Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2022 15:06
Static task: static1
Behavioral task: behavioral1
Sample: bootsvc.exe
Resource: win7-20220414-en
General
- Target: bootsvc.exe
- Size: 81KB
- MD5: 70bff3f4d233bacd4970bdcc2d9c1922
- SHA1: 1c12235447ded3e5909da1a54286ccc7e044eff7
- SHA256: 22c96890feb3ba58ca20a314d560e38f419f2eb2629b3c039b32815ec9539916
- SHA512: 34fb1bd76d2dea6cfb702662d30db5b3695659b7dcce65fd745cdc3f3c5298a8d1c6cf49ac582d8e38e1fce4ef01c924d3da2b97a10ee6e6d7ea9af0d650d032
Malware Config
Extracted family: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
- Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: bootsvc.exe (description, ioc, process)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (bootsvc.exe)
- UAC bypass
  Processes: bootsvc.exe (description, ioc, process)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bootsvc.exe)
- Windows security bypass
  Processes: bootsvc.exe (description, ioc, process)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (bootsvc.exe)
- suricata: ET MALWARE Cobalt Strike Beacon Observed
- suricata: ET MALWARE Cobalt Strike Beacon Observed
- YARA rule match: upx
  Processes (resource, yara_rule):
  - behavioral2/memory/3136-130-0x0000000002970000-0x00000000039FE000-memory.dmp (upx)
  - behavioral2/memory/3136-132-0x0000000002970000-0x00000000039FE000-memory.dmp (upx)
  - behavioral2/memory/3136-135-0x0000000002970000-0x00000000039FE000-memory.dmp (upx)
- Windows security modification
  Processes: bootsvc.exe (description, ioc, process)
  - Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (bootsvc.exe)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" (bootsvc.exe)
- Checks whether UAC is enabled
  Processes: bootsvc.exe (description, ioc, process)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bootsvc.exe)
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: bootsvc.exe (description, ioc, process)
  - File opened (read-only) by bootsvc.exe, in the order observed: \??\F:, \??\H:, \??\W:, \??\Y:, \??\N:, \??\P:, \??\Q:, \??\T:, \??\V:, \??\E:, \??\G:, \??\L:, \??\M:, \??\O:, \??\R:, \??\U:, \??\X:, \??\I:, \??\J:, \??\K:, \??\S:, \??\Z:
- Drops autorun.inf file (1 TTPs, 1 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  Processes: bootsvc.exe (description, ioc, process)
  - File opened for modification C:\autorun.inf (bootsvc.exe)
- Drops file in Program Files directory (11 IoCs)
  Processes: bootsvc.exe (description, ioc, process)
  - File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe (bootsvc.exe)
  - File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe (bootsvc.exe)
- Drops file in Windows directory (1 IoCs)
  Processes: bootsvc.exe (description, ioc, process)
  - File opened for modification C:\Windows\SYSTEM.INI (bootsvc.exe)
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: bootsvc.exe (pid, process)
  - 3136 bootsvc.exe (the same entry is listed 30 times)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: bootsvc.exe (description, pid, process)
  - Token: SeDebugPrivilege 3136 bootsvc.exe (the same entry is listed 64 times)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: bootsvc.exe (description, pid, process, target process)
  Distinct targets, in the order first observed:
  - PID 3136 wrote to memory of 800: bootsvc.exe -> fontdrvhost.exe
  - PID 3136 wrote to memory of 808: bootsvc.exe -> fontdrvhost.exe
  - PID 3136 wrote to memory of 64: bootsvc.exe -> dwm.exe
  - PID 3136 wrote to memory of 2648: bootsvc.exe -> sihost.exe
  - PID 3136 wrote to memory of 2716: bootsvc.exe -> svchost.exe
  - PID 3136 wrote to memory of 2792: bootsvc.exe -> taskhostw.exe
  - PID 3136 wrote to memory of 3144: bootsvc.exe -> Explorer.EXE
  - PID 3136 wrote to memory of 3248: bootsvc.exe -> svchost.exe
  - PID 3136 wrote to memory of 3440: bootsvc.exe -> DllHost.exe
  - PID 3136 wrote to memory of 3544: bootsvc.exe -> StartMenuExperienceHost.exe
  - PID 3136 wrote to memory of 3608: bootsvc.exe -> RuntimeBroker.exe
  - PID 3136 wrote to memory of 3692: bootsvc.exe -> SearchApp.exe
  - PID 3136 wrote to memory of 3976: bootsvc.exe -> RuntimeBroker.exe
  - PID 3136 wrote to memory of 3864: bootsvc.exe -> backgroundTaskHost.exe
  These 14 entries repeat in the same order (four full passes, then the first eight again) for a total of 64 entries.
- System policy modification (1 TTPs, 1 IoCs)
  Processes: bootsvc.exe (description, ioc, process)
  - Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (bootsvc.exe)
Processes
Each entry gives the image path followed by its command line; indentation shows the tree depth.
- C:\Windows\system32\dwm.exe
  "dwm.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- C:\Windows\Explorer.EXE
  C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\bootsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\bootsvc.exe"
    Signatures triggered by this process:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\sihost.exe
  sihost.exe
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3136-130-0x0000000002970000-0x00000000039FE000-memory.dmp (filesize 16.6MB)
- memory/3136-131-0x0000000000400000-0x000000000041A000-memory.dmp (filesize 104KB)
- memory/3136-132-0x0000000002970000-0x00000000039FE000-memory.dmp (filesize 16.6MB)
- memory/3136-133-0x0000000006AD0000-0x0000000006ED0000-memory.dmp (filesize 4.0MB)
- memory/3136-134-0x0000000006ED0000-0x0000000006F0E000-memory.dmp (filesize 248KB)
- memory/3136-135-0x0000000002970000-0x00000000039FE000-memory.dmp (filesize 16.6MB)