Overview

overview

8

Static

static

3

4a9fa940e8...07.exe

windows7-x64

7

4a9fa940e8...07.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    08-01-2024 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a9fa940e898ebcc4f723cad30f0ad07.exe

  • Size

    838KB

  • MD5

    4a9fa940e898ebcc4f723cad30f0ad07

  • SHA1

    d4bf4aa1811c33145d8fd41966f28fd5cdae2f88

  • SHA256

    e1a4f84716f597d3bdb3097fd7d3cf6db230f853c2719156cc5a1ae1b7b5051c

  • SHA512

    c23c3bbfda82df201f5f5ea429e0aa6c14ccfd8cbd43addbbfc5d77dfa0717ed02d60c7ab8a581cdfc651653223b339246374bd892cb7c546b5245e1ea0206bc

  • SSDEEP

    12288:SXo30W26PmYn4QqWJgksAQYUT6eETMaICXadZe09CKEvYzQq6E+UFRZECNzYlL:SXo526e49CbaMavt0IfY8vE+MRGizML

Score
7/10
bootkitpersistencespywarestealer

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 17 IoCs
  • Suspicious use of SendNotifyMessage 17 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a9fa940e898ebcc4f723cad30f0ad07.exe
    "C:\Users\Admin\AppData\Local\Temp\4a9fa940e898ebcc4f723cad30f0ad07.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\isecurity.exe
    Filesize

    167KB

    MD5

    1cd9a151ba2a7248009264105ae53115

    SHA1

    2f99f897a1e1ba64518e0f1505dd1720ce5272f0

    SHA256

    4e84ceaeb2853eb3db6dd47815475ca1ab8c374e42fee67a08a5a2d0f4af0d92

    SHA512

    1a6b883a602f59f66d8a834fef4df54da987961abb31fc6151fd249041385081b9200abda27784df596c1a95e7fae4f0d44f6e59600ff0ca9fc95af38aacf125

    Download Submit
  • C:\ProgramData\isecurity.exe
    Filesize

    112KB

    MD5

    195520ab18c979a519484063c6afdc63

    SHA1

    5b3bf70dc0b5d8384f46b6763a4e5bb5ae0064b1

    SHA256

    5be6fc11f58345a2a082cc75f475b3488b0e1f9f68e337bec9c6959590dd9c69

    SHA512

    804e9fd440c56558171814d1b4a955330daba4961b58ad199008056a5c16f530b6a14539a09288588741135d5f60d1358c011cefe5f8b991e7c4947240f4aaf2

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    89KB

    MD5

    5b4e62a5cd20c3211b39659d6d39434b

    SHA1

    50eee7e0fbe9a6be973ff336d58e5a167d8bfda9

    SHA256

    47aff75beb2cecf23e9a78dd85628cdb05e3f8cc68eb3d304aa913b5d5f58e09

    SHA512

    9d697c244bde94d3d43e80427ca12c7f4074583975df2583843dff6377ac21c26858c60a89aba6149d1965da31cb89fade604d1d3fbb320cc58cabae8a507938

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    57KB

    MD5

    0080e98e3984f5d11e216a6e6f61f709

    SHA1

    179089992b79e70ea4a3e0c77e45ac49119af72f

    SHA256

    41e947fee88e8b3d4a34fab0f2f41c9848ebeb02992c9cf307c44efef5cdf6b1

    SHA512

    45938bbf33077902357139df4de518a451a0668a247e0907560739d604e121f97e6adb6a46155fa59a160498bcb6817353aee293ae0effc8b2788a307f65633a

    Download Submit
  • \ProgramData\isecurity.exe
    Filesize

    136KB

    MD5

    fa815fe63806f436f2682cd330c00213

    SHA1

    48271ac11ea578e1d3382be2c6c6d4261de696da

    SHA256

    fb80752ad92fa64bc549e0feaec80f7c312f949851420582c7fec45be3441af7

    SHA512

    2a4989910390f13e30d6ad77ae37c19a69d17d47a086e13f9ad7b4198d6d1caf0700809e96e56a1e206eb7f1f8bc349d6db5003468acb393548fc757ec3a73e7

    Download Submit
  • memory/2136-2-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2136-1-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/2136-5-0x0000000077C70000-0x0000000077C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2136-12-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/2136-0-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB

    Download
  • memory/2760-28-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-34-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-24-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-23-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-21-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-27-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-20-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-29-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-30-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-31-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2760-33-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-25-0x0000000000240000-0x0000000000241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2760-35-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-36-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-37-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-38-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-39-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-40-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-41-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-42-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-43-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2760-44-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

    Download