Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 19:09
Behavioral task behavioral1
Sample: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Resource: win7-20240508-en
Behavioral task behavioral2
Sample: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Resource: win10v2004-20240426-en
General
Target: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Size: 10.2MB
MD5: 64868096512b6e0abee29d12645a9077
SHA1: c272a484aca1b52eca12fb565a36d19904fa8c1b
SHA256: 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9
SHA512: 61cd7bfd7cf959d31193c127a9de94694bdba6fbd5fda73ac24232c136dc49d34887ff983f0ca3a3f20887819730f20399b3ce84c29a79015d8b0e82292b8746
SSDEEP: 196608:D5IDVaHSbvxMVl1WDtyvJl2IMizYV0GRvZcDEYtOJzCLg+DJeCk8L+TtWLH:VIFvxW+tyhl2jahtWClzk8OOH
Malware Config
Signatures
Executes dropped EXE (1 IoC)
pid 2980, process certmgr.exe
Loads dropped DLL (2 IoCs)
pid 2584, process cmd.exe
pid 2584, process cmd.exe
yara_rule upx matched (17 IoCs)
behavioral1/memory/3016-14-0x0000000010000000-0x00000000106F0000-memory.dmp
behavioral1/memory/3016-22-0x0000000003BB0000-0x0000000003CEB000-memory.dmp
behavioral1/memory/3016-21-0x0000000003BB0000-0x0000000003CEB000-memory.dmp
behavioral1/memory/3016-19-0x0000000003BB0000-0x0000000003CEB000-memory.dmp
behavioral1/memory/3016-18-0x0000000010000000-0x00000000106F0000-memory.dmp
behavioral1/memory/3016-17-0x0000000010000000-0x00000000106F0000-memory.dmp
behavioral1/memory/2304-44-0x0000000004660000-0x000000000479B000-memory.dmp
behavioral1/memory/2304-43-0x0000000004660000-0x000000000479B000-memory.dmp
behavioral1/memory/2304-41-0x0000000004660000-0x000000000479B000-memory.dmp
behavioral1/memory/3048-61-0x0000000004560000-0x000000000469B000-memory.dmp
behavioral1/memory/3048-63-0x0000000004560000-0x000000000469B000-memory.dmp
behavioral1/memory/3048-64-0x0000000004560000-0x000000000469B000-memory.dmp
behavioral1/files/0x0036000000016cc3-68.dat
behavioral1/memory/2980-72-0x0000000001000000-0x0000000001016000-memory.dmp
behavioral1/memory/3048-75-0x0000000003590000-0x00000000035DB000-memory.dmp
behavioral1/memory/3048-76-0x0000000003590000-0x00000000035DB000-memory.dmp
behavioral1/memory/3048-73-0x0000000003590000-0x00000000035DB000-memory.dmp
yara_rule vmprotect matched (9 IoCs)
behavioral1/memory/3016-0-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3016-11-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3016-13-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3016-16-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3016-23-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/2304-33-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3016-35-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/3048-53-0x0000000000400000-0x0000000001C6F000-memory.dmp
behavioral1/memory/2304-56-0x0000000000400000-0x0000000001C6F000-memory.dmp
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
File opened for modification: \??\PhysicalDrive0, process 25EEE3~1.EXE
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
pid 3016, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
pid 2304, process 25EEE3~1.EXE
pid 3048, process 25EEE3~1.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
Key created: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Set value (int): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe = "7000", process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Set value (int): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\25EEE3~1.EXE = "7000", process 25EEE3~1.EXE
Key created: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Key created: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Key created: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
Modifies system certificate store
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E, process certmgr.exe
Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B47DABE24A4E3F9F808716BA294AB25F4B19B9E\Blob = (value not reproduced in the report), process certmgr.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid 3016, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
pid 2304, process 25EEE3~1.EXE
pid 3048, process 25EEE3~1.EXE (reported 4 times)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid 3016, process 25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe (reported 4 times)
pid 2304, process 25EEE3~1.EXE (reported 4 times)
pid 3048, process 25EEE3~1.EXE (reported 4 times)
Suspicious use of WriteProcessMemory (24 IoCs; each entry below is reported 4 times)
PID 3016 (25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe) wrote to memory of 2304, procid_target 28
PID 2304 (25EEE3~1.EXE) wrote to memory of 3048, procid_target 29
PID 3048 (25EEE3~1.EXE) wrote to memory of 2632, procid_target 30
PID 2632 (cmd.exe) wrote to memory of 2528, procid_target 32
PID 3048 (25EEE3~1.EXE) wrote to memory of 2584, procid_target 33
PID 2584 (cmd.exe) wrote to memory of 2980, procid_target 35
Processes
C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\25eee366bfc5df2863f171c9de0fe6c2ae899e0588fc5485a5be31a3fad93ac9.exe"
  PID: 3016
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
    command line: C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
    PID: 2304
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
      command line: C:\Users\Admin\AppData\Local\Temp\25EEE3~1.EXE
      PID: 3048
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c certutil -store AuthRoot
        PID: 2632
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\certutil.exe
          command line: certutil -store AuthRoot
          PID: 2528
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
        PID: 2584
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe
          command line: C:\Users\Admin\AppData\Local\Temp\ksywzs\certmgr.exe /c /add C:\Users\Admin\AppData\Local\Temp\ksywzs\kspt.crt /s /r localMachine AuthRoot
          PID: 2980
          - Executes dropped EXE
          - Modifies system certificate store
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 35KB
MD5: 53d93f81c9f18bb548d1d0d8ac9b0695
SHA1: f7a620e722eede78493fdf45942d958cdb753820
SHA256: 69ecd50e3a508f32dfc246523766a557fca61817e8e1fa71718fa66a1c2ae802
SHA512: 4b3b942bc429bb82d073f71f115c7b5ad66191f7c51c5066431be530f03fa24a90f06286a86c3864bcd6f06e017529507f209b276635af7c9bbc8dc44b333a18

Filesize: 1KB
MD5: dccaa52994def4f24a8dc7cfc5004a7a
SHA1: 797d1829abb4c83f1d756056a5533b02f4011402
SHA256: f14bf733e5584841b12cb9f4b4eb189649be6310324984af2242289dd31d5387
SHA512: 784aaeee8023f410eb9753b7080b57dca37a5e628311b5c9a24bb6f0db59f07ef674db0004e78da17b2e3007526ddafab1f1ac4524dd4b4095e43d74deeba6a9