Analysis
-
max time kernel
146s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
26/05/2024, 09:46
Static task
static1
Behavioral task
behavioral1
Sample
d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe
Resource
win10v2004-20240226-en
General
-
Target
d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe
-
Size
6.0MB
-
MD5
0f122f52f5cb0721168a95cf3fe7742b
-
SHA1
d33d6bf44b4a39aad315b2b73706078b3938e713
-
SHA256
d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87
-
SHA512
2969dd8b3a0726b4cc2f1a7b3afbe830046608c68b8eea70b1a04a27c6abf3967af25c60532d1d954c0b69581c5afb78b55a426e49ce8f48cb3cd92072e6ca55
-
SSDEEP
98304:c0G1E13HhStHxV8ItdWEZ3Xy3cB27OgUWZHwuS2JBAUZLM:nGxV8It/JiY2sWpJVA
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe -
resource yara_rule behavioral2/memory/3264-1-0x00000000029D0000-0x00000000029DB000-memory.dmp upx behavioral2/memory/3264-2-0x00000000029D0000-0x00000000029DB000-memory.dmp upx behavioral2/memory/3264-3-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-4-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-32-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-36-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-35-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-47-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-45-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-43-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-41-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-39-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-30-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-27-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-24-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-22-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-20-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-48-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-18-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-14-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-12-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-10-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-5-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-8-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-6-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-28-0x0000000010000000-0x000000001003E000-memory.dmp upx behavioral2/memory/3264-16-0x0000000010000000-0x000000001003E000-memory.dmp upx -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3264 wrote to memory of 3904 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe 100 PID 3264 wrote to memory of 3904 3264 d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"C:\Users\Admin\AppData\Local\Temp\d0ef3ac26b3f606616d90c2484d947f2c32e451e49845ff6451a2ebb517cfe87.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://changkongbao.lanzouq.com/ikW9T1cfeg5e2⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:4012
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=3804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:3620
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5108 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:1424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:2980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=5436 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:3352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=3688 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:3272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6036 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:5084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5692 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:4296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5396 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:11⤵PID:1092
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5ef48d7cc52338513cc0ce843c5e3916b
SHA120965d86b7b358edf8b5d819302fa7e0e6159c18
SHA256835bfef980ad0cedf10d8ade0cf5671d9f56062f2b22d0a0547b07772ceb25a8
SHA512fd4602bd487eaad5febb5b3e9d8fe75f4190d1e44e538e7ae2d2129087f35b72b254c85d7335a81854aa2bdb4f0f2fa22e02a892ee23ac57b78cdd03a79259b9
-
Filesize
10KB
MD5b6bffed88dc920f4daccf1a83dbf7f8b
SHA19d6e4a7b272cb725a143a588e1fe7b0ca6374b0b
SHA25688e93194d4660d8c6f3f70591eef2e73ee460bbca08932cd7bec4393a6c7a36b
SHA512d603a3aca6149b8dba1a1c3ca84d09d39459c21e10d4ef25ea88807cd0901f5a749dd7f97d4d49a9211f099e689156bc9724a73ad1e73aa580d8680d6cf25d3e
-
Filesize
8KB
MD51d67dafae0fcabbdc7ffaa3095ca3b61
SHA16ea71d27c8bf64ff601585c961a65c1adc9d7775
SHA25651037184b477771ebe0558bed508315e05de95cb170a40a975d2326e97bfe88e
SHA512b1ebb5d6d68fd2c5372114494dca30eff6107e263313b8889c4ef9b3f2311d3fc0b557bbcefa6911547727eac0b345df904993561c5a6feb87426158a4684d71
-
Filesize
204B
MD51f176fd422d932b3f73c59cd0e8a4d0b
SHA1e944c5a2805bb8809ddef9402304a12e6d3a3751
SHA256f96f94e2c2d39b65dd9ca21a66abf75ed7b4c2d03bc703c5afc71fa1ea12669e
SHA5127b0b29b2e9f0e6730541d206fde7cd2a5318a227f67b25c56b3005acd30201d11cbec7ddcdd9ad2149981ae681adffa2b161e2588375447b4add74eaea7db225
-
Filesize
64B
MD549f36aa007f23eb6c74c4a2a1a3a33b1
SHA124bc012bf366135ed5b87fa1fae78d5a2995536f
SHA2562454bb119c52184d858ad28c30a7178102ede54731a482b7168f1528516dd4cb
SHA5126788124e3da25d19c0acc3f188d6e25c1eee4aaa3df0ba1aeac17a64eca3b487e6de745ad38d47aa9fa03ce1d55c7172cfd872831034da3d7aea86e88a449474
-
Filesize
211B
MD5be1ed890b76305de558c92cdec4ac2bb
SHA1f9886e1bcb55dcfcb06294141496d8ac9eb7e014
SHA256bad4ee5b9b63fd12da271a13eb1a7120a58ee3c5a4f95daef51fab68b87ba6cb
SHA5120060156b4a7fb18c5a1fd2018fe69d3a533e5c3b8d1f14920bfd6ab88ffedb799901a635a186e35f2aa605d3bcc502142363b63aad202b3928e77180e6d56dec
-
Filesize
225B
MD50e66900340fc19323c256461904893d9
SHA1daf382f14a93f5cc7a839f0d2914a7fe699cbbee
SHA2563c0466e79066d63e524f4b8f5423409a9fcfa769334cde7b1628d5f86265be10
SHA5122c446d717530e6e73c59f965b034ca9cd92409d5eeb2f60c9d001ef0f905e09864ab0448b929deea46a25bdab707ae61d45ab78c23cb37a6dc6c0eb85300b2b8