Overview

overview

10

Static

static

8

0032588b8d...091.js

windows7_x64

1

0032588b8d...091.js

windows10_x64

1

09002c686e...2b.exe

windows7_x64

10

09002c686e...2b.exe

windows10_x64

10

0b1551c0be...16.exe

windows7_x64

1

0b1551c0be...16.exe

windows10_x64

1

1048caa70a...29.exe

windows7_x64

10

1048caa70a...29.exe

windows10_x64

10

1c3170b776...b0.exe

windows7_x64

3

1c3170b776...b0.exe

windows10_x64

3

240387329d...62.exe

windows7_x64

1

240387329d...62.exe

windows10_x64

1

2573b35645...9a.exe

windows7_x64

10

2573b35645...9a.exe

windows10_x64

10

2df6c36b47...51.exe

windows7_x64

7

2df6c36b47...51.exe

windows10_x64

7

2df6c36b47...1).exe

windows7_x64

7

2df6c36b47...1).exe

windows10_x64

7

2e4319ff62...8b.dll

windows7_x64

1

2e4319ff62...8b.dll

windows10_x64

3

2fba2aba4b...07.exe

windows7_x64

1

2fba2aba4b...07.exe

windows10_x64

1

3ed5d687a4...bd.exe

windows7_x64

3

3ed5d687a4...bd.exe

windows10_x64

3

4fc17a5cf8...d5.exe

windows7_x64

6

4fc17a5cf8...d5.exe

windows10_x64

6

5942a02bc0...d3.dll

windows7_x64

10

5942a02bc0...d3.dll

windows10_x64

10

6e7785213d...3d.exe

windows7_x64

8

6e7785213d...3d.exe

windows10_x64

8

83c64ed85d...a0.exe

windows7_x64

10

83c64ed85d...a0.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    15-03-2021 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe

  • Size

    270KB

  • MD5

    bcc1d244f31ebe1bd48e91671a902486

  • SHA1

    7803926b6bbb704ed8f63809d6635ae811bdbdc2

  • SHA256

    83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0

  • SHA512

    654161503f7c3ead23dad8ba37ebd3e56a8c41826a2ed82d7247b350e11cb5749996daaeb69af200f32c8a27716db09d18818b126d5df992b5e44f5d541c8933

Score
10/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Registers COM server for autorun 1 TTPs
    persistence
  • Executes dropped EXE 9 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 44 IoCs
  • Suspicious use of SendNotifyMessage 42 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe
    "C:\Users\Admin\AppData\Local\Temp\83c64ed85d0245b22a7fb1e1f529ccd4db58b49fc6cf656c8d56712fa0b9fea0.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe
      "C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe" /verysilent /FromStubInstall /OpenWebPage /RunApplication
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1968
      • C:\Users\Admin\AppData\Local\Temp\is-LCPAT.tmp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-LCPAT.tmp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.tmp" /SL5="$90054,29009203,505856,C:\Users\Admin\AppData\Local\Temp\BDFED914-D1FC-4308-8683-F3E750A4096E_boost-speed_setup.exe" /verysilent /FromStubInstall /OpenWebPage /RunApplication
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1008
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDoctorChecker.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3964
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDoctorChecker.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:4064
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\TaskManagerHelper.Agent.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3668
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\TaskManagerHelper.Agent.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3928
        • C:\Windows\system32\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\BrowserPluginsHelper.Agent.x64.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:1164
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Auslogics\BoostSpeed\BrowserPluginsHelper.Agent.x32.dll"
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:3888
        • C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe" /install /setscheduledefault /FromStubInstall /setautostart
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          PID:1188
        • C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDefrag.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\DiskDefrag.exe" /install
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          PID:3968
        • C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe
          "C:\Program Files (x86)\Auslogics\BoostSpeed\Integrator.exe" /FromStubInstall
          4⤵
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Checks computer location settings
          • Writes to the Master Boot Record (MBR)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3668
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabDashboard.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabDashboard.exe" /ShowTab:Main
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Checks computer location settings
            • Writes to the Master Boot Record (MBR)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3444
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabMyTasks.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabMyTasks.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3996
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabCareCenter.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabCareCenter.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Suspicious behavior: EnumeratesProcesses
            PID:3812
          • C:\Program Files (x86)\Auslogics\BoostSpeed\TabAllTools.exe
            "C:\Program Files (x86)\Auslogics\BoostSpeed\TabAllTools.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Drops file in Program Files directory
            • Suspicious behavior: EnumeratesProcesses
            PID:3272
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1008-29-0x000000000BDD1000-0x000000000BDE6000-memory.dmp

    Filesize

    84KB

    Download

  • memory/1008-11-0x0000000003381000-0x00000000033E5000-memory.dmp

    Filesize

    400KB

    Download

  • memory/1008-25-0x000000000BD90000-0x000000000BDB0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1008-32-0x000000000BE91000-0x000000000BEB1000-memory.dmp

    Filesize

    128KB

    Download

  • memory/1008-23-0x0000000003541000-0x00000000036F5000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1008-24-0x0000000003C21000-0x00000000041EF000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/1008-20-0x00000000034E1000-0x000000000351C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1008-8-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1008-39-0x0000000004880000-0x0000000004881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1164-63-0x00000000024C1000-0x000000000260A000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1188-89-0x0000000001A61000-0x000000000202F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/1188-86-0x0000000001A01000-0x0000000001A3C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/1188-91-0x00000000019E0000-0x00000000019E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1188-92-0x0000000003A10000-0x0000000003A11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1188-84-0x0000000000DF1000-0x0000000000EF2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1968-5-0x0000000000401000-0x0000000000412000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3272-128-0x0000000004880000-0x0000000004881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3272-127-0x0000000001630000-0x0000000001631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3272-122-0x0000000000BA1000-0x000000000116F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3272-121-0x0000000000B41000-0x0000000000B7C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3272-119-0x0000000000821000-0x0000000000922000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3444-108-0x0000000000D61000-0x0000000000D9C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3444-118-0x00000000019A0000-0x00000000019A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3444-120-0x0000000003690000-0x0000000003691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3444-106-0x0000000000A81000-0x0000000000B82000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3444-109-0x0000000000DC1000-0x000000000138F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3668-100-0x0000000000CC1000-0x0000000000DC2000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3668-101-0x0000000000FE1000-0x000000000101C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3668-102-0x0000000001041000-0x000000000160F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3668-103-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3668-104-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3812-124-0x0000000001720000-0x0000000001721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3812-126-0x0000000001740000-0x0000000001741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3812-113-0x0000000000911000-0x0000000000A12000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3812-117-0x0000000000C51000-0x000000000121F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3812-116-0x0000000000BF1000-0x0000000000C2C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3928-57-0x0000000002371000-0x0000000002377000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3968-98-0x0000000004910000-0x0000000004911000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3968-94-0x0000000000991000-0x0000000000A92000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3968-96-0x0000000000C71000-0x000000000123F000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3968-95-0x0000000000661000-0x000000000069C000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3968-97-0x00000000048F0000-0x00000000048F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3996-115-0x0000000000C01000-0x00000000011CF000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/3996-123-0x0000000003540000-0x0000000003541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3996-125-0x0000000003560000-0x0000000003561000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3996-112-0x0000000000BA1000-0x0000000000BDC000-memory.dmp

    Filesize

    236KB

    Download

  • memory/3996-111-0x00000000008C1000-0x00000000009C2000-memory.dmp

    Filesize

    1.0MB

    Download