112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

Analysis

max time kernel
152s
max time network
50s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Size

454KB
MD5

69182c8b9c7417b5122e8f1cab557210
SHA1

85ab95a7f13951bb1002224fb10cd5e5f0999773
SHA256

112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079
SHA512

3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab
SSDEEP

12288:kbzq8pqz1uKSE9EzMTOBW1K3Dns9HeXrw5:uzuMrZzpW4Ds9HeXra

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1504	wininit.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-59-0x0000000000280000-0x0000000000290000-memory.dmp	upx
behavioral1/memory/2012-60-0x0000000000280000-0x0000000000290000-memory.dmp	upx
behavioral1/memory/1504-73-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/2012-76-0x0000000000280000-0x0000000000290000-memory.dmp	upx
behavioral1/memory/1504-77-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/1504-80-0x0000000000260000-0x0000000000270000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
File opened for modification	\??\PhysicalDrive0	wininit.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\ = "Dadiclir.Xiqomizno.Rajena Object"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\HELPDIR	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\ProgID	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\0\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\FLAGS\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\25"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\FLAGS\ = "4"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\Programmable	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\0\win32\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\TypeLib\ = "{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\ProgID\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\ProgID\ = "LocationDisp.DispCivicAddressReport.1"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\ = "GrooveStorageSecurityContextPrivate"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\0	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\FLAGS	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\InprocServer32	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\InprocServer32\ = "%SystemRoot%\\SysWow64\\LocationApi.dll"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\0\win32	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\HELPDIR\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\TypeLib	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\VersionIndependentProgID	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\VersionIndependentProgID\ = "LocationDisp.DispCivicAddressReport"	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\InprocServer32\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\Programmable\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\TypeLib\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F8CF594-4896-47D7-23A3-D44EABAA890D}\VersionIndependentProgID\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2D66CC9C-C2BF-92B5-D55E-2AAAAE4486E9}\1.0\	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 904	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	28
PID 2012 wrote to memory of 904	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	28
PID 2012 wrote to memory of 904	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	28
PID 2012 wrote to memory of 904	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	28
PID 2012 wrote to memory of 1504	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	30
PID 2012 wrote to memory of 1504	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	30
PID 2012 wrote to memory of 1504	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	30
PID 2012 wrote to memory of 1504	2012	112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe	30
PID 1504 wrote to memory of 1476	1504	wininit.exe	31
PID 1504 wrote to memory of 1476	1504	wininit.exe	31
PID 1504 wrote to memory of 1476	1504	wininit.exe	31
PID 1504 wrote to memory of 1476	1504	wininit.exe	31

C:\Users\Admin\AppData\Local\Temp\112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe
"C:\Users\Admin\AppData\Local\Temp\112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:904
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
454KB

MD5
69182c8b9c7417b5122e8f1cab557210

SHA1
85ab95a7f13951bb1002224fb10cd5e5f0999773

SHA256
112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

SHA512
3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab

Download Submit
\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
454KB

MD5
69182c8b9c7417b5122e8f1cab557210

SHA1
85ab95a7f13951bb1002224fb10cd5e5f0999773

SHA256
112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

SHA512
3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
454KB

MD5
69182c8b9c7417b5122e8f1cab557210

SHA1
85ab95a7f13951bb1002224fb10cd5e5f0999773

SHA256
112087c8e7c0af5c1a1e7f09856010ca50c7129ca715df67c437fda0109da079

SHA512
3fdc78f171c4a43eaab1ea30756757abfc5635a02eed47bc83645ac749d3a6d7894b7fb50478e162474c54ca0048864640bd51fd4247ac58c35d4209ed7c80ab

Download Submit
memory/904-57-0x0000000000000000-mapping.dmp

Download
memory/1476-71-0x0000000000000000-mapping.dmp

Download
memory/1504-73-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1504-63-0x0000000000000000-mapping.dmp

Download
memory/1504-80-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1504-79-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1504-77-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1504-68-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1504-69-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/2012-59-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2012-54-0x00000000001E0000-0x00000000001F1000-memory.dmp

Filesize
68KB

Download
memory/2012-74-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/2012-75-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2012-76-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2012-67-0x0000000002450000-0x00000000025A5000-memory.dmp

Filesize
1.3MB

Download
memory/2012-56-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2012-66-0x0000000002450000-0x00000000025A5000-memory.dmp

Filesize
1.3MB

Download
memory/2012-60-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download