Overview

overview

10

Static

static

8

0032588b8d...091.js

windows7_x64

1

0032588b8d...091.js

windows10_x64

1

09002c686e...2b.exe

windows7_x64

10

09002c686e...2b.exe

windows10_x64

10

0b1551c0be...16.exe

windows7_x64

1

0b1551c0be...16.exe

windows10_x64

1

1048caa70a...29.exe

windows7_x64

10

1048caa70a...29.exe

windows10_x64

10

1c3170b776...b0.exe

windows7_x64

3

1c3170b776...b0.exe

windows10_x64

3

240387329d...62.exe

windows7_x64

1

240387329d...62.exe

windows10_x64

1

2573b35645...9a.exe

windows7_x64

10

2573b35645...9a.exe

windows10_x64

10

2df6c36b47...51.exe

windows7_x64

7

2df6c36b47...51.exe

windows10_x64

7

2df6c36b47...1).exe

windows7_x64

7

2df6c36b47...1).exe

windows10_x64

7

2e4319ff62...8b.dll

windows7_x64

1

2e4319ff62...8b.dll

windows10_x64

3

2fba2aba4b...07.exe

windows7_x64

1

2fba2aba4b...07.exe

windows10_x64

1

3ed5d687a4...bd.exe

windows7_x64

3

3ed5d687a4...bd.exe

windows10_x64

3

4fc17a5cf8...d5.exe

windows7_x64

6

4fc17a5cf8...d5.exe

windows10_x64

6

5942a02bc0...d3.dll

windows7_x64

10

5942a02bc0...d3.dll

windows10_x64

10

6e7785213d...3d.exe

windows7_x64

8

6e7785213d...3d.exe

windows10_x64

8

83c64ed85d...a0.exe

windows7_x64

10

83c64ed85d...a0.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    15-03-2021 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe

  • Size

    270KB

  • MD5

    bcc1d244f31ebe1bd48e91671a902486

  • SHA1

    7803926b6bbb704ed8f63809d6635ae811bdbdc2

  • SHA256

    83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0

  • SHA512

    654161503f7c3ead23dad8ba37ebd3e56a8c41826a2ed82d7247b350e11cb5749996daaeb69af200f32c8a27716db09d18818b126d5df992b5e44f5d541c8933

Score
10/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
    persistence
  • Executes dropped EXE 9 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe
    "C:\Users\Admin\AppData\Local\Temp\83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe" /verysilent /FromStubInstall /OpenWebPage /RunApplication
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:300
      • C:\Users\Admin\AppData\Local\Temp\is-28PHP.tmp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-28PHP.tmp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.tmp" /SL5="$20164,29009203,505856,C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe" /verysilent /FromStubInstall /OpenWebPage /RunApplication
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:816
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDoctorChecker.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1836
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDoctorChecker.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1564
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\TaskManagerHelper.Agent.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1196
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\TaskManagerHelper.Agent.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:928
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\BrowserPluginsHelper.Agent.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2004
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\BrowserPluginsHelper.Agent.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:416
        • C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe" /install /setscheduledefault /FromStubInstall /setautostart
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:2016
        • C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDefrag.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDefrag.exe" /install
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:872
        • C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe" /FromStubInstall
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks computer location settings
          • Writes to the Master Boot Record (MBR)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:308
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabDashboard.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabDashboard.exe" /ShowTab:Main
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1216
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabMyTasks.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabMyTasks.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:440
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabCareCenter.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabCareCenter.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:1484
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabAllTools.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabAllTools.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:584
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2336

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/300-9-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/308-104-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/308-103-0x0000000000380000-0x0000000000381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/440-111-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/440-113-0x0000000000580000-0x0000000000581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/584-120-0x00000000014F0000-0x00000000014F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/584-119-0x00000000003F0000-0x00000000003F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-36-0x0000000073C60000-0x0000000073E03000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/816-32-0x0000000002190000-0x0000000002191000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-27-0x000000000A0F0000-0x000000000A110000-memory.dmp

    Filesize

    128KB

    Download

  • memory/816-14-0x0000000000250000-0x0000000000251000-memory.dmp

    Filesize

    4KB

    Download

  • memory/816-23-0x0000000009E70000-0x0000000009E90000-memory.dmp

    Filesize

    128KB

    Download

  • memory/872-100-0x00000000013C0000-0x00000000013C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/872-99-0x00000000013A0000-0x00000000013A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1172-3-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1216-115-0x0000000000370000-0x0000000000371000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1216-116-0x00000000003A0000-0x00000000003A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1484-118-0x0000000001290000-0x0000000001291000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1484-117-0x0000000001230000-0x0000000001231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1656-96-0x000007FEF6AC0000-0x000007FEF6D3A000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1724-2-0x00000000761E1000-0x00000000761E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1836-42-0x000007FEFC601000-0x000007FEFC603000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2016-82-0x00000000009E0000-0x00000000009E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2016-83-0x0000000000A00000-0x0000000000A01000-memory.dmp

    Filesize

    4KB

    Download