940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 02:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
Size

848KB
MD5

24dfb62c9d169cd000023f5b4afee161
SHA1

a0312218ea7eec4b4671bb5998bc0a8f5584b344
SHA256

940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9
SHA512

a5cf736a535d854400670b8a5065c1cb0481a21da986f8866f853f2e1acb4e8b508cd413f40405893a05bf8d9c4e1fe37adc8bbf278a4bc60f8f2926efa4d5dc
SSDEEP

24576:5zvr9fhwnu/cCE/85xbigwXvIepwZOMLn20zg:Rvl/ZzbiUBgMLn20s

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2064	sausage.exe
2020	sausage.exe

Loads dropped DLL 7 IoCs

pid	Process
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	sausage.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sausage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sausage.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe
2020	sausage.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2064	sausage.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2064	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	31
PID 2660 wrote to memory of 2064	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	31
PID 2660 wrote to memory of 2064	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	31
PID 2660 wrote to memory of 2064	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	31
PID 2660 wrote to memory of 2020	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	33
PID 2660 wrote to memory of 2020	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	33
PID 2660 wrote to memory of 2020	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	33
PID 2660 wrote to memory of 2020	2660	940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe	33

C:\Users\Admin\AppData\Local\Temp\940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe
"C:\Users\Admin\AppData\Local\Temp\940179d4c08efa4c19b30d24983371dca5c29bd319692c95c21199634a6b42c9.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Users\Admin\AppData\Roaming\sausage\sausage.exe
  "C:\Users\Admin\AppData\Roaming\sausage\sausage.exe" /ShowDeskTop
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2064
- C:\Users\Admin\AppData\Roaming\sausage\sausage.exe
  "C:\Users\Admin\AppData\Roaming\sausage\sausage.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\ÖîÉñÄ©ÈÕ.lnk

Filesize
864B

MD5
dec84cfc59cbbd860f5b7ffa9d8ecf03

SHA1
3abe1c29915d729f9d010f2c2f65f1ee43a70e2f

SHA256
2631d018f9958ef1edcceed5d0876a76b3a69d5b572381079e187fa176ec695d

SHA512
0d7f97c4f31f01f4de527cc3af6d426ba9cc50cb538706ac1d8d3e75af6a9aff22c332a760036c359133dc18e1c3b9fdae8d511b1fdd6ee460a512792b5fc962

Download Submit
C:\Users\Admin\AppData\Roaming\sausage\lander.ini

Filesize
396B

MD5
6a9259691314e3912d220411aaa6c9bc

SHA1
b54e64bd019cf94e91bca88464dcc1d995c8dfd8

SHA256
c50ba57c56b0baf033df6c23df5f40b25d92503af00e2071a2bacd7d82273c73

SHA512
41fddd4190f786ba94e938dc51c372606b261dc7bd93be0bedb6b94cdc7af14da55710319899cf5959847f216f70f22281e0c20184cd04a233c3853c4436ea36

Download Submit
C:\Users\Admin\AppData\Roaming\sausage\lander.ini

Filesize
415B

MD5
204bd078b012f41a0f52532e70397d3f

SHA1
67946d5afccc891409c6fd36d0a297234d582756

SHA256
e79de444c911d886b921c62306aa76181d706118d7792cdc148d75b7b8f6716e

SHA512
12c6afb2b6ceffe65a06c0edb087d4680ee4edc75ebc46646c0183c688e44e57803ff5c28af4bbf9a4b330f4430b0a14b008c8e22dab164a17ef6705714e66d8

Download Submit
C:\Users\Admin\AppData\Roaming\sausage\sausage.exe

Filesize
893KB

MD5
a6d32bcc508e2afb7488257d77ee6c2b

SHA1
9d2a0d5632740dfd1bcdf417b21dca58ce09043d

SHA256
a9b43714765e548752459c815338382df53e30c079aaba3564b5990cd89ef183

SHA512
be9b5b13348ce4728e62bf92e83e72563ffc3ce7fbfaae105e39ba88890b66ff5fe78df0d42f767abd832326a8f2027af2e51c6a5385bb640a4791fc20781074

Download Submit
\Users\Admin\AppData\Local\Temp\nst9B3.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
\Users\Admin\AppData\Local\Temp\nst9B3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/2660-13-0x00000000003D1000-0x00000000003D2000-memory.dmp

Filesize
4KB

Download
memory/2660-12-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download
memory/2660-71-0x00000000003D1000-0x00000000003D2000-memory.dmp

Filesize
4KB

Download
memory/2660-78-0x00000000003D0000-0x00000000003D3000-memory.dmp

Filesize
12KB

Download