Analysis

  • max time kernel
    1s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/12/2023, 22:09

General

  • Target

    fbc208d4a525f449c25074b21a1784b6.exe

  • Size

    3.2MB

  • MD5

    fbc208d4a525f449c25074b21a1784b6

  • SHA1

    128dfd563f281370b3f34ac15de96875bf47c148

  • SHA256

    6f8978e9e9dfbabd48136fa088d5d4aec70365714a023f600469a8019dd99c2d

  • SHA512

    ebbc3ba7a4d5297f92ef3452259dde760dce6092dd2183af5a4c8f78a0e1f99334d61bcbb9957914aaa41daac8a0af775300fcb56073fb6eac9ee81cc0286738

  • SSDEEP

    49152:taj0As03hf/c40nIFkR9hv5ZDLg45V9gVfW7dvdryINFQY/kxrJEIpEHmkeY:20URJ0nIFkD/ZZ32AvELukxN/EG

Malware Config

Signatures

  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

  • Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fbc208d4a525f449c25074b21a1784b6.exe
    "C:\Users\Admin\AppData\Local\Temp\fbc208d4a525f449c25074b21a1784b6.exe"
    1⤵
    • Enumerates VirtualBox registry keys
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\del.bat"
      2⤵
        PID:1628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 336
        2⤵
        • Program crash
        PID:2708

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2444-2-0x0000000000470000-0x0000000000476000-memory.dmp
    Filesize: 24KB

  • memory/2444-3-0x0000000000470000-0x0000000000476000-memory.dmp
    Filesize: 24KB

  • memory/2444-0-0x0000000013140000-0x0000000013782000-memory.dmp
    Filesize: 6.3MB

  • memory/2444-5-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize: 4KB

  • memory/2444-4-0x0000000013140000-0x0000000013782000-memory.dmp
    Filesize: 6.3MB

  • memory/2444-8-0x0000000013140000-0x0000000013782000-memory.dmp
    Filesize: 6.3MB

  • memory/2444-10-0x0000000000470000-0x0000000000471000-memory.dmp
    Filesize: 4KB