030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Size

392KB
MD5

5c5208cf7e3c9a2709932932eb054010
SHA1

2a956e9870aed81cd456f5ffe6533750455e5060
SHA256

030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4
SHA512

764b0cbeef1ce4ae3f8765d7ea7eba5b570c6b4338e58677d1351ea26ebad3a2c538ec345b6725162f0e98eb252a4aad47aba4f88464cba1ebda97badfdf39db
SSDEEP

6144:q/fSAZL+95MNqWyzuna26X7xkvF3k+zxS3W34FZWrBIx:Ki6NqWAnp7xkvF3k+BMUk

Score

10^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lsass.exe"	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lsass.exe"	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lsass.exe"	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe

Executes dropped EXE 3 IoCs

pid	Process
228	lsass.exe
1328	lsass.exe
3488	lsass.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4320	netsh.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lsass.exe"	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSWUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\lsass.exe"	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
File opened for modification	\??\PhysicalDrive0	lsass.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 760 set thread context of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 228 set thread context of 1328	228	lsass.exe	88
PID 1328 set thread context of 3488	1328	lsass.exe	89

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
228	lsass.exe
1328	lsass.exe
3488	lsass.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 2320 wrote to memory of 760	2320	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	83
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 760 wrote to memory of 2968	760	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	84
PID 2968 wrote to memory of 4320	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	85
PID 2968 wrote to memory of 4320	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	85
PID 2968 wrote to memory of 4320	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	85
PID 2968 wrote to memory of 228	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	87
PID 2968 wrote to memory of 228	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	87
PID 2968 wrote to memory of 228	2968	030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe	87
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 228 wrote to memory of 1328	228	lsass.exe	88
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89
PID 1328 wrote to memory of 3488	1328	lsass.exe	89

C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
"C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
  "C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
    "C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="ImgBurn" dir=in action=allow description="Multimedia suite" program="C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:4320
  - - C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe
      /k C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe
        
        /k C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe
        
        /k C:\Users\Admin\AppData\Local\Temp\030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe

Filesize
392KB

MD5
5c5208cf7e3c9a2709932932eb054010

SHA1
2a956e9870aed81cd456f5ffe6533750455e5060

SHA256
030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4

SHA512
764b0cbeef1ce4ae3f8765d7ea7eba5b570c6b4338e58677d1351ea26ebad3a2c538ec345b6725162f0e98eb252a4aad47aba4f88464cba1ebda97badfdf39db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe

Filesize
392KB

MD5
5c5208cf7e3c9a2709932932eb054010

SHA1
2a956e9870aed81cd456f5ffe6533750455e5060

SHA256
030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4

SHA512
764b0cbeef1ce4ae3f8765d7ea7eba5b570c6b4338e58677d1351ea26ebad3a2c538ec345b6725162f0e98eb252a4aad47aba4f88464cba1ebda97badfdf39db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe

Filesize
392KB

MD5
5c5208cf7e3c9a2709932932eb054010

SHA1
2a956e9870aed81cd456f5ffe6533750455e5060

SHA256
030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4

SHA512
764b0cbeef1ce4ae3f8765d7ea7eba5b570c6b4338e58677d1351ea26ebad3a2c538ec345b6725162f0e98eb252a4aad47aba4f88464cba1ebda97badfdf39db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\lsass.exe

Filesize
392KB

MD5
5c5208cf7e3c9a2709932932eb054010

SHA1
2a956e9870aed81cd456f5ffe6533750455e5060

SHA256
030ed4b2d8bbc62277448ae645304051d8925c612a8e4710aaee3e9e055024a4

SHA512
764b0cbeef1ce4ae3f8765d7ea7eba5b570c6b4338e58677d1351ea26ebad3a2c538ec345b6725162f0e98eb252a4aad47aba4f88464cba1ebda97badfdf39db

Download Submit
memory/760-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3488-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3488-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads