General

  • Target

    b1637f5279b2f5047ed81d5af27ba280cbeffe351e0818689b824ebea3c6119a

  • Size

    11.1MB

  • Sample

    210509-aa686nz89x

  • MD5

    5fabfcfdd5b433c8bc1d5fa82ba9c7d1

  • SHA1

    6ecfc1bb1278f642893085b6f6d3f480d3ccbc68

  • SHA256

    b1637f5279b2f5047ed81d5af27ba280cbeffe351e0818689b824ebea3c6119a

  • SHA512

    bb4318e4f7b2e8f3b9b388e97abceee30cfa7f47477d1416c7af561a2637a7c77e4ddee628aca616e986f0741bace86c1791198345b6f4123646b725632663d3

Malware Config

Targets

    • Executes dropped EXE

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks for any installed AV software in registry

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

MITRE ATT&CK Enterprise v6

Tasks