Overview

Tasks (task or sample, platform, score):
- overview: 8
- static: no score
- grldrinst.exe, windows7_x64: 1
- grldrinst.exe, windows10-2004_x64: 1
- grubinstGui2.exe, windows7_x64: 8
- grubinstGui2.exe, windows10-2004_x64: 8
- msvbvm60.dll, windows7_x64: 1
- msvbvm60.dll, windows10-2004_x64: 1
- mtldrinst.exe, windows7_x64: 1
- mtldrinst.exe, windows10-2004_x64: 1
- myvolume.dll, windows7_x64: 3
- myvolume.dll, windows10-2004_x64: 3
- 下载说明.htm, windows7_x64: 1
- 下载说明.htm, windows10-2004_x64: 1
- 使用帮...).url, windows7_x64: 1
- 使用帮...).url, windows10-2004_x64: 1
- 欢迎来...t2.doc, windows7_x64: 4
- 欢迎来...t2.doc, windows10-2004_x64: 1

Analysis
- max time kernel: 152s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:30
Static task
- static1

Behavioral tasks (task: sample, resource):
- behavioral1: grldrinst.exe, win7-20220414-en
- behavioral2: grldrinst.exe, win10v2004-20220414-en
- behavioral3: grubinstGui2.exe, win7-20220414-en
- behavioral4: grubinstGui2.exe, win10v2004-20220414-en
- behavioral5: msvbvm60.dll, win7-20220414-en
- behavioral6: msvbvm60.dll, win10v2004-20220414-en
- behavioral7: mtldrinst.exe, win7-20220414-en
- behavioral8: mtldrinst.exe, win10v2004-20220414-en
- behavioral9: myvolume.dll, win7-20220414-en
- behavioral10: myvolume.dll, win10v2004-20220414-en
- behavioral11: 下载说明.htm, win7-20220414-en
- behavioral12: 下载说明.htm, win10v2004-20220414-en
- behavioral13: 使用帮助(河东软件园).url, win7-20220414-en
- behavioral14: 使用帮助(河东软件园).url, win10v2004-20220414-en
- behavioral15: 欢迎来到 grubinst2.doc, win7-20220414-en
- behavioral16: 欢迎来到 grubinst2.doc, win10v2004-20220414-en
General
- Target: grubinstGui2.exe
- Size: 216KB
- MD5: 3b23e12bff983d52dbca22c700e9338a
- SHA1: 52dcde5bc8934ab70b76a21f6a559626129834c6
- SHA256: 974a20e3681cbedd1674c4fadacf1481e6e7f1985f69589caf37313464fa1a19
- SHA512: 991fd833b1a3363680fa35cf709c39a9bce426d6e6e0d0453b7fe263a5b0f2174f9eacdc8e03d468c6001e2b25f4eb1a27b391fcb05ad0237d6cab6397740426
Malware Config
Signatures
- Executes dropped EXE (11 IoCs)
  Processes (pid, process):
  1548 mtldrinst.exe; 5004 mtldrinst.exe; 1052 mtldrinst.exe; 1932 mtldrinst.exe; 4664 mtldrinst.exe; 4632 mtldrinst.exe; 4608 mtldrinst.exe; 1432 mtldrinst.exe; 4360 mtldrinst.exe; 204 mtldrinst.exe; 4816 mtldrinst.exe
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (description, ioc, process):
  File opened for modification; \??\PhysicalDrive0; mtldrinst.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  3572 grubinstGui2.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
Processes (tree; level shown in parentheses)
- C:\Users\Admin\AppData\Local\Temp\grubinstGui2.exe (1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\grubinstGui2.exe"
  Signatures: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd0) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd0)
      Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR)
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd1) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd1)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd2) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd2)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd3) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd3)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd4) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd4)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd5) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd5)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd6) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd6)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd7) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd7)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd8) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd8)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd9) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd9)
      Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\cmd.exe (2)
    Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd10) > C:\Users\Admin\AppData\Local\Temp\tempch.tmp
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe (3)
      Command line: C:\Users\Admin\AppData\Local\Temp\mtldrinst.EXE -l (hd10)
      Signatures: Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\mtldrinst.exe
  Filesize: 45KB
  MD5: a1d33b80e8d5b80ed549811fd3070018
  SHA1: 1967be963184532df6af0a126d26c6a9798a4ad6
  SHA256: fbc13115ccac312a521570df7818518ec3cc1c7f6d17dd98a44f17c96236c219
  SHA512: d9c9c6172d0804617abadab4bd3b50839baef013f8536b38d292345d9f07526d79ac7311a2b9c15a44fbb220b31282f857b97a1988e79f5878f9deeded322514
- C:\Users\Admin\AppData\Local\Temp\tempch.tmp
  Filesize: 96B
  MD5: 107fcbd4d9c40561fe52e5f95fc99c61
  SHA1: 180e0fde39d11d683ee621838a1b5275dcb6a743
  SHA256: c669aa6bd63c5772beabf37cf45f0e24de34df0474f39a8aabaee616165d45ce
  SHA512: 3f4a0c5d1fc162718a2f5dc7fb1aefa0fd040cdd9c079bc9f367aa2f19367229e843fe75a9e1984f27c7b746ec396bc1f1348074458e5e5923afc82f54b8994e