Analysis
- max time kernel: 142s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 02:41
Behavioral task: behavioral1
- Sample: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Resource: win10v2004-20240611-en
General
- Target: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Size: 10.4MB
- MD5: 806b4399e2524e0c38ea076a4f5c4154
- SHA1: 0e133677799df2506404dc4b6e992179bdbe9f3f
- SHA256: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f
- SHA512: 1d60fc9940e96efb0d8a1c8bede83842872fb981f4c3b8c7b74c38ca18c9ada92ea8262967128c951c1543a11f585244c6d45bc41ef8292a015036d651b8bc0b
- SSDEEP: 196608:KaUo1YyjJpXQlXZMJ0MowNZYx4S0BVoKLBFSlMDqAu7/1f6b+QFH2m5Yn10Cd:Kto1YaXQlXZw0M3zYy1oKDSlMLu7Ne/Q
Malware Config
Signatures
- UPX dump on OEP (original entry point), 32 IoCs
  Processes:
- Loads dropped DLL, 1 IoC
  Processes: PID 2064, process f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Writes to the Master Boot Record (MBR), 1 TTP, 1 IoC
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  description: File opened for modification; ioc: \??\PhysicalDrive0; process: f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Enumerates physical storage devices, 1 TTP
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of FindShellTrayWindow, 1 IoC
  Processes: PID 2064, process f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Suspicious use of SendNotifyMessage, 1 IoC
  Processes: PID 2064, process f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
- Suspicious use of SetWindowsHookEx, 5 IoCs
  Processes: PID 2064, process f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe (5 entries, all from this process)
- Suspicious use of WriteProcessMemory, 8 IoCs
  Processes (description; pid; process; target process):
  PID 2064 wrote to memory of 2500; 2064; f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe; nslookup.exe (4 entries)
  PID 2064 wrote to memory of 2896; 2064; f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe; nslookup.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\nslookup.exe (child process)
    Command line: nslookup -qt=TXT dlf.cps5.com
  - C:\Windows\SysWOW64\nslookup.exe (child process)
    Command line: nslookup -qt=TXT dlwebf.cps5.com
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- \Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
  Filesize: 10.6MB
  MD5: 50c266e46ccf9bc8956279f78d51f205
  SHA1: 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
  SHA256: c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
  SHA512: 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37
- memory/2064-24-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-55-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-28-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-0-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize: 12.3MB)
- memory/2064-54-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-53-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-52-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-49-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-47-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-45-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-43-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-40-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-38-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-36-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-34-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-30-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-32-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-22-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-5-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-20-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-18-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-16-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-14-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-12-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-10-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-9-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-8-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-7-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-56-0x000000007637F000-0x0000000076380000-memory.dmp (Filesize: 4KB)
- memory/2064-57-0x0000000076310000-0x0000000076410000-memory.dmp (Filesize: 1024KB)
- memory/2064-62-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize: 12.3MB)
- memory/2064-63-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize: 248KB)
- memory/2064-65-0x000000007637F000-0x0000000076380000-memory.dmp (Filesize: 4KB)
- memory/2064-66-0x0000000076310000-0x0000000076410000-memory.dmp (Filesize: 1024KB)
- memory/2064-68-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize: 12.3MB)
- memory/2064-71-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize: 12.3MB)