e0e866b57a0767d237df3c54b9ced798a0407af00cc8a9f7d19c96fa66cd4e80 | Triage

Submit
Reports

Overview

overview

Static

static

VooVMeetin...sh.exe

windows7_x64

VooVMeetin...sh.exe

windows10-2004_x64

Sharing

General

Target

VooVMeeting_1410000197_3.3.5.510.publish.exe
Size

139.9MB
Sample

220525-r95nxafcer
MD5

f5a4eddee715fc8bb9f0ac6cd888edc2
SHA1

5c7b6fbceef08f8798251e8495007428d013dc29
SHA256

e0e866b57a0767d237df3c54b9ced798a0407af00cc8a9f7d19c96fa66cd4e80
SHA512

0f982bebce1d4337e1e42cda6f57140e0b985dd76be99de1a09bf2245dd41ca815dfdb7c0c0d5180eac5db00c6283378ac034b0866d32286f0e5897a50411a16

Score

10^/10

bootkit collection discovery persistence

Static task

static1

Behavioral task

behavioral1

Sample

VooVMeeting_1410000197_3.3.5.510.publish.exe

Resource

win7-20220414-en

bootkit collection discovery persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

VooVMeeting_1410000197_3.3.5.510.publish.exe

Resource

win10v2004-20220414-en

bootkit discovery persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  VooVMeeting_1410000197_3.3.5.510.publish.exe
- Size
  
  139.9MB
- MD5
  
  f5a4eddee715fc8bb9f0ac6cd888edc2
- SHA1
  
  5c7b6fbceef08f8798251e8495007428d013dc29
- SHA256
  
  e0e866b57a0767d237df3c54b9ced798a0407af00cc8a9f7d19c96fa66cd4e80
- SHA512
  
  0f982bebce1d4337e1e42cda6f57140e0b985dd76be99de1a09bf2245dd41ca815dfdb7c0c0d5180eac5db00c6283378ac034b0866d32286f0e5897a50411a16
Score

10^/10

bootkit collection discovery persistence
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitcollectiondiscoverypersistence

behavioral2

bootkitdiscoverypersistence

© 2018-2024

Terms | Privacy