Analysis

  • max time kernel
    141s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-06-2024 02:41

General

  • Target

    f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe

  • Size

    10.4MB

  • MD5

    806b4399e2524e0c38ea076a4f5c4154

  • SHA1

    0e133677799df2506404dc4b6e992179bdbe9f3f

  • SHA256

    f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f

  • SHA512

    1d60fc9940e96efb0d8a1c8bede83842872fb981f4c3b8c7b74c38ca18c9ada92ea8262967128c951c1543a11f585244c6d45bc41ef8292a015036d651b8bc0b

  • SSDEEP

    196608:KaUo1YyjJpXQlXZMJ0MowNZYx4S0BVoKLBFSlMDqAu7/1f6b+QFH2m5Yn10Cd:Kto1YaXQlXZw0M3zYy1oKDSlMLu7Ne/Q

Malware Config

Signatures

  • UPX dump on OEP (original entry point) 31 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 31 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe
    "C:\Users\Admin\AppData\Local\Temp\f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\nslookup.exe
      nslookup -qt=TXT dlf.cps5.com
      2⤵
        PID:5048
      • C:\Windows\SysWOW64\nslookup.exe
        nslookup -qt=TXT dlwebf.cps5.com
        2⤵
          PID:4452
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4192,i,2029050989380753659,15333598055019363793,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8
        1⤵
          PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Defense Evasion
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Discovery
    System Information Discovery (T1082): 1
Downloads

  • C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
    Filesize 10.6MB
    MD5 50c266e46ccf9bc8956279f78d51f205
    SHA1 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839
    SHA256 c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00
    SHA512 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37
  • memory/4956-33-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-53-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-8-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-29-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-51-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-52-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-54-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-27-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-49-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-47-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-45-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-43-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-41-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-23-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-35-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-0-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize 12.3MB)
  • memory/4956-15-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-6-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-40-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-21-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-20-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-18-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-13-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-11-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-10-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-9-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-37-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-31-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-25-0x0000000010000000-0x000000001003E000-memory.dmp (Filesize 248KB)
  • memory/4956-55-0x0000000076FC3000-0x0000000076FC4000-memory.dmp (Filesize 4KB)
  • memory/4956-60-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize 12.3MB)
  • memory/4956-62-0x0000000076FC3000-0x0000000076FC4000-memory.dmp (Filesize 4KB)
  • memory/4956-68-0x0000000000400000-0x000000000104B000-memory.dmp (Filesize 12.3MB)