Overview

overview

8

Static

static

8

3364d47625...ec.exe

windows7_x64

8

3364d47625...ec.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    150s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 03:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3364d476259221501252167627d3d9ae1bd0b488c4e68343593d94fea37a71ec.exe

  • Size

    5.0MB

  • MD5

    2747aa7b8dd712fdc6e2baeb9fa7b708

  • SHA1

    50d2875a2dcb62ab3ee2af662f804747f2e92dfb

  • SHA256

    3364d476259221501252167627d3d9ae1bd0b488c4e68343593d94fea37a71ec

  • SHA512

    83be96162542d7e35eb4b429b62c245264dcc14f4191b84a1973855a01854ac6c14858499cb879f0a02b145b221f97d30faecdf25f8079b60fa223fae2bb6c00

Score
8/10
bootkitpersistenceupx

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3364d476259221501252167627d3d9ae1bd0b488c4e68343593d94fea37a71ec.exe
    "C:\Users\Admin\AppData\Local\Temp\3364d476259221501252167627d3d9ae1bd0b488c4e68343593d94fea37a71ec.exe"
    1⤵
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Users\Admin\AppData\Roaming\WININST~140\ComInfo.dll
      C:\Users\Admin\AppData\Roaming\WININST~140\ComInfo.dll
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • NTFS ADS
      PID:1876
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~140\ShowDrive.dl_ *
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Users\Admin\AppData\Roaming\WININST~140\ShowDrive.dl_
        C:\Users\Admin\AppData\Roaming\WININST~140\ShowDrive.dl_ *
        3⤵
        • Executes dropped EXE
        • Enumerates connected drives
        PID:2148
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~140\ShowEFI.dl_
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4884
      • C:\Users\Admin\AppData\Roaming\WININST~140\ShowEFI.dl_
        C:\Users\Admin\AppData\Roaming\WININST~140\ShowEFI.dl_
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:1356
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\WININST~140\Getptw.dll -a/part
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Users\Admin\AppData\Roaming\WININST~140\Getptw.dll
        C:\Users\Admin\AppData\Roaming\WININST~140\Getptw.dll -a/part
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Suspicious behavior: EnumeratesProcesses
        PID:1472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1
T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

2
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WININST~140\ComInfo.dll
    Filesize

    368KB

    MD5

    d27d87f0f87816f71f6ffddbbbd34213

    SHA1

    ccc9192b3aa179033756fdd0e0b5210305cf870d

    SHA256

    7e9fba8991d7f901f671bfb38dbf81600c70e6f603b48b2e65f6745c178217f0

    SHA512

    bde4a6d8627027a9fc31e08975f07f9a01220806d8bce1c774204443d182cd454d74b2e11da21e0d74f9284ea3f84b4954507b0f40beadb996a7c9be8a6c8e10

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\ComInfo.dll
    Filesize

    368KB

    MD5

    d27d87f0f87816f71f6ffddbbbd34213

    SHA1

    ccc9192b3aa179033756fdd0e0b5210305cf870d

    SHA256

    7e9fba8991d7f901f671bfb38dbf81600c70e6f603b48b2e65f6745c178217f0

    SHA512

    bde4a6d8627027a9fc31e08975f07f9a01220806d8bce1c774204443d182cd454d74b2e11da21e0d74f9284ea3f84b4954507b0f40beadb996a7c9be8a6c8e10

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\Getptw.dll
    Filesize

    21KB

    MD5

    94d297ccb80b1f7940ea98ffdfc25257

    SHA1

    9461b88f14384e5e5a0dd0147552e81bf5dbfa1e

    SHA256

    dd4694e89ae067e49e4f9581782a277eb0fab052aa1539717fecf8449a872f75

    SHA512

    303f81ffc71d5aa8a8ce733c9104d5e4172c098a78f78baac001a90161493f21c907bc49dc28a6424596862deec9311e12bdd3d92df8ba08c041786b262b4256

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\Getptw.dll
    Filesize

    21KB

    MD5

    94d297ccb80b1f7940ea98ffdfc25257

    SHA1

    9461b88f14384e5e5a0dd0147552e81bf5dbfa1e

    SHA256

    dd4694e89ae067e49e4f9581782a277eb0fab052aa1539717fecf8449a872f75

    SHA512

    303f81ffc71d5aa8a8ce733c9104d5e4172c098a78f78baac001a90161493f21c907bc49dc28a6424596862deec9311e12bdd3d92df8ba08c041786b262b4256

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\ShowDrive.dl_
    Filesize

    4KB

    MD5

    63f0697283a67db3f50b440f142044ed

    SHA1

    ea3ceae6750d9a481bf88012adfab874bcb67f80

    SHA256

    09c07db40dacd999e726786fc9a8f5e37688d94997f2692da63746f417851f0f

    SHA512

    967ca158809ecfc2baf99092f425876e137842b96446ca4b5b61fb75a244e479e739049895289de70b7656e5fafd1cb792ac1ce5d8eeb015e6ede7224898a028

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\ShowDrive.dl_
    Filesize

    4KB

    MD5

    63f0697283a67db3f50b440f142044ed

    SHA1

    ea3ceae6750d9a481bf88012adfab874bcb67f80

    SHA256

    09c07db40dacd999e726786fc9a8f5e37688d94997f2692da63746f417851f0f

    SHA512

    967ca158809ecfc2baf99092f425876e137842b96446ca4b5b61fb75a244e479e739049895289de70b7656e5fafd1cb792ac1ce5d8eeb015e6ede7224898a028

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\ShowEFI.dl_
    Filesize

    19KB

    MD5

    5aadc3b8ad1735a7a0e89c574e90c50f

    SHA1

    7370502043a42d434632f7221fbea2a7062f1f84

    SHA256

    cfe2144727f11e2cfb42e64be6773ad58cd6f6036c3027a2b9aad2c40946734f

    SHA512

    3e1c83824e2e58378e5e48399959f75addd251a83d6f01612f37c647cb940a6afbd7fed935f62ee9a02d2bddfb806f212c948f93b10463cb61795970b774be3e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\WININST~140\ShowEFI.dl_
    Filesize

    19KB

    MD5

    5aadc3b8ad1735a7a0e89c574e90c50f

    SHA1

    7370502043a42d434632f7221fbea2a7062f1f84

    SHA256

    cfe2144727f11e2cfb42e64be6773ad58cd6f6036c3027a2b9aad2c40946734f

    SHA512

    3e1c83824e2e58378e5e48399959f75addd251a83d6f01612f37c647cb940a6afbd7fed935f62ee9a02d2bddfb806f212c948f93b10463cb61795970b774be3e

    Download Submit
  • memory/1356-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1472-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1876-130-0x0000000000000000-mapping.dmp
    Download
  • memory/2148-134-0x0000000000000000-mapping.dmp
    Download
  • memory/2244-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4344-141-0x0000000000000000-mapping.dmp
    Download
  • memory/4884-137-0x0000000000000000-mapping.dmp
    Download