Analysis

  • max time kernel
    96s
  • max time network
    175s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2023 06:41

General

  • Target

    0c537a43f020d1ba36e2b5a05d5a181d.exe

  • Size

    268KB

  • MD5

    0c537a43f020d1ba36e2b5a05d5a181d

  • SHA1

    9a745071bb4244819806000253bb5e2bd9eacf3f

  • SHA256

    8bfe749e5e0a9985833b5f6064af69476c7d165ec1ffae8479adf773f56ef71c

  • SHA512

    8bf5298c449b8e43dc8e30e87ba31a5453d789c970ef02cc5307e632c139fcd31175afa4f02deba6bfb831be2cd97aaa3bfb520b4a3f0126f82db0ec2228f272

  • SSDEEP

    6144:UJJglU4Q68qSiuDEiVy+TEa5fdmyKyjsylTopys8bG:41fuiVfPr7jsylTopbF

Malware Config

Signatures

  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE (1 IoC)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)

    Bootkits write to the MBR to gain persistence at a level below the operating system. Wipers write to the same sector to make the disk unbootable, so a raw write to sector 0 should be confirmed from the disk image before the sample is classified as a bootkit.

  • Checks processor information in registry (2 TTPs, 4 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)
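The "Writes to the Master Boot Record" signature only tells you that sector 0 of the disk was opened and written; what changed has to be checked in the disk image. The following is an added example, not code from the report or the sample: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA marker) and diffs a suspect sector against a known-good baseline. The two sectors it works on are constructed test data, not bytes recovered from this analysis.

```python
"""Parse a 512-byte MBR and diff it against a known-good baseline.

Added example for triaging a "writes to MBR" sandbox signature. CLEAN_MBR and
TAMPERED_MBR are constructed test sectors, not data from the analysed sample.
"""
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code, disk signature at 0x1B8
PART_TABLE_OFF = 446           # four 16-byte partition entries, bytes 446..509
MBR_SIGNATURE = b"\x55\xAA"    # bytes 510..511
# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, disk signature, boot code and used partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:   # type 0 means the slot is unused
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "lba_count": lba_count})
    return {
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", sector, 0x1B8)[0],
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": parts,
    }


def diff_mbr(baseline: bytes, suspect: bytes) -> dict:
    """Summarise how the suspect sector differs from the baseline."""
    base, sus = parse_mbr(baseline), parse_mbr(suspect)
    changed = [i for i in range(BOOT_CODE_LEN) if baseline[i] != suspect[i]]
    return {
        "boot_code_bytes_changed": len(changed),
        "first_changed_offset": changed[0] if changed else None,
        "partition_table_changed": baseline[PART_TABLE_OFF:510] != suspect[PART_TABLE_OFF:510],
        "partitions_intact": base["partitions"] == sus["partitions"],
        "signature_intact": sus["valid_signature"],
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: given boot code, one bootable NTFS partition, valid 55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 0x1B8, 0xDEADBEEF)                  # disk signature
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed inputs: a clean sector, and the same layout with the boot code
# replaced by "jmp $" (EB FE), i.e. a machine that hangs instead of booting.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100)
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x00" * 64)

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR)["partitions"])
    print(diff_mbr(CLEAN_MBR, TAMPERED_MBR))
```

On a real case the baseline is sector 0 taken from the sandbox image before detonation (or from a clean install of the same image), and the suspect sector is the same offset after the run; a changed boot code region with an intact partition table is the pattern for either a bootkit hook or a wiper, and which one it is depends on what the new boot code does.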

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c537a43f020d1ba36e2b5a05d5a181d.exe
    "C:\Users\Admin\AppData\Local\Temp\0c537a43f020d1ba36e2b5a05d5a181d.exe"
    1⤵
    • Checks BIOS information in registry
    • Writes to the Master Boot Record (MBR)
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Users\Admin\AppData\Local\Temp\uninstall.exe
      C:\Users\Admin\AppData\Local\Temp\uninstall.exe
      2⤵
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:3868
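Both processes in the tree above perform the BIOS and processor registry checks that the signatures flag as sandbox detection. The following is an added example, not code from the sample or the sandbox, of what such a check looks like and how a sandbox operator can run the same probes against their own VM to see which values give it away. The registry paths are the standard Windows hardware-description keys; the report names only the categories, so the assumption that this sample reads exactly these values is mine. The live read uses `winreg` on Windows; the two value sets at the bottom are constructed, not read from the report's VM.

```python
"""Registry-based VM detection as malware performs it, reproduced for sandbox hardening.

Added example. REGISTRY_PROBES lists the usual HKLM hardware-description
values (an assumption about which keys this particular sample reads);
BARE_METAL and TYPICAL_VM are constructed sample values.
"""
import sys
from typing import Mapping

# Hive-relative key and value name for each probe (HKEY_LOCAL_MACHINE).
REGISTRY_PROBES = {
    "bios_vendor":      (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVendor"),
    "bios_version":     (r"HARDWARE\DESCRIPTION\System\BIOS", "BIOSVersion"),
    "sys_manufacturer": (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    "sys_product":      (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
    "cpu_name":         (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    "cpu_vendor":       (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "VendorIdentifier"),
}

# Case-insensitive substrings that identify common hypervisors and sandboxes.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen", "hyper-v",
              "bochs", "parallels", "innotek", "virtual")


def read_live_values() -> dict:
    """Read the probe values from the local registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read only works on Windows")
    import winreg
    values = {}
    for name, (path, value_name) in REGISTRY_PROBES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                values[name] = str(winreg.QueryValueEx(key, value_name)[0])
        except OSError:          # key or value absent on this machine
            values[name] = ""
    return values


def vm_indicators(values: Mapping[str, str]) -> list:
    """Return (probe, marker) for every value that carries a hypervisor string."""
    hits = []
    for name, value in values.items():
        low = value.lower()
        for marker in VM_MARKERS:
            if marker in low:
                hits.append((name, marker))
                break            # one hit per probe is enough
    return hits


def looks_like_sandbox(values: Mapping[str, str]) -> bool:
    """Crude decision in the style of malware checks: any marker means 'sandbox'."""
    return bool(vm_indicators(values))


# Constructed sample values (not read from the report's VM).
BARE_METAL = {
    "bios_vendor": "American Megatrends Inc.", "bios_version": "F12",
    "sys_manufacturer": "Gigabyte Technology Co., Ltd.", "sys_product": "B450 AORUS",
    "cpu_name": "AMD Ryzen 5 3600 6-Core Processor", "cpu_vendor": "AuthenticAMD",
}
TYPICAL_VM = {
    "bios_vendor": "innotek GmbH", "bios_version": "VirtualBox",
    "sys_manufacturer": "innotek GmbH", "sys_product": "VirtualBox",
    "cpu_name": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz", "cpu_vendor": "GenuineIntel",
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else TYPICAL_VM
    print("sandbox" if looks_like_sandbox(values) else "bare metal", vm_indicators(values))
```

Run on the analysis VM, every probe that shows up in `vm_indicators` is a value worth overriding in the image (the SMBIOS strings are set at the hypervisor level, the processor name comes from CPUID and is harder to mask); a sample that reads these keys and then exits early is the classic cause of a short run with little activity, so the check is also a first thing to look at when a report like this one is suspiciously quiet.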

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\uninstall.exe (size and all four hashes match the submitted sample exactly: the dropper writes a byte-identical copy of itself to %TEMP% under this name and runs it as PID 3868)

    Filesize

    268KB

    MD5

    0c537a43f020d1ba36e2b5a05d5a181d

    SHA1

    9a745071bb4244819806000253bb5e2bd9eacf3f

    SHA256

    8bfe749e5e0a9985833b5f6064af69476c7d165ec1ffae8479adf773f56ef71c

    SHA512

    8bf5298c449b8e43dc8e30e87ba31a5453d789c970ef02cc5307e632c139fcd31175afa4f02deba6bfb831be2cd97aaa3bfb520b4a3f0126f82db0ec2228f272