General

Target: c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
Filesize: 815KB
Completed: 20-05-2022 23:06
Task: behavioral1
Score: 6/10
MD5: 21ce894ccbef788a1b2af896e2aaf2a0
SHA1: 7ca645c7855bff3e2f1575d50f89a516b870d6de
SHA256: c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247
SHA512: 6fa7a28936d70d2b94a89443988d8a81fe3c3cf6a91500ebf02c6c3962126e0c2e1a219c485c5dc90bc7d815f15533414d184056e675e348061e11cb82e22993

Malware Config
Signatures 5

Defense Evasion
Persistence
  • Writes to the Master Boot Record (MBR)
    c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    TTPs: Bootkit

    Reported IOCs (process: c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe)

    Description                  | IOC
    -----------------------------|-------------------
    File opened for modification | \??\PhysicalDrive0
  • Modifies Internet Explorer settings
    c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe

    TTPs: Modify Registry

    Reported IOCs (process: c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe)

    Description     | IOC
    ----------------|----
    Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe = "11000"
    Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\NumberOfSubdomains = "1"
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com
    Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com\Total = "63"
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\7654.com
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage
    Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"
    Set value (int) | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\DOMStorage\news.7654.com\ = "63"
    Key created     | \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Internet Explorer\Main
  • Suspicious behavior: EnumeratesProcesses
    c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe

    Reported IOCs

    PID  | Process
    -----|--------
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
  • Suspicious use of FindShellTrayWindow
    c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe

    Reported IOCs

    PID  | Process
    -----|--------
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
  • Suspicious use of SetWindowsHookEx
    c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe

    Reported IOCs

    PID  | Process
    -----|--------
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    1788 | c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
Processes 1
  • C:\Users\Admin\AppData\Local\Temp\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe
    "C:\Users\Admin\AppData\Local\Temp\c8aeab9d69faff3486bbd01383f76f837ef7ac7f25d1b0088add95c8ec35a247.exe"
    Writes to the Master Boot Record (MBR)
    Modifies Internet Explorer settings
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SetWindowsHookEx
    PID:1788
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/1788-54-0x0000000075DB1000-0x0000000075DB3000-memory.dmp