Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    31/10/2024, 15:03

General

  • Target

    3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe

  • Size

    255KB

  • MD5

    7c3d7d46bf65848821f3b59d9d6aa5ce

  • SHA1

    b142bcc8d47ba993fade8673db45cf1e8235a759

  • SHA256

    3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3

  • SHA512

    e4baf0f2b443baf28da57597d0c3e29544d8b372eea27d186baed2d03d1fdbb87ff90b83f37a8c1fc2048161488e0e868630f677dcf78d7fd8a615a0f9b404c9

  • SSDEEP

    3072:OX5bx/ZvAtc0Udi+EhwPAD0JJa+tS5bRZnShxB6xY5LzqUC+8kz5m5pohjhEEn+Y:OBxL0HwPXtShRZSExgQDhuIy

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks for any installed AV software in registry 1 TTPs 3 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe
    "C:\Users\Admin\AppData\Local\Temp\3046e250f66eaeb477cb3ceca8b23bcf866e1187a6a7852a58aabd58ed8d30f3.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:772
    • C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe
      "C:\Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe" /cookie:mmm_aon_998_999_000_m:dlid_AVAST-ONE-FREE-WIN-HP /ga_clientid:8592bc03-3772-46fa-aa2c-3aab605f4c6d /edat_dir:C:\Windows\Temp\asw.207f1679667a49a7
      2⤵
      • Executes dropped EXE
      • Checks for any installed AV software in registry
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:2836

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\CabEE66.tmp

          Filesize

          70KB

          MD5

          49aebf8cbd62d92ac215b2923fb1b9f5

          SHA1

          1723be06719828dda65ad804298d0431f6aff976

          SHA256

          b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

          SHA512

          bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

        • \Windows\Temp\asw.207f1679667a49a7\avast_one_essential_setup_online_x64.exe

          Filesize

          10.6MB

          MD5

          4c13bc2b1caecbf324785475de2ef0ae

          SHA1

          98199b8679aca9c3adad8fe10b5c4a7a8f4c66db

          SHA256

          b817b1a59d48f02d34f28727db9956b932aa89660194289ba14f0a1911a63638

          SHA512

          fcb80682fd302a3f3df8ce1886eaf779e8504ef17dc73e1558bcf2758ae1436be6b29545b2fbe765b8a0d1a82ab459187253be05590a7bf7c22b08a252716c88