faf0b906501ec9fd41ba46a920055eed58ff6fa5ef227e1feb42fb66bbf23ec1 | Triage

Submit
Reports

Overview

overview

8

Static

static

TencentMee...sh.exe

windows7_x64

8

TencentMee...sh.exe

windows10-2004_x64

8

Sharing

General

Target

TencentMeeting_0300000000_3.7.9.426.publish.exe
Size

148.1MB
Sample

220526-nnnlqaehcr
MD5

fe7d7cb3026cb7e537b947964cabd2c1
SHA1

c22094f75eb5c03fd53269c4deefafb26df58b0c
SHA256

faf0b906501ec9fd41ba46a920055eed58ff6fa5ef227e1feb42fb66bbf23ec1
SHA512

b3f257e60dae651a8d547ac16a87c4aa5a58f07b0aea0c536b6a5abe0b9d4e8f14d135097a380819e58d555eb7b2fa31565bc9ba263a23468032da5085adda41

Score

8^/10

bootkit discovery persistence

Static task

static1

Behavioral task

behavioral1

Sample

TencentMeeting_0300000000_3.7.9.426.publish.exe

Resource

win7-20220414-en

bootkit discovery persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

TencentMeeting_0300000000_3.7.9.426.publish.exe

Resource

win10v2004-20220414-en

bootkit discovery persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  TencentMeeting_0300000000_3.7.9.426.publish.exe
- Size
  
  148.1MB
- MD5
  
  fe7d7cb3026cb7e537b947964cabd2c1
- SHA1
  
  c22094f75eb5c03fd53269c4deefafb26df58b0c
- SHA256
  
  faf0b906501ec9fd41ba46a920055eed58ff6fa5ef227e1feb42fb66bbf23ec1
- SHA512
  
  b3f257e60dae651a8d547ac16a87c4aa5a58f07b0aea0c536b6a5abe0b9d4e8f14d135097a380819e58d555eb7b2fa31565bc9ba263a23468032da5085adda41
Score

8^/10

bootkit discovery persistence
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Modifies file permissions
  discovery
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

File Permissions Modification

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitdiscoverypersistence

behavioral2

bootkitdiscoverypersistence

© 2018-2024

Terms | Privacy