Analysis

  • max time kernel
    6s
  • max time network
    6s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    08/08/2024, 06:47

Errors

Reason
Machine shutdown

General

  • Target
    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
  • Size
    1.2MB
  • MD5
    e0340f456f76993fc047bc715dfdae6a
  • SHA1
    d47f6f7e553c4bc44a2fe88c2054de901390b2d7
  • SHA256
    1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887
  • SHA512
    cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc
  • SSDEEP
    24576:/4GHnhIzOasqUgEOr69/BRH7dCibu+XoAX0eOTva49ttrSpt81ekHPyWe:AshdasJgEOrGBRxCihH7OO49rveMG

Malware Config

Signatures

  • Renames multiple (189) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe
    "C:\Users\Admin\AppData\Local\Temp\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\Users\Admin\81857530\protect.exe
      "C:\Users\Admin\81857530\protect.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2836
    • C:\Users\Admin\81857530\assembler.exe
      "C:\Users\Admin\81857530\assembler.exe" -f bin "C:\Users\Admin\81857530\boot.asm" -o "C:\Users\Admin\81857530\boot.bin"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2980
    • C:\Users\Admin\81857530\overwrite.exe
      "C:\Users\Admin\81857530\overwrite.exe" "C:\Users\Admin\81857530\boot.bin"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      PID:3020
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:692
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:1504

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\81857530\boot.asm
    Filesize: 825B
    MD5: def1219cfb1c0a899e5c4ea32fe29f70
    SHA1: 88aedde59832576480dfc7cd3ee6f54a132588a8
    SHA256: 91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581
    SHA512: 1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

  • C:\Users\Admin\81857530\boot.bin
    Filesize: 512B
    MD5: 90053233e561c8bf7a7b14eda0fa0e84
    SHA1: 16a7138387f7a3366b7da350c598f71de3e1cde2
    SHA256: a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2
    SHA512: 63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

  • C:\Users\Admin\Documents\WatchWait.xlsx.locked
    Filesize: 12KB
    MD5: 1b6699b2e2da6e4372cc7618fd1a2b5e
    SHA1: 34b0c8dc2b455a6716ec3d490826352484f325e7
    SHA256: 26d060839ece7d3b0267264d56692fb0995638884266c1f291c2419343902550
    SHA512: e82c8774c18a7eccb14b4e5b49fe815f415e27bd419ed43326ea62a5b9eb9fed4d489a0374fad2018debef1c79ab415e3b8bf046ec6c8773b1f450accfc9b1a5

  • \Users\Admin\81857530\assembler.exe
    Filesize: 589KB
    MD5: 7e3cea1f686207563c8369f64ea28e5b
    SHA1: a1736fd61555841396b0406d5c9ca55c4b6cdf41
    SHA256: 2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2
    SHA512: 4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

  • \Users\Admin\81857530\overwrite.exe
    Filesize: 288KB
    MD5: bc160318a6e8dadb664408fb539cd04b
    SHA1: 4b5eb324eebe3f84e623179a8e2c3743ccf32763
    SHA256: f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2
    SHA512: 51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

  • \Users\Admin\81857530\protect.exe
    Filesize: 837KB
    MD5: fd414666a5b2122c3d9e3e380cf225ed
    SHA1: de139747b42a807efa8a2dcc1a8304f9a29b862d
    SHA256: e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6
    SHA512: 9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

  • memory/528-0-0x0000000000C50000-0x0000000000EDE000-memory.dmp
    Filesize: 2.6MB

  • memory/528-239-0x0000000000C50000-0x0000000000EDE000-memory.dmp
    Filesize: 2.6MB

  • memory/692-240-0x0000000002D90000-0x0000000002D91000-memory.dmp
    Filesize: 4KB

  • memory/2980-38-0x0000000000400000-0x000000000049B000-memory.dmp
    Filesize: 620KB

  • memory/3020-48-0x0000000000400000-0x000000000043E000-memory.dmp
    Filesize: 248KB