Overview

overview

8

Static

static

511AM.png

windows10-1703-x64

8

511AM.png

windows7-x64

8

511AM.png

windows10-2004-x64

8

Resubmissions

19-11-2022 16:53

221119-vefm3sbe39 8

19-11-2022 16:41

221119-t7bddsbb32 8

Analysis

  • max time kernel
    317s
  • max time network
    291s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    19-11-2022 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    511AM.png

  • Size

    966B

  • MD5

    5c51a8836f1c31af4517ff739cb3e7fa

  • SHA1

    49af67355378b659a38686c6b02e7de32915a1f8

  • SHA256

    02190c5e84d7e7b3866816742f5258fbea919c2cbe581a04b7013b9bdddc565a

  • SHA512

    9cd3a607d9c9ad59f63c983a20fd8a8eb1565700cb06b8f3bf162565fece8bf7363cac6e953fd9f1b1bdf5cdb799486ace5180fbabbab69fdc4cc24d06980bda

Score
8/10
bootkitevasionpersistence

Malware Config

Signatures

  • Disables RegEdit via registry modification 1 IoCs
    evasion
  • Disables Task Manager via registry modification
    evasion
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\511AM.png
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:752
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1104,5364911902874950699,15491894406047676426,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
    1⤵
      PID:528
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
      1⤵
        PID:1952
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1324 /prefetch:8
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1528
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1104,5364911902874950699,15491894406047676426,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1272 /prefetch:8
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:816
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 /prefetch:8
        1⤵
          PID:1084
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
          1⤵
            PID:1604
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
            1⤵
              PID:1704
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
              1⤵
                PID:2168
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1096 /prefetch:2
                1⤵
                  PID:2284
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
                  1⤵
                    PID:2328
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3532 /prefetch:8
                    1⤵
                      PID:2404
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
                      1⤵
                        PID:2412
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3760 /prefetch:8
                        1⤵
                          PID:2484
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
                          1⤵
                            PID:2524
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
                            1⤵
                              PID:2600
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
                              1⤵
                                PID:2660
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
                                1⤵
                                  PID:2848
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
                                  1⤵
                                    PID:2928
                                  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
                                    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
                                    1⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:2964
                                    • C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
                                      "C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x14006a890,0x14006a8a0,0x14006a8b0
                                      2⤵
                                        PID:2996
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
                                      1⤵
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:2984
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1676 /prefetch:8
                                      1⤵
                                        PID:1964
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3884 /prefetch:8
                                        1⤵
                                          PID:1548
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3856 /prefetch:8
                                          1⤵
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1736
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4876 /prefetch:8
                                          1⤵
                                            PID:292
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1412 /prefetch:8
                                            1⤵
                                              PID:2268
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
                                              1⤵
                                                PID:1304
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 /prefetch:8
                                                1⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1912
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
                                                1⤵
                                                  PID:2364
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3016 /prefetch:8
                                                  1⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  PID:2016
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1112,6314309400684926023,780101533533551472,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3248 /prefetch:8
                                                  1⤵
                                                    PID:2732
                                                  • C:\Windows\system32\AUDIODG.EXE
                                                    C:\Windows\system32\AUDIODG.EXE 0x540
                                                    1⤵
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2796
                                                  • C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Temp1_Holzer.zip\Holzer.exe"
                                                    1⤵
                                                    • Disables RegEdit via registry modification
                                                    • Writes to the Master Boot Record (MBR)
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:1620
                                                    • C:\Windows\SysWOW64\AdapterTroubleshooter.exe
                                                      "C:\Windows\System32\AdapterTroubleshooter.exe"
                                                      2⤵
                                                        PID:4332
                                                      • C:\Windows\SysWOW64\ARP.EXE
                                                        "C:\Windows\System32\ARP.EXE"
                                                        2⤵
                                                          PID:4116
                                                        • C:\Windows\SysWOW64\at.exe
                                                          "C:\Windows\System32\at.exe"
                                                          2⤵
                                                            PID:3784
                                                          • C:\Windows\SysWOW64\AtBroker.exe
                                                            "C:\Windows\System32\AtBroker.exe"
                                                            2⤵
                                                              PID:4788
                                                            • C:\Windows\SysWOW64\attrib.exe
                                                              "C:\Windows\System32\attrib.exe"
                                                              2⤵
                                                              • Views/modifies file attributes
                                                              PID:5020
                                                            • C:\Windows\SysWOW64\auditpol.exe
                                                              "C:\Windows\System32\auditpol.exe"
                                                              2⤵
                                                                PID:3712

                                                            Network

                                                            MITRE ATT&CK Enterprise v6

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • memory/752-54-0x000007FEFC071000-0x000007FEFC073000-memory.dmp
                                                              Filesize

                                                              8KB

                                                              Download
                                                            • memory/1620-56-0x0000000076531000-0x0000000076533000-memory.dmp
                                                              Filesize

                                                              8KB

                                                              Download
                                                            • memory/2996-55-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/3712-65-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/3784-60-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/4116-59-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/4332-57-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/4788-62-0x0000000000000000-mapping.dmp
                                                              Download
                                                            • memory/5020-64-0x0000000000000000-mapping.dmp
                                                              Download