Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/09/2024, 14:05

General

  • Target

    AspSWeb.exe

  • Size

    688KB

  • MD5

    3b12a13eedbe6e6816f3cb62baf8751a

  • SHA1

    d02c4b830efa1cbce5ec39f71a2290a4d9ccb7e9

  • SHA256

    e6a580c6ed95ffb1a29f4a862370db60ea2295d75e3100b987196361f403d187

  • SHA512

    071220c5c2d6d05fb79ae96a48069a18a698d983adef7f588ce7672dc16a380f1e180ba167d1c66bef76f5dc770bab3f66244d87f41d944252f69be919350cec

  • SSDEEP

    12288:7/JFZqYMOaQ0q9nV/zsnK23KHVI6nodVdyMLiqyVcxwtVxgpMiuzOT6:7BFZqhOBnVyK23C6OoYMLiVcKtVx4Mij

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Gathers network information 2 TTPs 1 IoCs

    Uses a command-line utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
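
The "Writes to the Master Boot Record (MBR)" signature is the one finding in this list that a responder has to verify outside the running OS, because a bootkit's MBR runs before Windows does. The following is an added example, not part of the sandbox report and not code from the sample: a small Python parser that splits a 512-byte MBR into the fields worth comparing (boot code hash, NT disk signature, partition table, 0x55AA signature) and diffs a suspect sector against a known-good baseline. The two boot-code byte strings are constructed for the example (the "clean" one is modelled on the opening instructions of a standard Windows MBR, the "tampered" one is an arbitrary stand-in); the disk signature and partition layout are likewise invented so the code runs offline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # classic MBR: 440 bytes of boot code, then 4-byte disk signature
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510-511 of any valid MBR

# Constructed boot-code prefixes (not read from the analysed VM). The first is
# modelled on the opening instructions of a standard Windows MBR (xor ax,ax /
# mov ss,ax / mov sp,7C00h ...); the second is an arbitrary stand-in for a
# bootkit's loader stub.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400")
TAMPERED_BOOT_CODE = bytes.fromhex("eb4c90b8c007")

# One 16-byte partition entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a 512-byte MBR with one bootable NTFS partition (constructed sample)."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_signature = bytes.fromhex("12345678")  # arbitrary NT disk signature for the sample
    reserved = b"\x00\x00"
    entry = PART_ENTRY.pack(0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    table = entry + b"\x00" * (16 * 3)          # three empty slots
    return boot_code + disk_signature + reserved + table + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into the fields a responder compares against a baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba_start, count = PART_ENTRY.unpack(sector[off:off + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == MBR_SIGNATURE,
    }


def compare_to_baseline(suspect: bytes, baseline: bytes) -> list:
    """Return findings where the suspect MBR departs from a known-good copy."""
    s, b = parse_mbr(suspect), parse_mbr(baseline)
    findings = []
    if not s["valid_signature"]:
        findings.append("MBR signature 0x55AA missing (sector corrupt or overwritten)")
    if s["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) differs from baseline")
    if s["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if s["partitions"] != b["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    baseline = build_sample_mbr(CLEAN_BOOT_CODE)
    tampered = build_sample_mbr(TAMPERED_BOOT_CODE)
    for label, sector in (("clean", baseline), ("tampered", tampered)):
        print(label, compare_to_baseline(sector, baseline) or ["no deviation from baseline"])
```

On the analysed machine the suspect sector is the first 512 bytes of the physical disk (on Windows, `open(r"\\.\PhysicalDrive0", "rb").read(512)` as administrator) or of the VM snapshot image, and the baseline comes from a pre-detonation snapshot or a clean install of the same build. Only the boot-code hash is comparable across machines; the disk signature and partition table are legitimately different per disk, so those two checks should be run only against a baseline taken from the same disk.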

Processes

  • C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe
    "C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c netstat /na
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\SysWOW64\NETSTAT.EXE
        netstat /na
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        • Suspicious use of AdjustPrivilegeToken
        PID:2688
    • C:\Windows\SysWOW64\TMPNB28.tmp
      C:\Windows\system32\TMPNB28.tmp -run C:\Users\Admin\AppData\Local\Temp\nb28.tmp
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2588
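
The process tree above is the part of this report that translates most directly into endpoint detection: a sample in %TEMP% drops a file with a .tmp extension into the SysWOW64 directory, executes it with a second Temp file as its `-run` argument, and separately shells out to `netstat /na` through `cmd /c`. The following is an added example, not part of the sandbox report: three rules over process-creation events, run against events constructed to mirror the tree shown (PIDs, image paths and command lines are taken from the report; the event layout is the example's own, and the parent of the submitted sample, which the report does not show, is given as 0).

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events modelled on the process tree in the report above. The
# field layout is this example's own, not the sandbox's export format; the
# parent of AspSWeb.exe is not in the report, so 0 stands in for it.
EVENTS = [
    ProcEvent(2776, 0, r"C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AspSWeb.exe"'),
    ProcEvent(2836, 2776, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c netstat /na"),
    ProcEvent(2688, 2836, r"C:\Windows\SysWOW64\NETSTAT.EXE", "netstat /na"),
    ProcEvent(2588, 2776, r"C:\Windows\SysWOW64\TMPNB28.tmp",
              r"C:\Windows\system32\TMPNB28.tmp -run C:\Users\Admin\AppData\Local\Temp\nb28.tmp"),
]

SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
TEMP_PATH = re.compile(r"[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
STANDARD_EXE_EXT = re.compile(r"\.(exe|com|scr)$", re.I)


def ancestry(pid, by_pid):
    """Image basenames from the given process up to the root we know about."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = ntpath.basename(e.image).lower()
        parent_name = ntpath.basename(parent.image).lower() if parent else ""
        chain = " <- ".join(ancestry(e.pid, by_pid))
        # Rule 1: an image inside a Windows system directory without a normal
        # executable extension (TMPNB28.tmp in SysWOW64).
        if SYSTEM_DIR.match(e.image) and not STANDARD_EXE_EXT.search(e.image):
            findings.append({"pid": e.pid, "rule": "nonstandard_extension_in_system_dir", "chain": chain})
        # Rule 2: a system-directory binary whose command line points at a file
        # in a user-writable Temp directory (nb28.tmp handed over via -run).
        if SYSTEM_DIR.match(e.image) and TEMP_PATH.search(e.cmdline):
            findings.append({"pid": e.pid, "rule": "system_dir_process_given_temp_file", "chain": chain})
        # Rule 3: netstat launched through cmd /c, the network-connection
        # discovery the report flags as "Gathers network information".
        if name == "netstat.exe" and parent_name == "cmd.exe":
            findings.append({"pid": e.pid, "rule": "netstat_via_cmd", "chain": chain})
    return sorted(findings, key=lambda f: (f["pid"], f["rule"]))


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f['pid']}: {f['rule']}  [{f['chain']}]")
```

Rules 1 and 2 are the ones worth keeping in a production ruleset; rule 3 on its own is noisy, since administrators run `netstat` from `cmd` routinely, and is useful mainly as corroboration when it shares an ancestor with a rule 1 or rule 2 hit, which the `chain` field makes visible (here all three trace back to AspSWeb.exe). Sysmon Event ID 1 records the same four fields (ProcessId, ParentProcessId, Image, CommandLine), so the events can be fed in from a real host with a one-line mapping.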

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nb28.tmp

    Filesize

    2KB

    MD5

    b9fabc9c8a8024d47651300032402d96

    SHA1

    f974e93bc3352b1e042ebdc6327cdc41e92d7ced

    SHA256

    e310a45cf5bda24644736a30880f1c2af8c3714831f14c25365ae12c30432a78

    SHA512

    6273d041544cf6c044d8b0fb19805fb8e407523de1b69af8ee77d80a7271cacab8abd752dd99351e7593388c87c0c94591f788c946343dfbd19436b431a9f7c4

  • \Windows\SysWOW64\TMPNB28.tmp

    Filesize

    633KB

    MD5

    3545fd00d2ba6c1c192b05bd75aa1f4f

    SHA1

    30fa4c33d66a073113d9d971baae38120d320601

    SHA256

    d6272081522372d09a11ca7c0825b8c6a743ba02b450cea1402c03a05f3e2159

    SHA512

    ab79f44e7c428ea0434bced04256174a7d87131ddef2488a71ca67e242bce9676cb88830779aa0a0c3d5b12e097bd32bb99a87c12a248329d9c8a52d777a1c85

  • memory/2588-13-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/2588-15-0x0000000074AB1000-0x0000000074AB2000-memory.dmp

    Filesize

    4KB

  • memory/2588-16-0x0000000074AB0000-0x0000000074AEB000-memory.dmp

    Filesize

    236KB

  • memory/2588-20-0x0000000000400000-0x0000000000597000-memory.dmp

    Filesize

    1.6MB

  • memory/2588-21-0x0000000074AB0000-0x0000000074AEB000-memory.dmp

    Filesize

    236KB

  • memory/2776-6-0x0000000003660000-0x00000000037F7000-memory.dmp

    Filesize

    1.6MB

  • memory/2776-11-0x0000000003660000-0x00000000037F7000-memory.dmp

    Filesize

    1.6MB