Analysis

  • max time kernel
    142s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-06-2024 02:41

General

  • Target

    f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe

  • Size

    10.4MB

  • MD5

    806b4399e2524e0c38ea076a4f5c4154

  • SHA1

    0e133677799df2506404dc4b6e992179bdbe9f3f

  • SHA256

    f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f

  • SHA512

    1d60fc9940e96efb0d8a1c8bede83842872fb981f4c3b8c7b74c38ca18c9ada92ea8262967128c951c1543a11f585244c6d45bc41ef8292a015036d651b8bc0b

  • SSDEEP

    196608:KaUo1YyjJpXQlXZMJ0MowNZYx4S0BVoKLBFSlMDqAu7/1f6b+QFH2m5Yn10Cd:Kto1YaXQlXZw0M3zYy1oKDSlMLu7Ne/Q

Signatures

  • UPX dump on OEP (original entry point) 32 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 32 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build (renamed sections, stripped markers).

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
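The UPX signatures above fire on structural traits of the packed file rather than on a byte signature. As an added example, not part of the sandbox report, the following Python parses a PE section table with the standard library and applies the checks a triage script would use: stock UPX0/UPX1 section names, a first section with no raw data but a large virtual size (the region the stub unpacks into), an entry point inside a writable and executable section (the decompression stub), and the "UPX!" marker. A modified UPX usually renames the sections and strips the marker, so the layout heuristics matter more than the name check. The PE bytes here are constructed by build_sample_pe() for the demonstration; the section layout and sizes are assumptions loosely modelled on a 12.3MB unpacked image, not values taken from this sample.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from PE32/PE32+ file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (same offset in PE32 and PE32+)
    table = opt + opt_size                                # section table follows the optional header
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return entry, sections


def upx_indicators(data):
    """List the UPX-style traits found; an empty list means none of the heuristics fired."""
    entry, sections = parse_pe(data)
    hits = []
    if any(s["name"].upper().startswith("UPX") for s in sections):
        hits.append("stock UPX section names")
    if sections and sections[0]["rawsize"] == 0 and sections[0]["vsize"] > 0:
        hits.append("first section is empty on disk but %#x bytes in memory (unpack target)"
                    % sections[0]["vsize"])
    ep_section = next((s for s in sections
                       if s["vaddr"] <= entry < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_section and ep_section["chars"] & IMAGE_SCN_MEM_WRITE and ep_section["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append("entry point in writable+executable section %r (unpacking stub)" % ep_section["name"])
    if b"UPX!" in data:
        hits.append("'UPX!' marker present")
    return hits


def build_sample_pe(section_specs, entry_point, trailer=b""):
    """Construct a header-only PE32 image (test data for this example, not the analysed sample)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224                                        # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
                     for name, vsize, vaddr, rawsize, rawptr, chars in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + trailer


# Constructed layouts (assumed values): a stock-UPX style file and an ordinary compiler output.
PACKED_PE = build_sample_pe([
    (b"UPX0", 0xC4B000, 0x001000, 0x00000, 0x00400, 0xE0000080),   # empty on disk, huge in memory
    (b"UPX1", 0x020000, 0xC4C000, 0x1F000, 0x00400, 0xE0000040),   # stub + compressed data, RWX
    (b".rsrc", 0x001000, 0xC6C000, 0x01000, 0x1F400, 0xC0000040),
], entry_point=0xC6B000, trailer=b"UPX!")
CLEAN_PE = build_sample_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x0400, 0x60000020),        # code, execute+read only
    (b".data", 0x0200, 0x2000, 0x0200, 0x1400, 0xC0000040),
], entry_point=0x1000)

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_PE), ("clean", CLEAN_PE)):
        print(label, upx_indicators(pe))
```

To run it on a real file, pass the file bytes: `upx_indicators(open(path, "rb").read())`. A hit on the name check alone is weak evidence; the empty-first-section and RWX-entry traits survive renaming and are what "modified UPX" detections rely on.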

Processes

  • C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe (PID 2064, depth 1)
    "C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe"
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\nslookup.exe (PID 2500, depth 2, child of 2064)
      nslookup -qt=TXT dlf.cps5.com
    • C:\Windows\SysWOW64\nslookup.exe (PID 2896, depth 2, child of 2064)
      nslookup -qt=TXT dlwebf.cps5.com
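Both child processes ask for TXT records, a record type that carries free-form text and is a common way to fetch a payload URL or configuration over DNS without an HTTP connection. As an added detection example that is not part of this report, the Python below runs over constructed Sysmon-style process-creation lines (the two nslookup commands, their PIDs and the parent path are the ones in the tree above; the tab-separated field layout and the benign cmd.exe lines are assumptions) and flags nslookup TXT queries, rating them high when the parent is not an interactive shell or lives in a user-writable location.

```python
import re

# nslookup accepts -qt=, -q=, -type= and -querytype= (case-insensitive) for the record type
TXT_QUERY = re.compile(r"(?i)(?:^|\s)-(?:qt|q|type|querytype)=txt\b")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_event(line):
    """Split a tab-separated key=value log line (assumed export format) into a dict."""
    event = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def queried_name(cmdline):
    """First non-option argument after the program name is the name being resolved."""
    for token in cmdline.split()[1:]:
        if not token.startswith("-"):
            return token.strip('"')
    return None


def analyze_event(event):
    """Return an alert dict for an nslookup TXT query, or None."""
    if event.get("EventID") != "1":                      # process creation only
        return None
    if not event.get("Image", "").lower().endswith("\\nslookup.exe"):
        return None
    cmdline = event.get("CommandLine", "")
    if not TXT_QUERY.search(cmdline):
        return None
    parent = event.get("ParentImage", "").lower()
    parent_name = parent.rsplit("\\", 1)[-1]
    suspicious_parent = (any(p in parent for p in USER_WRITABLE)
                         or parent_name not in INTERACTIVE_SHELLS)
    return {
        "pid": event.get("ProcessId"),
        "name": queried_name(cmdline),
        "parent": event.get("ParentImage"),
        "severity": "high" if suspicious_parent else "low",
    }


def detect_txt_lookups(lines):
    """Run the rule over raw log lines and return the alerts in input order."""
    alerts = []
    for line in lines:
        alert = analyze_event(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed log lines: the first two mirror the process tree above, the last two are benign admin activity.
SAMPLE_PARENT = r"C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe"
SAMPLE_LOG = [
    "\t".join(["EventID=1", "ProcessId=2500", r"Image=C:\Windows\SysWOW64\nslookup.exe",
               "CommandLine=nslookup -qt=TXT dlf.cps5.com", "ParentImage=" + SAMPLE_PARENT]),
    "\t".join(["EventID=1", "ProcessId=2896", r"Image=C:\Windows\SysWOW64\nslookup.exe",
               "CommandLine=nslookup -qt=TXT dlwebf.cps5.com", "ParentImage=" + SAMPLE_PARENT]),
    "\t".join(["EventID=1", "ProcessId=3100", r"Image=C:\Windows\System32\nslookup.exe",
               "CommandLine=nslookup -type=TXT _dmarc.example.com", r"ParentImage=C:\Windows\System32\cmd.exe"]),
    "\t".join(["EventID=1", "ProcessId=3104", r"Image=C:\Windows\System32\nslookup.exe",
               "CommandLine=nslookup example.com", r"ParentImage=C:\Windows\System32\cmd.exe"]),
]

if __name__ == "__main__":
    for alert in detect_txt_lookups(SAMPLE_LOG):
        print(alert["severity"], alert["pid"], alert["name"], "<-", alert["parent"])
```

The rule keys on the parent because nslookup itself is a legitimate tool; an interactive TXT lookup from cmd.exe (DMARC or SPF checks) is routine, while a TXT lookup spawned by an executable in %TEMP% is not. The queried names are worth keeping in the alert for pivoting to DNS logs, since the TXT answer content is not visible in process telemetry.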

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1
  • Defense Evasion
    • Pre-OS Boot (T1542): 1
      • Bootkit (T1542.003): 1
  • Discovery
    • System Information Discovery (T1082): 1
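The bootkit mapping rests on the single MBR write recorded above. As an added example that is not part of this report, here is a Python MBR parser and baseline comparison of the kind used during incident response: it decodes the 440-byte bootstrap area, the disk signature, the four partition entries and the 0x55AA boot signature, and reports which of those a later read differs in. Both sectors are constructed by build_mbr() (a baseline with a Windows-style bootstrap prologue, and a variant in which only the bootstrap code was replaced, which is what a bootkit typically changes while leaving the partition table intact); the partition values and disk signature are assumptions. read_mbr() shows the raw-device read on Windows, which needs administrator rights and is not exercised here.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440        # code area before the disk signature at 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE     # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE       # 0x55 0xAA


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 from a raw disk (Windows device path shown; requires administrator rights)."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(mbr):
    """Decode the fields of a classic MBR into a dict suitable for hashing and diffing."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                                   # unused slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def compare_mbr(baseline, current):
    """Names of the MBR components that differ between a known-good sector and a fresh read."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if a["bootstrap_sha256"] != b["bootstrap_sha256"]:
        diffs.append("bootstrap")
    if a["disk_signature"] != b["disk_signature"]:
        diffs.append("disk_signature")
    if a["partitions"] != b["partitions"]:
        diffs.append("partition_table")
    if a["valid_signature"] != b["valid_signature"]:
        diffs.append("boot_signature")
    return diffs


def build_mbr(bootstrap, disk_sig, partitions):
    """Construct a 512-byte MBR (test data for this example, not a sector from the analysed machine)."""
    mbr = bytearray(MBR_SIZE)
    code = bootstrap[:BOOTSTRAP_LEN]
    mbr[:len(code)] = code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(mbr)


# Constructed sectors (assumed values): a system-reserved NTFS partition and a boot NTFS partition.
BASELINE_PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41738240)]
# Windows-style prologue: xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax
BASELINE_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8", 0xDEADBEEF, BASELINE_PARTITIONS)
# Same partition table and disk signature, bootstrap code replaced (far jump plus filler)
BOOTKIT_MBR = build_mbr(b"\xEA\x00\x7C\x00\x00" + b"\x90" * 400, 0xDEADBEEF, BASELINE_PARTITIONS)

if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs bootkit: ", compare_mbr(BASELINE_MBR, BOOTKIT_MBR))
```

In practice the baseline is the bootstrap hash recorded at build time or taken from a known-clean host with the same boot loader version; a changed bootstrap with an unchanged partition table is the signature of an MBR bootkit rather than a repartitioning. On a live host the comparison must be run from outside the possibly compromised OS (or from a boot medium), since a bootkit that filters disk reads can return the original sector to in-OS tools.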


Downloads

  • \Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
    Filesize 10.6MB
    MD5 50c266e46ccf9bc8956279f78d51f205
    SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
    SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
    SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37

  • Memory dumps of PID 2064, named memory/2064-<index>-<start>-<end>-memory.dmp (the index is the capture order), grouped by region:
    • 0x0000000000400000-0x000000000104B000 (12.3MB, the region at the default image base 0x400000): dumps 0, 62, 68, 71
    • 0x0000000010000000-0x000000001003E000 (248KB): dumps 5, 7, 8, 9, 10, 12, 14, 16, 18, 20, 22, 24, 28, 30, 32, 34, 36, 38, 40, 43, 45, 47, 49, 52, 53, 54, 55, 63
    • 0x000000007637F000-0x0000000076380000 (4KB): dumps 56, 65
    • 0x0000000076310000-0x0000000076410000 (1024KB): dumps 57, 66