Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
26-05-2024 09:19
General
-
Target
1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
-
Size
10.3MB
-
MD5
d2e8cfb12ce010eecd8ac33dae650027
-
SHA1
3b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
-
SHA256
1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
-
SHA512
d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8
-
SSDEEP
196608:ScvijmrWdYtMEY1nxKU5ltd1VNTdfgxBD29qfHJhIdg6DnoVOX:ScvkuSDnzHd7SjCephIr
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of FindShellTrayWindow 9 IoCs
-
Suspicious use of SendNotifyMessage 6 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"3⤵
- Executes dropped EXE
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exeF:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"4⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exeFilesize
10.3MB
MD5d2e8cfb12ce010eecd8ac33dae650027
SHA13b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
SHA2561a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
SHA512d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\Hero.iniFilesize
53B
MD5e5666f715e663e72dcfda51d9f4fea6f
SHA193fc4cb8b23e7ad69d96b021ca74127394c668e8
SHA2565576df7017eea51de1039ea8b1a8576f0a0b1c65beb513cfcc6f27acf66bed7f
SHA512d8230587cec9c05e5b096a6897086cae54307a19379e21ddd0db0681cd67ab5f170ae6b995d27f38dee12403f8412ef7f0c848e0985d145cbb563c5cc8b300cf
-
F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exeFilesize
4.9MB
MD53d962aa83c022d0cd5e6b62bcd42e03b
SHA140ea7aaed96708e8796e0e95a8350cca7c481be9
SHA256f029682c2a565d84f81af6710c65cf80e4fa3a0ae2ce83348c17bb9ae011895a
SHA51273fec89ac082f4c0713423c8ff89880130f9bebb084ac97ad52735b3501c35bc7da1c54a50d124e0dc18b0cc4a6eb04ca3b9b7b039816b63f261f3b1d3f91375
-
memory/2456-42-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-10-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2456-46-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-20-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/2456-18-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/2456-15-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/2456-13-0x00000000002E0000-0x00000000002E1000-memory.dmpFilesize
4KB
-
memory/2456-44-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-8-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2456-6-0x0000000000250000-0x0000000000251000-memory.dmpFilesize
4KB
-
memory/2456-5-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2456-3-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2456-43-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-32-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2456-36-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2456-34-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2456-41-0x0000000000360000-0x0000000000368000-memory.dmpFilesize
32KB
-
memory/2456-40-0x0000000000350000-0x000000000035B000-memory.dmpFilesize
44KB
-
memory/2456-39-0x0000000000340000-0x000000000034B000-memory.dmpFilesize
44KB
-
memory/2456-0-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-1-0x0000000000230000-0x0000000000231000-memory.dmpFilesize
4KB
-
memory/2456-25-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2456-23-0x0000000000300000-0x0000000000301000-memory.dmpFilesize
4KB
-
memory/2456-48-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-28-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2456-54-0x0000000004630000-0x000000000632A000-memory.dmpFilesize
29.0MB
-
memory/2456-56-0x000000000138C000-0x00000000016A6000-memory.dmpFilesize
3.1MB
-
memory/2456-55-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2456-31-0x000000000138C000-0x00000000016A6000-memory.dmpFilesize
3.1MB
-
memory/2456-30-0x0000000000310000-0x0000000000311000-memory.dmpFilesize
4KB
-
memory/2712-80-0x0000000000350000-0x0000000000351000-memory.dmpFilesize
4KB
-
memory/2712-75-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/2712-72-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/2712-70-0x0000000000330000-0x0000000000331000-memory.dmpFilesize
4KB
-
memory/2712-67-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2712-65-0x0000000000320000-0x0000000000321000-memory.dmpFilesize
4KB
-
memory/2712-62-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/2712-60-0x00000000002F0000-0x00000000002F1000-memory.dmpFilesize
4KB
-
memory/2712-138-0x0000000008DB0000-0x0000000008DC0000-memory.dmpFilesize
64KB
-
memory/2712-77-0x0000000000340000-0x0000000000341000-memory.dmpFilesize
4KB
-
memory/2712-229-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB
-
memory/2712-57-0x0000000000400000-0x00000000020FA000-memory.dmpFilesize
29.0MB