Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-12-2023 03:48

General

  • Target

    03cd9e81719c06c5c8a29cdcfac3ae7e.exe

  • Size

    548KB

  • MD5

    03cd9e81719c06c5c8a29cdcfac3ae7e

  • SHA1

    95d18fc034c40fcea3cd6f4b72ed9e4d29e858bb

  • SHA256

    73fb68e2ea01ff336c410d3b98c7d3e4c8e48c1565bcc50be7f262b58726d9e7

  • SHA512

    da4bedf781a2adb08674cf88c79fe12e24689b0c532c30c70ae26c35727dafe082457e637ba1c8f9b34def7f998bf37d725ddef96bc0c584a9e7090bb5febc90

  • SSDEEP

    6144:kB/RFtlUYA5xHtSl8rVj+8GkYJTIRT68O:8lWjt+8WWTK

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
    "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
      "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
        "C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Loads dropped DLL
        • Adds Run key to start application
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2316
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\spoolsv.exe" CityScape Enable
          4⤵
          • Modifies Windows Firewall
          PID:2884
        • C:\Users\Admin\AppData\Roaming\spoolsv.exe
          /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2916
          • C:\Users\Admin\AppData\Roaming\spoolsv.exe
            /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Writes to the Master Boot Record (MBR)
            • Suspicious use of SetThreadContext
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1628
            • C:\Users\Admin\AppData\Roaming\spoolsv.exe
              /d C:\Users\Admin\AppData\Local\Temp\03cd9e81719c06c5c8a29cdcfac3ae7e.exe
              6⤵
              • Modifies WinLogon for persistence
              • Deletes itself
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of SetWindowsHookEx
              PID:2872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\CabBB65.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\TarBBD5.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\AppData\Roaming\vKqiwIpF

    Filesize

    39KB

    MD5

    5084c479bc345c16bd5539bcda389cd0

    SHA1

    58cd1fdeaf85b30afe1ce693275b02f796a069a9

    SHA256

    35523bcdaba71becb0cf4cb7d1d7b92a8227caf2a75df1883a2e3ff45845ce58

    SHA512

    23ddd10f3a17c004e59bd1066085c3426595b356d97dc5fc7634c8f19bd6a89ba21c8f0b58035fd1518db1f853f159fcfc839617a55ae47d7c262096602a37f2

  • \Users\Admin\AppData\Roaming\spoolsv.exe

    Filesize

    548KB

    MD5

    cb267aa747c53b9ffc8d8e28674b0a89

    SHA1

    9d9bafaab2e2d205a036023e3e9cd07f69eacdc5

    SHA256

    9b8b4aa2fd479723cadd603f7bce0046f394fc0387f182c80ce502292728aaf7

    SHA512

    d65386d7874e536dee87adafb67e3b704df8613af42014b60ded50214ddde04834de3436ad0ec3b6b63e3f704b1e7446db2d3c56a5a0097b45aae9596100b3b9

  • memory/1628-133-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1628-119-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1700-2-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-14-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-12-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-27-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-6-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/1700-4-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2316-17-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2316-25-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2316-97-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2316-21-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2316-19-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-139-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-138-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-137-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-141-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-142-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-143-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-144-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-145-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB

  • memory/2872-146-0x0000000000400000-0x0000000000422000-memory.dmp

    Filesize

    136KB