Overview

overview

7

Static

static

3

2ffabee429...f6.exe

windows7-x64

7

2ffabee429...f6.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 10:13

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2ffabee429da813d42aee31a6545abce82f184f56d2ededffa1f275c98ac49f6.exe

  • Size

    4.8MB

  • MD5

    fe62f8f45717bf57a8b66f2c8987cfc1

  • SHA1

    1fbc6221f3dc1e56af05470821fbe6dec3a35da6

  • SHA256

    2ffabee429da813d42aee31a6545abce82f184f56d2ededffa1f275c98ac49f6

  • SHA512

    e364ce4cebe7a0f930909b60840f24e5b6a649e1f58252e84fb7649d178c60b45d6314d8bae8092eee5befe6a790a6d9cb9a223d6eb60743977d549171551bba

  • SSDEEP

    98304:nXHfZysNkdeOVWB4PGrx2fEyMmzHJhYlRJb:nPx1dx2f9MmzHw3

Score
7/10
bootkitdiscoverypersistence

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 2 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ffabee429da813d42aee31a6545abce82f184f56d2ededffa1f275c98ac49f6.exe
    "C:\Users\Admin\AppData\Local\Temp\2ffabee429da813d42aee31a6545abce82f184f56d2ededffa1f275c98ac49f6.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2524 -s 912
      2⤵
      • Program crash
      PID:2764

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • \Users\Admin\AppData\Local\Temp\{D167187D-8260-4946-9858-3BB3D1D4B9E5}.tmp\7z.dll
          Filesize

          1.1MB

          MD5

          2706693dda10c6cc79eed24c56d4e5ef

          SHA1

          4f34ef1bd49273a0d260b9dab15c73eb0ccb6383

          SHA256

          0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3

          SHA512

          7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

          Download Submit

        • \Users\Admin\AppData\Local\Temp\{EB2470B7-941C-4523-8F8A-A1933D582F86}.tmp\NetBridge.dll
          Filesize

          231KB

          MD5

          9d145902fb5b9a6da62ac85761434e31

          SHA1

          c817d77f59e3767d75cf5f5298d6b5711308f7e5

          SHA256

          98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43

          SHA512

          bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

          Download Submit

        • memory/2524-28-0x0000000002640000-0x0000000002641000-memory.dmp

          Filesize

          4KB

          Download