General

  • Target: 5164354715287552.zip
  • Size: 7.1MB
  • Sample: 210302-1b1ba2l1d2
  • MD5: bd5fc7268220a1e675a30b4e094c3878
  • SHA1: 29e816744c6065d23f16e114896bebd5c32c2631
  • SHA256: 6de6f09e3eedcc6788dc0e82bd5151d7f1d60684da062753453ee8fc92ef9438
  • SHA512: 73b327c694680dd29c05aa1516898ec05df8b75fef576d8bd3a626caa864b28025503059872379343abb9109778e9514d477678dadae6ea35eef60686f8ace5b

Score: 10/10

Malware Config

Extracted configs (eight records; each was recovered from deobfuscated PowerShell, language ps1, and each carries one URL of type exe.dropper):

  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mio.1
  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mio.4
  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mid.3
  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mio.1
  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mio.4
  • http://d2hrpnfyb3wv3k.cloudfront.net/provide?clients=131FE87CDBB64F6CF0472E3C44322407&reqs=visit.install
  • http://d2hrpnfyb3wv3k.cloudfront.net/provide?clients=131FE87CDBB64F6CF0472E3C44322407&reqs=visit.startload
  • http://dhxx2phjrf4w5.cloudfront.net/v4/gtg/heartdisk_qm00013?action=mid.3

Targets

  • Target: 17af39b94d7b43990fddfb2a1f761e5d3cfc5cfb0ebbe1b92f586d8ab77ee2d1
  • Size: 7.3MB
  • MD5: 0c935fa1f51f9d60e1fc1885a429e20c
  • SHA1: b2c968e2c465d12bb1db81b04a58125349df9086
  • SHA256: 17af39b94d7b43990fddfb2a1f761e5d3cfc5cfb0ebbe1b92f586d8ab77ee2d1
  • SHA512: 4cbcf97cd4b842f56ac82285cd0d21c8d140608c52ecc4076b43008dbe898cc2f9771b02de38e620fa043cc930d93fd454d41df6d3bb2991081d71e9cc6e495c

  Score: 10/10

  • Executes dropped EXE
  • Sets DLL path for service in the registry
  • Loads dropped DLL
  • Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
  • Writes to the Master Boot Record (MBR): bootkits write to the MBR to gain persistence at a level below the operating system.
  • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               | Technique                          | Count | ID
  ---------------------|------------------------------------|-------|------
  Execution            | Scheduled Task                     | 1     | T1053
  Persistence          | Registry Run Keys / Startup Folder | 1     | T1060
  Persistence          | Bootkit                            | 1     | T1067
  Persistence          | Scheduled Task                     | 1     | T1053
  Privilege Escalation | Scheduled Task                     | 1     | T1053
  Defense Evasion      | Modify Registry                    | 2     | T1112
  Defense Evasion      | Install Root Certificate           | 1     | T1130
  Discovery            | Query Registry                     | 1     | T1012
  Discovery            | Peripheral Device Discovery        | 1     | T1120
  Discovery            | System Information Discovery       | 2     | T1082

Tasks