Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 26/05/2024, 09:19
Static task: static1
Behavioral task: behavioral1
  Sample: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
  Resource: win10v2004-20240426-en
General
Target: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Size: 10.3MB
MD5: d2e8cfb12ce010eecd8ac33dae650027
SHA1: 3b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
SHA256: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
SHA512: d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8
SSDEEP: 196608:ScvijmrWdYtMEY1nxKU5ltd1VNTdfgxBD29qfHJhIdg6DnoVOX:ScvkuSDnzHd7SjCephIr
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
pid   Process
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
564   ²Ôñ·µÀ¶Ü.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2152  ²Ôñ·µÀ¶Ü.exe

resource                                                                  yara_rule
behavioral1/memory/2456-41-0x0000000000360000-0x0000000000368000-memory.dmp  upx
behavioral1/memory/2456-40-0x0000000000350000-0x000000000035B000-memory.dmp  upx
behavioral1/memory/2456-39-0x0000000000340000-0x000000000034B000-memory.dmp  upx
behavioral1/files/0x000100000000002e-143.dat                                 upx
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\F:  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
File opened (read-only)  \??\F:  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
File opened for modification  \??\PhysicalDrive0  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                    ²Ôñ·µÀ¶Ü.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  ²Ôñ·µÀ¶Ü.exe
Enumerates system info in registry (2 TTPs, 4 IoCs)
description        ioc                                                               Process
Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS                ²Ôñ·µÀ¶Ü.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  ²Ôñ·µÀ¶Ü.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   ²Ôñ·µÀ¶Ü.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       ²Ôñ·µÀ¶Ü.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid   Process
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Suspicious use of AdjustPrivilegeToken (17 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Token: SeDebugPrivilege  596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Suspicious use of FindShellTrayWindow (9 IoCs)
pid   Process
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Suspicious use of SendNotifyMessage (6 IoCs)
pid   Process
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Suspicious use of SetWindowsHookEx (6 IoCs)
pid   Process
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
Suspicious use of WriteProcessMemory (16 IoCs)
description                         pid   Process                                                                 procid_target
PID 2456 wrote to memory of 2712    2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  28
PID 2456 wrote to memory of 2712    2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  28
PID 2456 wrote to memory of 2712    2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  28
PID 2456 wrote to memory of 2712    2456  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  28
PID 2712 wrote to memory of 564     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  30
PID 2712 wrote to memory of 564     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  30
PID 2712 wrote to memory of 564     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  30
PID 2712 wrote to memory of 564     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  30
PID 2712 wrote to memory of 596     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  31
PID 2712 wrote to memory of 596     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  31
PID 2712 wrote to memory of 596     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  31
PID 2712 wrote to memory of 596     2712  1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  31
PID 596 wrote to memory of 2152     596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  32
PID 596 wrote to memory of 2152     596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  32
PID 596 wrote to memory of 2152     596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  32
PID 596 wrote to memory of 2152     596   1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe  32
Processes
1. C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2456

   2. F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
      Command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - Writes to the Master Boot Record (MBR)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2712

      3. F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe
         Command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"
         - Executes dropped EXE
         PID: 564

      3. F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
         Command line: F:\²Ôñ·µÀ¶Ü(΢¶Ë)\1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a.exe
         - Executes dropped EXE
         - Enumerates connected drives
         - Writes to the Master Boot Record (MBR)
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 596

         4. F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe
            Command line: "F:\²Ôñ·µÀ¶Ü(΢¶Ë)\²Ôñ·µÀ¶Ü.exe"
            - Executes dropped EXE
            - Checks processor information in registry
            - Enumerates system info in registry
            PID: 2152
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 10.3MB
MD5: d2e8cfb12ce010eecd8ac33dae650027
SHA1: 3b988d0bca1bf4dde9d3cce7ed9e03015a932e0e
SHA256: 1a2dcf169e541ba2d4ef4bed07e7c69e7c58b35cd28d07afad4cebfd115b145a
SHA512: d7764753a51b825ff66a89a7e18342d811fff40c7d0ca18b217f6dfc6b3e7a0c9446e7dd8266d4ce64eeb17acac66d8aaa9fedebf4018fc857bd66ca2d2f3fb8

Filesize: 53B
MD5: e5666f715e663e72dcfda51d9f4fea6f
SHA1: 93fc4cb8b23e7ad69d96b021ca74127394c668e8
SHA256: 5576df7017eea51de1039ea8b1a8576f0a0b1c65beb513cfcc6f27acf66bed7f
SHA512: d8230587cec9c05e5b096a6897086cae54307a19379e21ddd0db0681cd67ab5f170ae6b995d27f38dee12403f8412ef7f0c848e0985d145cbb563c5cc8b300cf

Filesize: 4.9MB
MD5: 3d962aa83c022d0cd5e6b62bcd42e03b
SHA1: 40ea7aaed96708e8796e0e95a8350cca7c481be9
SHA256: f029682c2a565d84f81af6710c65cf80e4fa3a0ae2ce83348c17bb9ae011895a
SHA512: 73fec89ac082f4c0713423c8ff89880130f9bebb084ac97ad52735b3501c35bc7da1c54a50d124e0dc18b0cc4a6eb04ca3b9b7b039816b63f261f3b1d3f91375