527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb

Analysis

max time kernel
36s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
Size

772KB
MD5

243532bbc8c8b100de94534d97c5e4e9
SHA1

63cfa53fd88e18c314184516d0e817fe9dc02737
SHA256

527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb
SHA512

2917c3f52d55f3962a31ccdf10cbeec88fa50c35a0f12461f2925faade31713d26a1685f63bf07b946b5e599b338016b02401b6fd3a6e1e54c082119036dcf52
SSDEEP

12288:F/ezy90B4ilasnPRo/BpVxChgX1R9QLOPX6wgjCSPRfiuB8p:QyniEuREauXH9Qqv6wg2SJfj

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\CeeOnbo.exe	Xai.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\CeeOnbo.exe	Xai.exe

Executes dropped EXE 3 IoCs

pid	Process
1092	chrome.exe
604	Xai.exe
900	Xai.exe

Loads dropped DLL 7 IoCs

pid	Process
1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
1092	chrome.exe
1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
604	Xai.exe
604	Xai.exe
900	Xai.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Xai.exe

Drops autorun.inf file 1 TTPs 18 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\N:\autorun.inf	Xai.exe
File opened for modification	\??\A:\autorun.inf	Xai.exe
File opened for modification	\??\B:\autorun.inf	Xai.exe
File opened for modification	\??\H:\autorun.inf	Xai.exe
File opened for modification	\??\i:\autorun.inf	Xai.exe
File opened for modification	\??\K:\autorun.inf	Xai.exe
File opened for modification	\??\M:\autorun.inf	Xai.exe
File opened for modification	D:\autorun.inf	Xai.exe
File opened for modification	\??\E:\autorun.inf	Xai.exe
File opened for modification	\??\G:\autorun.inf	Xai.exe
File opened for modification	\??\P:\autorun.inf	Xai.exe
File opened for modification	\??\R:\autorun.inf	Xai.exe
File opened for modification	\??\Y:\autorun.inf	Xai.exe
File opened for modification	\??\L:\autorun.inf	Xai.exe
File opened for modification	\??\O:\autorun.inf	Xai.exe
File opened for modification	C:\autorun.inf	Xai.exe
File opened for modification	\??\F:\autorun.inf	Xai.exe
File opened for modification	\??\J:\autorun.inf	Xai.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\CeeOnbo.exe	Xai.exe
File created	C:\WINDOWS\SysWOW64\CeeOnbo.exe	Xai.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 604 set thread context of 900	604	Xai.exe	29

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Messenger\CeeOnbo.exe	Xai.exe
File opened for modification	C:\Program Files\WinRAR\CeeOnbo.exe	Xai.exe
File opened for modification	C:\Program Files\Messenger\CeeOnbo.exe	Xai.exe
File opened for modification	C:\Program Files\Internet Download Manager\CeeOnbo.exe	Xai.exe
File created	C:\Program Files\CeeOnbo.exe	Xai.exe
File opened for modification	C:\Program Files\CeeOnbo.exe	Xai.exe
File created	C:\Program Files\WinRAR\CeeOnbo.exe	Xai.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\CeeOnbo.exe	Xai.exe
File opened for modification	C:\WINDOWS\Help\CeeOnbo.exe	Xai.exe
File created	C:\WINDOWS\CeeOnbo.exe	Xai.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	Xai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	Xai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	Xai.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	Xai.exe
900	Xai.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
604	Xai.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 1092	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	27
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 1636 wrote to memory of 604	1636	527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe	28
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 604 wrote to memory of 900	604	Xai.exe	29
PID 900 wrote to memory of 1340	900	Xai.exe	12
PID 900 wrote to memory of 1340	900	Xai.exe	12
PID 900 wrote to memory of 1340	900	Xai.exe	12
PID 900 wrote to memory of 1340	900	Xai.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1340
- C:\Users\Admin\AppData\Local\Temp\527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe
  "C:\Users\Admin\AppData\Local\Temp\527d6ebb89a030e8b97bc4b0e9e91afb44537e7240d09c8c3b085b1c14f874cb.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1092
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe

