Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 09-11-2024 20:43
Static task: static1
Behavioral task: behavioral1
  Sample: bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
  Resource: win10v2004-20241007-en
General
Target: bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
Size: 4.5MB
MD5: a21ed58c0def06ab578b206a1a06443b
SHA1: a109d00b850d23a7857f97b118165c1efc961e76
SHA256: bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a
SHA512: 99c6ad00469e322dfc7b9a4fb050dcb40d913a5ca5535d708ab90c5cfdb136e150f7a128bc9648c15b6fa63a33eda603185c032deabba0c53aee71835099fbb2
SSDEEP: 98304:R5rVJK49wvMIcfRwa/yljpWRcohJBAUZLwWFh:Hrnt9ZRwljW5hJVXh
Malware Config
Signatures
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                   ioc                 process
  File opened for modification  \??\PhysicalDrive0  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                           process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ipconfig.exe
Gathers network information (2 TTPs, 1 IoCs)
Uses a command-line utility to view the network configuration.
Processes:
  pid   process
  2380  ipconfig.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
  pid   process
  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process                                                                process target
  PID 2644 wrote to memory of 2056  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe  cmd.exe
  PID 2644 wrote to memory of 2056  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe  cmd.exe
  PID 2644 wrote to memory of 2056  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe  cmd.exe
  PID 2644 wrote to memory of 2056  2644  bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe  cmd.exe
  PID 2056 wrote to memory of 2380  2056  cmd.exe                                                                ipconfig.exe
  PID 2056 wrote to memory of 2380  2056  cmd.exe                                                                ipconfig.exe
  PID 2056 wrote to memory of 2380  2056  cmd.exe                                                                ipconfig.exe
  PID 2056 wrote to memory of 2380  2056  cmd.exe                                                                ipconfig.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bb7d99844b3b116d8fda1333dacc9089f41f761ff9df4907bb13eb1c0f959f3a.exe"
   PID: 2644
   Signatures:
     Writes to the Master Boot Record (MBR)
     System Location Discovery: System Language Discovery
     Suspicious use of AdjustPrivilegeToken
     Suspicious use of SetWindowsHookEx
     Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ipconfig/all
      PID: 2056
      Signatures:
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\ipconfig.exe
         Command line: ipconfig /all
         PID: 2380
         Signatures:
           System Location Discovery: System Language Discovery
           Gathers network information