accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe
Size

4.8MB
MD5

aa7f35ee80297c395aa123dfa0e61763
SHA1

3d2d1982f24ffd38918ce2db0180a3eb3692cd15
SHA256

accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d
SHA512

bc305144ad9bf239a19afeb08a9c2683db31d93d0d46596ee1cb8b836c86410f6777e9ecc0de5958f7f3dc5d2fc836f43cf5728fd3802aa985f74af25605bcc0
SSDEEP

98304:/Ittu8xEqIARodvGzPGGhRiCu/CVUdVEy9qMBNP/qxct8qgspGnqu6:AttRodOA4UdVEy9qMBNLtzD

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe
2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1924	2796	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 1924	2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe	30
PID 2796 wrote to memory of 1924	2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe	30
PID 2796 wrote to memory of 1924	2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe	30
PID 2796 wrote to memory of 1924	2796	accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe	30

C:\Users\Admin\AppData\Local\Temp\accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe
"C:\Users\Admin\AppData\Local\Temp\accbc757ec3c240af68a8ebf80e70505588b1e121072af3042bb27c2eff1f06d.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 728
  2⤵
  - Program crash
  PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\netul.dll

Filesize
1.9MB

MD5
b434b1eff14158cb7708d70478b4f89a

SHA1
3e1411c5d7a5cffcf3c0b998cc7ea0b187c90ffb

SHA256
e62f24419a4e9a511f95183a276b6eb27a685c64f37b9f2449ab993d33e9d708

SHA512
303809947f45576cee4690fc90a85840d805bc42da2a0737f9f64d58b4ad5b170c5b3cbc89e3d12b1d7d0d554f87d22bb33644a64ad587d201d7fb47d43b0b75

Download Submit
\Users\Admin\AppData\Local\Temp\{FE53DEE9-A69C-43a3-ABA3-8D8012859DE4}.tmp\7z.dll

Filesize
1.1MB

MD5
46a8c8e98929ee2a4be53587720f040e

SHA1
30d2388ca8432fa5f30f62177dbf3f3299030060

SHA256
37a8fa83a0cfe03114167ddf52c104be13f2374e2dc747e09ed7f4c65eeb0c75

SHA512
e5c52cb6f236ff1407a00510b259a0985b37603ddefaa0b14cd328ecbd809dee46f2584c5a99577dc4b13f2ee45d0c44d82f2006d4ddb547406fd42b65b05432

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads