Overview

overview

7

Static

static

7

a16c972d09...53.exe

windows7-x64

7

a16c972d09...53.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-02-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a16c972d094318c4f9cc6e9550daeb53.exe

  • Size

    516KB

  • MD5

    a16c972d094318c4f9cc6e9550daeb53

  • SHA1

    02d5f9d5274257ab20ac6a657135f7248db50916

  • SHA256

    505f6f1e7b1fcc12646a2a569dd31f6af4d05fee8109b8541c466b05fc6d94ad

  • SHA512

    0ec6737a0524a3fa68b736c14f06092516dc787ae9870f6264019a807749ad8deaa11bfbceb71bd83f949e74f34828242685df46b28f60c812746e4508ee0dc2

  • SSDEEP

    12288:hwsebt1Yw1s2zn0gMljRJz5YF4uvctghYxGDHCt2BeFOoS:BeIw1Tzn07/Jt2BND+2w

Score
7/10
bootkitpersistenceupx

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 11 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer settings 1 TTPs 17 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3464
      • C:\Users\Admin\AppData\Local\Temp\a16c972d094318c4f9cc6e9550daeb53.exe
        "C:\Users\Admin\AppData\Local\Temp\a16c972d094318c4f9cc6e9550daeb53.exe"
        2⤵
        • Checks computer location settings
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\SysWOW64\ipconfig.exe
          ipconfig.exe /flushdns
          3⤵
          • Gathers network information
          PID:5096
        • C:\Windows\SysWOW64\yeipwmro.exe
          "C:\Windows\SysWOW64\yeipwmro.exe"
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Drops file in System32 directory
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\SysWOW64\ipconfig.exe
            ipconfig.exe /flushdns
            4⤵
            • Gathers network information
            PID:64
          • C:\Windows\SysWOW64\Tdshow.exe
            "C:\Windows\SysWOW64\Tdshow.exe"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3500

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\SysWOW64\Apachio.dll
      Filesize

      72KB

      MD5

      65adbe53fbcf4400c136d16d219bee34

      SHA1

      691411ab93c7e4dc9e5d3c0f22d15ceea0f3e9af

      SHA256

      335c2952101a2a1708099634c67b06d4d0da3e02d4c70149c21b14d507de0c88

      SHA512

      4ba299f761ec14be6828f4fac85403aae6798d89570333f8b18f1fbddf43d360b91365b6dd4247fefba0b199b1183e7df0675999a6d4e5e2a9c9eabb86dc55bf

      Download Submit

    • C:\Windows\SysWOW64\Tdshow.exe
      Filesize

      134KB

      MD5

      7e009efa6e0fe11f448444b8d94585d0

      SHA1

      aa9108a41850ad8e1b6143361c3eb9b06995fe80

      SHA256

      13c584e65f718cfe091257ffae4bf620446c2c817b3a9da692dbc98811b5cd90

      SHA512

      ad198b78d625a1cff78870bde0e090b4630eedf1fedaa4490546803c2c57819416436abb2227a8ef63cd3d4f5616e9d8febf19a7bbe196db2b46ab736f841ee4

      Download Submit

    • C:\Windows\SysWOW64\bd.ico
      Filesize

      16KB

      MD5

      72f12806a3e162badc789ca0171f8ef4

      SHA1

      93eccaa44beb8a61b291979573eb0d7b9e79a602

      SHA256

      c1080c54e44f7fdac41a98a628714d82b4df1e50d8e6f725a750e1443be3dd92

      SHA512

      10f6b36360a34d50aad767fd9cd276ab7a3515cb93b3cb44a0852013c4180216f809a8281e7e802c479102e3a6b905de3203c67f17f4ce532125bf52767d1fdc

      Download Submit

    • C:\Windows\SysWOW64\ldguard.dll
      Filesize

      120KB

      MD5

      e6d3086a8923481381d5d4d485f6a666

      SHA1

      1644e5dea9647786e239a92f52ab5cdbb08d2d5a

      SHA256

      590df1572f1108c7aa82a8425acd3425bf0b96264b7401e8284e0525edc92447

      SHA512

      3ae9497f60a8e10a2884dcf96ee04a0490304a18a755bd2c001f9c4d27857d75799c7e15bc0a53ff606fc47b23456bc3d3b4f171468cbbd3aa008f4fab946a8b

      Download Submit

    • C:\Windows\SysWOW64\yeipwmro.exe
      Filesize

      516KB

      MD5

      a16c972d094318c4f9cc6e9550daeb53

      SHA1

      02d5f9d5274257ab20ac6a657135f7248db50916

      SHA256

      505f6f1e7b1fcc12646a2a569dd31f6af4d05fee8109b8541c466b05fc6d94ad

      SHA512

      0ec6737a0524a3fa68b736c14f06092516dc787ae9870f6264019a807749ad8deaa11bfbceb71bd83f949e74f34828242685df46b28f60c812746e4508ee0dc2

      Download Submit

    • memory/2200-11-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2200-27-0x0000000002300000-0x0000000002320000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2200-42-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2200-46-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2200-58-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3500-39-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/3500-43-0x0000000000400000-0x0000000000453000-memory.dmp

      Filesize

      332KB

      Download

    • memory/4256-0-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/4256-10-0x0000000000400000-0x000000000056A000-memory.dmp

      Filesize

      1.4MB

      Download