5557bc2b4439f7e348cc30dfab22714f051296d8906691256d1280715cb40825

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be8cfc2526efcc21da279e97faac0ccd.exe
Size

1.8MB
MD5

be8cfc2526efcc21da279e97faac0ccd
SHA1

cde7dc54797056c2afcb852fa178db49fa529657
SHA256

5557bc2b4439f7e348cc30dfab22714f051296d8906691256d1280715cb40825
SHA512

5951360882c7790700d6907dc9915f181f9446538cb44c03a59f0cf45b53d85a1ad05293b4b4c24c59771fe73fb6f1e0134968c640db8db3f610da3fe1f00bed
SSDEEP

49152:RMumM6xRN9GfpB9EbWMVjHg9/chd/ww1vQr/wi6LfUwRD:qZRSfprEW/0zisLtRD

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	ddqjh_wqeqd.exe

Loads dropped DLL 7 IoCs

pid	Process
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
2740	ddqjh_wqeqd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	ddqjh_wqeqd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3028	be8cfc2526efcc21da279e97faac0ccd.exe
3028	be8cfc2526efcc21da279e97faac0ccd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe
2740	ddqjh_wqeqd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2740	3028	be8cfc2526efcc21da279e97faac0ccd.exe	28
PID 3028 wrote to memory of 2740	3028	be8cfc2526efcc21da279e97faac0ccd.exe	28
PID 3028 wrote to memory of 2740	3028	be8cfc2526efcc21da279e97faac0ccd.exe	28
PID 3028 wrote to memory of 2740	3028	be8cfc2526efcc21da279e97faac0ccd.exe	28

C:\Users\Admin\AppData\Local\Temp\be8cfc2526efcc21da279e97faac0ccd.exe
"C:\Users\Admin\AppData\Local\Temp\be8cfc2526efcc21da279e97faac0ccd.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Roaming\mang2\ddqjh_wqeqd.exe
  "C:\Users\Admin\AppData\Roaming\mang2\ddqjh_wqeqd.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mang2\config.dll

Filesize
1.6MB

MD5
86d6bdfc762e0eb60606d8c227a9a50b

SHA1
0eb0f7cbceed4ba18be76108be2480693cb94d0c

SHA256
09a6579d86a8d7627229e336f846cfc71f5d76f0c5be92ee4125be719f659530

SHA512
4e83cf8ac1bd38058dd0d45e09282edf284f98639c7e25f70e69a3ac8686c585dfde6389ddb2c6617b0d102d6f9845817b565593ab61b8ff91c733aafe7b11a5

Download Submit
C:\Users\Admin\AppData\Roaming\mang2\config.ini

Filesize
363B

MD5
917ec9d7b3a7a0ad3e2ba8ef7e1c6668

SHA1
abed79adcd3a1e3db705fb2bdc6eddafb5f06e22

SHA256
d3897767261d7bdf9b3044189d66f2d554792d59650d12c46b3423e179e34c38

SHA512
3e07438e858b100e7255a8926927ea8cd716777e4f76a197c3c204982652b8ef8a1e69f2c804ed0dfea27f62ce4e96b8bd7b5ff2849bde25a0b22b9648680552

Download Submit
C:\Users\Admin\AppData\Roaming\mang2\config.ini

Filesize
382B

MD5
32009fa414ff392fa28a1fbc9118ae78

SHA1
fe211c12f8d58728304db2f705688fcb69bddeed

SHA256
f9cd288bdc3072944efb98800cc78b5eb907a2a3f863077d98e753e10720924b

SHA512
72014dbe9638d1dbdbce0440320044140b15e1f5137d2c08f734e5b493b1b16d06014840fc252ba8474ecb1459bc18a9d04f05722c77d95e6f50eb7e5aab5aa5

Download Submit
\Users\Admin\AppData\Local\Temp\nst19E9.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nst19E9.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
\Users\Admin\AppData\Roaming\mang2\ddqjh_wqeqd.exe

Filesize
31KB

MD5
c35a26f177a905feb02adbb2d7db5c00

SHA1
70f5a756fa020fedad901014206f4069cdd024c3

SHA256
362a34664946a5fe654fe5f3286392d88c256962a1a0dc4342dc4fd0db47f299

SHA512
79c62acc778f131ae4ab070c309a4452c2d84b22b06ca499e5bf158a80aff20f0c1fcbb810374f8c1b9b8314aecc52f7818e7a241d354c0675ac2e73e8c233c1

Download Submit
memory/3028-12-0x00000000003E0000-0x00000000003E3000-memory.dmp

Filesize
12KB

Download