Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 10:36
Static task
static1
Behavioral task
behavioral1
Sample
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
Resource
win10v2004-20240611-en
General
-
Target
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
-
Size
1012KB
-
MD5
c6754415c6cf116c9d588b42d9b53932
-
SHA1
a8e845a34ade1430669b9fe0592fb0586bb51e77
-
SHA256
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43
-
SHA512
d7f57f3b89cdd4d1ec334e900948e3dba4b0880830de91aabd3309a8c32aceac493d8462ce96a6e2d5f0535a567972803feeb8054a90a4e90a9118a1e8541929
-
SSDEEP
12288:OPppN1nwJrIWXoFQnUCcf7VxFssV8Uc2KD0fTMFz8eYwlfA2CdWxjFP7dxljI8wL:OrzmuV71TMFYOlfpfFPhxljI8w
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exepid process 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exedescription ioc process File opened for modification \??\PhysicalDrive0 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 51 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exepid process 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exepid process 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exedescription pid process Token: SeDebugPrivilege 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exepid process 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exedescription pid process target process PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2808 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe regsvr32.exe PID 1620 wrote to memory of 2668 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe Netsh.exe PID 1620 wrote to memory of 2668 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe Netsh.exe PID 1620 wrote to memory of 2668 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe Netsh.exe PID 1620 wrote to memory of 2668 1620 88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe Netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe"C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\system32\regsvr32.exe" C:\Windows\system32\regsvr32.exe /u /s "C:\Users\Admin\AppData\Local\Temp\DeskmgrShellExtx64.dll"2⤵
-
C:\Windows\SysWOW64\Netsh.exe"C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Tencent\DeskGo\DeskGoUninst_20240612103645.LogFilesize
6KB
MD5504f91f57777bd4627607d14db6fbb18
SHA1b9ba3d86410f2e9ff3d8ab07f7ba5ef25be34310
SHA256ff1dd094265dc8e7ac3cea200590ebfe5506f946fac45bdfa99ffc1e7573707b
SHA51284ca8294b058971a4780bebde1b6916b2041b8455e63c9d22f58897320c55189d27cba4717e58690675c4675fe394c19a2a3a9f8e80bc9d2af3c99daeb9b088a
-
C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txtFilesize
104B
MD5bb2bc660ceba457e96e328d6771f93cb
SHA15387c389561eee423fc284a887ae752d478e3dd6
SHA256c784f85e2d745af795236284f46b9c0a0cab51d8cd5dffc7d94e2421cefeae5c
SHA5126ced4915cd8988895bf9a8f96d75508f57a20b8f5f7952f09706bdc5c8dd651d0f2ea52397a370abd8a578215e7828dbffba36e695c80920475d859ba3de00a0
-
\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\dr.dllFilesize
427KB
MD568a34245c650829c613e9068bdc6f79d
SHA1f877ad637c2097915ba894fdccb1a596a52a726e
SHA256c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf
SHA5121c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe
-
memory/1620-84-0x0000000000A40000-0x0000000000B41000-memory.dmpFilesize
1.0MB