Overview

overview

8

Static

static

3

29c612dca4...eb.exe

windows7-x64

8

29c612dca4...eb.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25/12/2023, 15:36

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    29c612dca4e2d302445a71ddc283b5eb.exe

  • Size

    366KB

  • MD5

    29c612dca4e2d302445a71ddc283b5eb

  • SHA1

    e54e0c0dc33194a4647dfafefc0595ed8caa03b6

  • SHA256

    33d8601ed2e3d9c5d7fad96366f151c59688ab0b06c76b79abff5e29f7527e8d

  • SHA512

    2605c3730b42140d7e0485feb3010ae96a73f4bbde79c64ad1ecf743c5798b864348767c761e4db10d1a2d222ccf1550024e2c56da8f31e07c9b9499b51fc7ed

  • SSDEEP

    6144:GC3+XHmuPepeqif4ro9DC6VaZfh/m8hIHnBiXmY:SXHmuPepeXfOo9DC6gZpm82HC7

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\29c612dca4e2d302445a71ddc283b5eb.exe
    "C:\Users\Admin\AppData\Local\Temp\29c612dca4e2d302445a71ddc283b5eb.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SysWOW64\Rundll32.exe
      Rundll32.exe "C:\Windows\system32\RemoteServer.dll" InstallService
      2⤵
      • Sets DLL path for service in the registry
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      PID:2536
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\DelSelf.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • Runs ping.exe
        PID:2884
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k netsvcs
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in System32 directory
    PID:2360

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\DelSelf.bat
          Filesize

          221B

          MD5

          806273c86eed94986429ee6f28181c26

          SHA1

          6741e1c483a57a6b467ee1be26cef95a5f29d1b0

          SHA256

          a884de502c4389cb6576c03b2d2d5c8ba58c063b7a9afbd8107a80bf88e0aec4

          SHA512

          71f500f1e506db54db0c2d81118239a02cc7a9ec725cb0ae2644b8048f8bb10290db9941144cec5591dbfe904b182878c94a8a19e296fd57930fac32ac6b14c0

          Download Submit

        • C:\Windows\SysWOW64\3B275A5A.fn
          Filesize

          41B

          MD5

          a605162e80dab7c45266d02ac6c130d4

          SHA1

          0f2273d0f44136ee43c302ca5ac120218d47ed94

          SHA256

          fef29e5012984af4d0b17266efba3f3bae6a720ea6fd002cdcb164936bcf5346

          SHA512

          7fd0af6dac9fbd5b19b613893c0bd863cfc7427e3a9cb12c19a9214a8a5560204808781bd43f751784a7de1fe9662c2d70f105f69f80d365f928ef4a7af868c9

          Download Submit

        • C:\Windows\SysWOW64\RemoteServer.dll
          Filesize

          274KB

          MD5

          7770ed55793ddcbb601c9b78a27aa907

          SHA1

          74f6636e6ef0f80d66d06a8c8111ec1354f70134

          SHA256

          470e6aae31276874fe486c8ac11a369d076d4f8458af4e4c3e8a99642ce57d2f

          SHA512

          3ee9da66ba7f46eb8d281e5c639270d959f87df5501d0199c3af08380956be68e6f2c1562d60bfaaa631502f14bf8787e8d155fd5c97d3e098267382afa9640a

          Download Submit

        • memory/1924-21-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

          Download

        • memory/1924-55-0x0000000000400000-0x0000000000461000-memory.dmp

          Filesize

          388KB

          Download

        • memory/2360-8-0x0000000000550000-0x0000000000599000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2360-25-0x0000000000550000-0x0000000000599000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2360-105-0x0000000000550000-0x0000000000599000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2536-6-0x0000000000180000-0x00000000001C9000-memory.dmp

          Filesize

          292KB

          Download

        • memory/2536-24-0x0000000000180000-0x00000000001C9000-memory.dmp

          Filesize

          292KB

          Download