ba06c989e46d9a196f
    SHA256 34f6043d4869eb678f97837414b718404d581820032cd1e1c38cada4032ec412
    SHA512 805316a990641884e1be5c3f7497fe7568f9fe1184194a2653878d40c9cfe470a15b479e87d6f644c28dfb1c128659f3fd21621401eff44fbed911d25a6052c9

  • memory/2316-0-0x0000000000230000-0x0000000000234000-memory.dmp
    Filesize 16KB

  • memory/2316-2-0x0000000000230000-0x0000000000234000-memory.dmp
    Filesize 16KB

  • memory/2316-1-0x0000000013140000-0x000000001378B000-memory.dmp
    Filesize 6.3MB

  • memory/2316-5-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize 4KB

  • memory/2316-4-0x0000000013140000-0x000000001378B000-memory.dmp
    Filesize 6.3MB

  • memory/2316-7-0x0000000013140000-0x000000001378B000-memory.dmp
    Filesize 6.3MB