Overview

overview

8

Static

static

5

51bf33a62a...82.exe

windows7_x64

8

51bf33a62a...82.exe

windows10-2004_x64

8

Analysis

  • max time kernel
    78s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    24-05-2022 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe

  • Size

    3.3MB

  • MD5

    095408d1abc0817739b86c3e7e4d0dfd

  • SHA1

    161d670c99c1ede6f26f97f90532236a0f4a6415

  • SHA256

    51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182

  • SHA512

    c6ecb1dd97007e4a8ad3793a7ea040433bfd26b049540aa989542e9f4ff83417d1f60767441ff59f1236e6208e3eca4c739961c124329fda82da84b7f0d6afdd

Score
8/10
bootkitdiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • AutoIT Executable 6 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe
    "C:\Users\Admin\AppData\Local\Temp\51bf33a62aa0ea28abaf917f1f82da3823b2ea31e04c6d122a96f7dbde4a2182.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      "C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:1732
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:1980
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Users\Admin\AppData\Roaming\amd64_microsoft-windows-t..linetools.resources_31bf3856ad364e35_10.0.17763.1_ru-ru_beb9970b5fb42661" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
          4⤵
          • Modifies file permissions
          PID:468
    • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      "C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1716
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {E6915D9F-9E1E-4F33-9D29-7856677247E2} S-1-5-21-1819626980-2277161760-1023733287-1000:TBHNEBSE\Admin:Interactive:[1]
    1⤵
      PID:1060
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -startmediumtab -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1788

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Bootkit

    1
    T1067

    Privilege Escalation

    Defense Evasion

    File Permissions Modification

    1
    T1222

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    4
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
      Filesize

      1KB

      MD5

      353ea810c544d9b8d2c0abc88e93a655

      SHA1

      eb960990003221fab9efcf67e46732d831f77d39

      SHA256

      25a720f1fb0b266a93f9dc30c307066f9b8dca2bb334c4f0f5e208297eacb6e7

      SHA512

      5a43748ea7e51a0719c9bee698f96b2f03660b11ac839a3b6f8f8c7cd2e69699a1df7382b64e37293c4d98fd42dd9f22e72b4d2254cc2eae2afeb5042e4e3649

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
      Filesize

      1KB

      MD5

      2a9342e928868b3aa3cb44335e149475

      SHA1

      4528e096dd8f508a3f47bc98c6fe500be94cab63

      SHA256

      81a11d126e503c3c20af7f8456b464e0396685a9605bce321e68f2beafa05529

      SHA512

      3766a4e288cbb1933ad0586603dae0a24918460d50e9ad7f92df41edb599c1489f9ba2a28b1406709277bb6a446989605a74a6d0b547e5d53686ed51767b87c0

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      7e324aaf51c12f1c37930a2e777b64a5

      SHA1

      ad0fe3a12ea83e363701c1b5fa93e8221ed4f016

      SHA256

      f717891f0627e440d0dfc32f047ab7c8a3591b6095b2bbedd15f68d34bf6b0cd

      SHA512

      3b6b18dcef0fe78c2a585f890acaf8ea1e1c2078cea398f7d77f043614d076e208b584f4fb86815c17a8bd6e552d0ae5028f6d001e3bc7dc8679022ea9a9318a

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_CEC273363E767B922208DE98D79F0556
      Filesize

      540B

      MD5

      b53765bc3858cb0b3217058af53bf96d

      SHA1

      cd17af6e1fbba4f18735b7c6275b6ccd86053b39

      SHA256

      2fc8915beedd906eb62c009512b1ffac0b2c7959236d0f1b7f65342db4c839dc

      SHA512

      4c17d358e1c4f15d3ce815c785ab4c22aa8cedc8a0653d00dbbc5e33618fd32925b61204e3b24a48501c30f4ec34e944b905cabfcf72185d9416682356c2dc49

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
      Filesize

      492B

      MD5

      3700ac8141e18ffbef5750753d2030cc

      SHA1

      8c32b90871321fbd9f421dddcfe574961b17d486

      SHA256

      1baeaa4f0d617595080e3f369fc9d9618fe90e1338b3c0a46b74cdf05a0adaed

      SHA512

      60b50f85c4c3ecd2e5829fa96f0ee0c9135609e97fab7a1a6085a4de792e13ce57855331cd9496867440307feb5ed5b9ccd2359c933eceded01ba689bf2bae80

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\ezmz917\imagestore.dat
      Filesize

      5KB

      MD5

      d4fdc8b563572df0f7741eaa9d1b066c

      SHA1

      758cc0627f9a17e832ecc22e40536aa7b7c32c2a

      SHA256

      389456804517feffb9675f2fa2d89f7497758263c529857e947561e7a8d8de1d

      SHA512

      da8be00d506568cad0d5aa8fa1ea5ebb0f7da824537175da937a48fc331155f414f6a7f3ddb615e79edf346e762de42ca2312a0bf1e6d2d53b332a52d2c732c8

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0T0E51IR.txt
      Filesize

      606B

      MD5

      adbeba648fb1ccd99d5a59b1e0dc649b

      SHA1

      abca80212629e7077b331a12e5481f8f2be98ec1

      SHA256

      972b6d4e1c203ef16f9260be5d70e6b99f11433083b04c424d341beeffe41cd2

      SHA512

      068422d0a9009f314c612631a8827d8195cdbd5c44ee18096d6f63c819f69933b9ed40d6136be0014e7341d6ee09c3dba98f264113ff3758bff16ba98a14ec30

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0V6085XD.txt
      Filesize

      93B

      MD5

      616b8b5c152b5c017759f9cb7cb37918

      SHA1

      46d331f410b43541d7d293f0ea60137b7b7cee35

      SHA256

      74180da5e335090b46a41b282f4942f3edd1dc5f9379b951801261c26ea9b155

      SHA512

      f4c1d8a4b8eda5244a367a4f02f3f58b60b64d505e57b884ef4c14d312ecf6f85be5a0894868cbc64d46b54aa9233533a02c442ee6b8e56429a62b18872ebc14

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\CLIPPER.exe
      Filesize

      978KB

      MD5

      c19991ba8335387ae24c6cd7ef25e9d4

      SHA1

      6464ef5c79840112e56bd733b2fd6db599f46467

      SHA256

      bca3c1292b0beafbd725258334d59de4c97f4f8aca77bed161da7f1733d1a6fb

      SHA512

      f12d32dd3f2209f4a672b7efd8630f7a92f306a02031714bc3b73bb2ffadf070eb668d2b40b5eb884e67bdfdda256e13db390c7e994465989395fc182a80b2d3

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • \Users\Admin\AppData\Roaming\Z21754918\hardware.exe
      Filesize

      2.0MB

      MD5

      1c4a6c4af547084522341fd581796e7b

      SHA1

      465609a615eb247b83d011317943f30ceeb46904

      SHA256

      e1ae2039b5fa61865bdd9d46c12b9523ff96b52560d2232a12a36129b5621a1e

      SHA512

      186e80059859f885feb983e6f99c2e4c57fd50d7314716a3b28db31886bc88a583113e2c1ec3a1ec99de8a1fdd085f51492ba35945d852b12bfe90671a349068

      Download Submit
    • memory/468-73-0x0000000000000000-mapping.dmp
      Download
    • memory/536-54-0x0000000075B61000-0x0000000075B63000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1644-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1696-70-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-67-0x0000000000000000-mapping.dmp
      Download
    • memory/1732-71-0x0000000000000000-mapping.dmp
      Download
    • memory/1980-72-0x0000000000000000-mapping.dmp
      Download