Filesize
994KB

MD5
249d235e3b321a3cd07c658f9e985cb4

SHA1
39dc8488fedd3516e137a6edabf0dbb0f8666ede

SHA256
7645b9b4dbfe7c3d07f06355adb5ae39a71e64b8ff5335882769af5bd9a3f999

SHA512
4a2532cab3d734d73027a84394accebf60c52e193857801a89c9e126cf3c946648f50b65ac60553c15d8b8ef024b6681e2465e0ff7917f3f4e6b3889bb39ac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe

Filesize
994KB

MD5
249d235e3b321a3cd07c658f9e985cb4

SHA1
39dc8488fedd3516e137a6edabf0dbb0f8666ede

SHA256
7645b9b4dbfe7c3d07f06355adb5ae39a71e64b8ff5335882769af5bd9a3f999

SHA512
4a2532cab3d734d73027a84394accebf60c52e193857801a89c9e126cf3c946648f50b65ac60553c15d8b8ef024b6681e2465e0ff7917f3f4e6b3889bb39ac32

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\debug.log

Filesize
195B

MD5
24e382843fe09826463faf21460238e1

SHA1
9458ac48dd55da3d53f0d19ac4232bb81771bd59

SHA256
dc773b8041cb365df44ea34e6d5b6231c61c55cb00ad7387558dcb879aa0deaf

SHA512
a2b1aaaca698f495798f9aa4dc50143fd0e03564b2a29d07f15ebddeb8e96487397c4ed88a3ef33889b0c853403bff939272e2adce3cb07bc332aeb460571ae4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Xai.exe

Filesize
202KB

MD5
b23f55ab59d7a62a8760524581c09548

SHA1
5c2a21c489f5065c721ba24be3138dbc5fdd360a

SHA256
1639202e8846d8943c84d119041295a4c3353ccfe88f9a666f697ddfc2208c42

SHA512
3a24776862dd63401da66567c9fbc7a1f3e9dcf95e4f7949949d1203c0e586345fe3f0e232e889de2b4aace21fde45e8bf9ffe2d9d19c58ea154f902fb6360aa

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe

Filesize
994KB

MD5
249d235e3b321a3cd07c658f9e985cb4

SHA1
39dc8488fedd3516e137a6edabf0dbb0f8666ede

SHA256
7645b9b4dbfe7c3d07f06355adb5ae39a71e64b8ff5335882769af5bd9a3f999

SHA512
4a2532cab3d734d73027a84394accebf60c52e193857801a89c9e126cf3c946648f50b65ac60553c15d8b8ef024b6681e2465e0ff7917f3f4e6b3889bb39ac32

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\chrome.exe

Filesize
994KB

MD5
249d235e3b321a3cd07c658f9e985cb4

SHA1
39dc8488fedd3516e137a6edabf0dbb0f8666ede

SHA256
7645b9b4dbfe7c3d07f06355adb5ae39a71e64b8ff5335882769af5bd9a3f999

SHA512
4a2532cab3d734d73027a84394accebf60c52e193857801a89c9e126cf3c946648f50b65ac60553c15d8b8ef024b6681e2465e0ff7917f3f4e6b3889bb39ac32

Download Submit
memory/604-63-0x0000000000000000-mapping.dmp

Download
memory/604-79-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/604-69-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/900-73-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/900-74-0x0000000000407C89-mapping.dmp

Download
memory/900-81-0x0000000000400000-0x0000000000408960-memory.dmp

Filesize
34KB

Download
memory/900-85-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/1092-56-0x0000000000000000-mapping.dmp

Download
memory/1340-82-0x000000007FFF0000-0x000000007FFF7000-memory.dmp

Filesize
28KB

Download
memory/1636-68-0x0000000000350000-0x00000000003FE000-memory.dmp

Filesize
696KB

Download
memory/1636-54-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download