Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23/02/2024, 11:33
Static task
static1
Behavioral task
behavioral1
Sample
fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe
Resource
win10v2004-20240221-en
General
-
Target
fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe
-
Size
3.8MB
-
MD5
bb6125e59ee56310c627ecead3e4b319
-
SHA1
d99df8e3249441a9d58003ac1cf2a63c000e899c
-
SHA256
fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4
-
SHA512
3efec680dd34ed5044cbb39f95391a834def0f60e2eaa838e19b8542f7f5795e5d3288db56d71257ffdc84207d5897e2b0d11f736c6ecee1172c5b6f0a7fa537
-
SSDEEP
49152:v7Idf70vsomJNLUhLaV+fYmKMuSGOp09B/pwJrN6GFVfoPpNf9CXOnMh61RpvPNy:DIdfiKLegiKBVPG5o28N15nMApRq
Malware Config
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\LuDaShi\{D94A1F80-6229-45ec-B654-986B8C6D8AB0}.tf fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe File created C:\Program Files (x86)\LuDaShi\{D1197744-151D-4cd9-9A12-B02FDC09A974}.tmp\{6993F3EE-0309-413b-96A2-C62BEAD5E7A5}.tf fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe -
Program crash 1 IoCs
pid pid_target Process 2496 2704 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2496 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe 1 PID 2704 wrote to memory of 2496 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe 1 PID 2704 wrote to memory of 2496 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe 1 PID 2704 wrote to memory of 2496 2704 fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe 1
Processes
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 8121⤵
- Program crash
PID:2496
-
C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe"C:\Users\Admin\AppData\Local\Temp\fabda82b69857866e19c933af976f4d8779fe8a797a0c92338d4ef5cbb68d6a4.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2704
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
238KB
MD58786d469338c30e0ba9fedfc62bd5197
SHA15fb12028ceae9772f938e1b98b699f0e02e32718
SHA256beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f
SHA5125db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c
-
Filesize
1.1MB
MD52706693dda10c6cc79eed24c56d4e5ef
SHA14f34ef1bd49273a0d260b9dab15c73eb0ccb6383
SHA2560edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3
SHA5127e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c