Analysis

  • max time kernel
    169s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2022 01:27

General

  • Target

    2c8406cceb353bae116d283f3aea53862bdad900f49bd33583cdab6df036c99d.exe

  • Size

    809KB

  • MD5

    027c75ff36cefd1a2fa149748e4a3861

  • SHA1

    c753ed6bea73f2aa39721a6ad15a22c82d6e3024

  • SHA256

    2c8406cceb353bae116d283f3aea53862bdad900f49bd33583cdab6df036c99d

  • SHA512

    d36d6f19c28c252d563edb57d58c49c0a25f3ac523d3cddff97ca5ef7fb2e6520148128ad2776427bbb44fd5a4ab0599086a1cd8e35093cbcde3c26aa3daf8ce

  • SSDEEP

    12288:L++ZN1QhEj0FK1e7fW+fFc7JpOpCZf2mKGubY354PE3u1YV6SU3Z3CssE7CyJdn9:XnehAzeLDFWtZf2hPE3ww6Zp3N66i

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 40 IoCs

    SCSI information is often read in order to detect sandboxing environments. In the process tree below this signature fires only on explorer.exe (PID 1204), not on the submitted sample or on the dropped privacy.exe, so here it is background activity of the Windows shell rather than sandbox evasion by the sample.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 53 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 34 IoCs
  • Suspicious use of FindShellTrayWindow 49 IoCs
  • Suspicious use of SendNotifyMessage 32 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
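The "Writes to the Master Boot Record (MBR)" signature above is the one worth verifying on a suspect host or disk image, because a bootkit survives reinstallation of the dropped executable. The script below is an added example and is not part of the sandbox report or of the sample: it parses sector 0, validates the 0x55AA boot signature, lists the partition entries and compares the bootstrap code (bytes 0..439) against a known-clean SHA-256. The baseline hash, the two sample sectors, the partition layout and the disk signature are constructed for this example; a real baseline must come from a clean snapshot of the same machine.

```python
"""Offline MBR integrity check (added example; not from the report or the sample).

Reads sector 0 from a raw device or forensic image, validates the structure and
compares the bootstrap code with a known-clean hash. All sample data below is
constructed so the script runs offline.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte Windows disk signature
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
PART_ENTRY_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def build_mbr(boot_code: bytes, disk_signature: int, partitions: list) -> bytes:
    """Assemble a 512-byte MBR; used only to construct the sample sectors below."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code exceeds 440 bytes")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_signature)
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def inspect_mbr(sector: bytes, baseline_bootcode_sha256: str) -> dict:
    """Parse an MBR and flag bootstrap code that differs from the clean baseline."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "bootcode_sha256": digest,
        "bootcode_modified": digest != baseline_bootcode_sha256,
        "partitions": partitions,
    }


def read_sector0(path: str) -> bytes:
    """Read sector 0 of an image file or a raw device (on Windows e.g. \\.\PhysicalDrive0, needs admin)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed clean baseline: a prologue typical of a standard MBR loader, zero padded.
CLEAN_BOOT_CODE = bytes.fromhex("fa33c08ed0bc007c") + b"\x00" * (BOOT_CODE_LEN - 8)
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 1048576)]   # one bootable NTFS-type partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, 0x1234ABCD, SAMPLE_PARTITIONS)

# Constructed post-infection sector: partition table untouched, bootstrap code replaced.
TAMPERED_BOOT_CODE = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)    # jmp $ plus nop filler
TAMPERED_MBR = build_mbr(TAMPERED_BOOT_CODE, 0x1234ABCD, SAMPLE_PARTITIONS)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = inspect_mbr(mbr, BASELINE_SHA256)
        print(label, "modified" if result["bootcode_modified"] else "matches baseline",
              result["partitions"])
```

Against a real image call `inspect_mbr(read_sector0("disk.img"), baseline)`. A changed bootstrap hash with an unchanged partition table is the footprint an MBR bootkit leaves: the loader is hooked while the disk layout stays intact so the system still boots.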

Processes

  • C:\Users\Admin\AppData\Local\Temp\2c8406cceb353bae116d283f3aea53862bdad900f49bd33583cdab6df036c99d.exe
    "C:\Users\Admin\AppData\Local\Temp\2c8406cceb353bae116d283f3aea53862bdad900f49bd33583cdab6df036c99d.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:5068
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4272
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2944
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2944 -s 4372
        3⤵
        • Program crash
        PID:4892
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4504
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:3340
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2600
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 480 -p 2944 -ip 2944
    1⤵
    PID:4248
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1204
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:1124
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1368
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3920
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1696
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:1380

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Registry Run Keys / Startup Folder, T1060 (2)
    • Bootkit, T1067 (1)
  • Defense Evasion
    • Modify Registry, T1112 (3)
  • Discovery
    • Query Registry, T1012 (2)
    • Peripheral Device Discovery, T1120 (2)
    • System Information Discovery, T1082 (3)

  The matrix uses ATT&CK v6 identifiers. T1060 and T1067 have since been retired; in current ATT&CK the same techniques are T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) and T1542.003 (Pre-OS Boot: Bootkit).

      Downloads

      • C:\ProgramData\privacy.exe
        Filesize

        802KB

        MD5

        3ca47fc665b4b9e26e48262135ad77d1

        SHA1

        3ee223f553fbbb538c859ba8e9adc71a311fff82

        SHA256

        50dcdb185106b601a4f746fa96d4d27b24aee24df66189972ce20a7269fe6b89

        SHA512

        25c4937b22285a58df915040d9f305ae3a35f1972f8e6fc4eb81af42b8a4a4aa5305e74705cda085054b284dd7c798a52c5868aad2918e17170cc9de89d845f6

      • C:\Users\Public\Desktop\Privacy Protection.lnk
        Filesize

        672B

        MD5

        18ff8ba265ca85e20133213dd143619e

        SHA1

        1769782b20d4ffa013b0f03b189b8b70ed56a32d

        SHA256

        38ebb3ad4d4e5bd8ba420edb13f3a53d18517bff8d23ee4e2c06690db20daa4e

        SHA512

        a4c60c035242a17b8a01f22b5e43abbb5b2e4061596451cd436a6c87fb3091041b311a1f28165bbadd7d44a6d173ba10ffa3d9a3da7e1a15ed0db694a0bcce76

      • memory/2944-141-0x0000000000000000-mapping.dmp
      • memory/3340-143-0x0000000000000000-mapping.dmp
      • memory/4272-134-0x0000000000000000-mapping.dmp
      • memory/4272-137-0x0000000000400000-0x0000000000AF0000-memory.dmp
        Filesize

        6.9MB

      • memory/4272-139-0x0000000002780000-0x0000000002787000-memory.dmp
        Filesize

        28KB

      • memory/4272-140-0x0000000000400000-0x0000000000AF0000-memory.dmp
        Filesize

        6.9MB

      • memory/4272-144-0x0000000000400000-0x0000000000AF0000-memory.dmp
        Filesize

        6.9MB

      • memory/5068-132-0x0000000000400000-0x00000000005B5000-memory.dmp
        Filesize

        1.7MB

      • memory/5068-133-0x00000000006C0000-0x00000000006C6000-memory.dmp
        Filesize

        24KB
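The dropped-file hashes and paths listed above, together with the "Adds Run key to start application" signature, are the host-side indicators to sweep for. The script below is an added example and is not part of the report: it hashes files and matches them against the report's MD5 and SHA-256 values, checks whether the dropped paths exist, and enumerates the HKCU and HKLM Run keys for values that point at the dropped executable or at a user-writable location. The report does not name the Run value, so the check matches on the target path; the "suspicious parent directory" heuristic and the test inputs are assumptions of this example, not facts from the report.

```python
"""Host sweep for the indicators in this report (added example; not from the report).

Matches file hashes against the report's values, checks the dropped paths and
inspects the Run keys. Registry access needs Windows; the hashing and
classification logic runs anywhere.
"""
import hashlib
import ntpath
import os
import re
from typing import Iterator, List, Optional, Tuple

try:
    import winreg                      # Windows only
except ImportError:
    winreg = None

# Hashes copied from the report above: original sample, dropped EXE, dropped shortcut.
REPORT_HASHES = {
    "2c8406cceb353bae116d283f3aea53862bdad900f49bd33583cdab6df036c99d": "original sample (sha256)",
    "50dcdb185106b601a4f746fa96d4d27b24aee24df66189972ce20a7269fe6b89": r"C:\ProgramData\privacy.exe (sha256)",
    "38ebb3ad4d4e5bd8ba420edb13f3a53d18517bff8d23ee4e2c06690db20daa4e": r"C:\Users\Public\Desktop\Privacy Protection.lnk (sha256)",
    "027c75ff36cefd1a2fa149748e4a3861": "original sample (md5)",
    "3ca47fc665b4b9e26e48262135ad77d1": r"C:\ProgramData\privacy.exe (md5)",
    "18ff8ba265ca85e20133213dd143619e": r"C:\Users\Public\Desktop\Privacy Protection.lnk (md5)",
}
DROPPED_PATHS = [r"C:\ProgramData\privacy.exe",
                 r"C:\Users\Public\Desktop\Privacy Protection.lnk"]
# Assumption of this example: autostart targets sitting directly in these directories are unusual.
SUSPICIOUS_PARENTS = {r"c:\programdata", r"c:\users\public", r"c:\windows\temp"}
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def hash_bytes(data: bytes) -> dict:
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_hashes(data: bytes, known: dict = REPORT_HASHES) -> List[str]:
    """Labels from the report whose hash equals this content under any algorithm."""
    return [known[d] for d in hash_bytes(data).values() if d in known]


def run_value_executable(command: str) -> str:
    """Executable part of a Run value: a quoted path is taken whole, an unquoted
    one is cut at the first space (Windows resolves unquoted paths the same way)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def classify_run_value(name: str, command: str) -> Optional[str]:
    """Reason string if a Run value looks like the persistence seen in the report, else None."""
    exe = ntpath.normpath(run_value_executable(command)).lower()
    if exe in {p.lower() for p in DROPPED_PATHS}:
        return f"{name}: points at dropped file {exe}"
    if ntpath.dirname(exe) in SUSPICIOUS_PARENTS or "\\temp\\" in exe:
        return f"{name}: autostart from user-writable location {exe}"
    return None


def enumerate_run_values() -> Iterator[Tuple[str, str, str]]:
    """Yield (hive, value name, command) from the HKCU and HKLM Run keys; empty off Windows."""
    if winreg is None:
        return
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:            # no more values
                    break
                yield hive_name, name, str(value)
                index += 1


def scan_host() -> List[Tuple[str, str]]:
    """Combine the three checks into a list of (where, finding) pairs."""
    findings = []
    for path in DROPPED_PATHS:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                labels = match_hashes(fh.read())
            findings.append((path, ", ".join(labels) or "present but hash differs from report"))
    for hive, name, command in enumerate_run_values():
        reason = classify_run_value(f"{hive}\\{RUN_SUBKEY}\\{name}", command)
        if reason:
            findings.append(("run-key", reason))
    return findings


if __name__ == "__main__":
    for where, finding in scan_host() or [("-", "no report indicators found")]:
        print(where, finding)
```

Run it as an administrator so the HKLM Run key and C:\ProgramData are readable. A path that exists but whose hash differs from the report is still worth pulling: the sample drops an 802KB executable that the report lists as distinct from the 809KB original, so a repacked variant would keep the path and change the hash.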