Analysis

  • max time kernel
    169s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-11-2022 21:27

General

  • Target

    663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe

  • Size

    3.9MB

  • MD5

    fd27fec87ff61b77b815fc3d6b77a9c4

  • SHA1

    9a250fa16fa7a00dfa01e1384d00d902df71fcd6

  • SHA256

    663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

  • SHA512

    f6f490ed00fcf460e25b77483b04fa8c452c91ddeeb0a64c434763e6f7d2df2d7eacd56727615cea9b37ed9a0ccf10fe81ce8992cbb80b4b02b0daecc71c1bfc

  • SSDEEP

    98304:SyIyGXk/2gPQDUEJ7qw7P8fpmr5GPInWXh+nboj3aVA:myG0/2KyDH7kfpo5GrXh+nbY3v

Malware Config

Signatures

  • UAC bypass 3 TTPs 6 IoCs
  • Blocks application from running via registry modification 18 IoCs

    Adds application to list of disallowed applications.

  • Drops file in Drivers directory 5 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 8 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 5 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 11 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe
    "C:\Users\Admin\AppData\Local\Temp\663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Users\Admin\AppData\Local\Temp\663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe
      C:\Users\Admin\AppData\Local\Temp\663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe
      2⤵
      • UAC bypass
      • Blocks application from running via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks for any installed AV software in registry
      • Checks whether UAC is enabled
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2000
      • C:\Windows\SysWOW64\wbem\mofcomp.exe
        "C:\Windows\System32\wbem\mofcomp.exe" "C:\Users\Admin\AppData\Local\Temp\886.mof"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1100
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\System32\netsh.exe" "firewall" add allowedprogram "C:\Users\Admin\AppData\Local\Temp\663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef.exe" "Smart Security" ENABLE
        3⤵
        PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 2
    Bootkit (T1067): 1
  • Privilege Escalation
    Bypass User Account Control (T1088): 1
  • Defense Evasion
    Bypass User Account Control (T1088): 1
    Disabling Security Tools (T1089): 1
    Modify Registry (T1112): 5
    Virtualization/Sandbox Evasion (T1497): 1
  • Credential Access
    Credentials in Files (T1081): 1
  • Discovery
    Query Registry (T1012): 2
    Virtualization/Sandbox Evasion (T1497): 1
    Security Software Discovery (T1063): 1
    System Information Discovery (T1082): 3
    Peripheral Device Discovery (T1120): 1
  • Collection
    Data from Local System (T1005): 1


Downloads

  • C:\Users\Admin\AppData\Local\Temp\886.mof
    Filesize

    326B

    MD5

    0546a7439cf725fbd2bfbd3ccda93c92

    SHA1

    ede39926dbeee95ca39425ed788fac64a7f30abf

    SHA256

    4cd9f90581e97b7b046f4afd67bf75afd8645dc883968ead4f9ae0f2e7ef7ec2

    SHA512

    c9fd85db8e7e9e09c6374d20a38dea35a937265c069784e08911f6db680094ab41df90e60aa5f66c51793748aa3f0730519bbde8dbe665d342c0310f9484cfe1

  • \ProgramData\2f461\SM4bb.exe
    Filesize

    3.9MB

    MD5

    fd27fec87ff61b77b815fc3d6b77a9c4

    SHA1

    9a250fa16fa7a00dfa01e1384d00d902df71fcd6

    SHA256

    663698248f8b0e3ab5d58abe2a6fb2e7be21e4e4c4cf65693b7b3bbc6be7c1ef

    SHA512

    f6f490ed00fcf460e25b77483b04fa8c452c91ddeeb0a64c434763e6f7d2df2d7eacd56727615cea9b37ed9a0ccf10fe81ce8992cbb80b4b02b0daecc71c1bfc

  • memory/1100-68-0x0000000000000000-mapping.dmp
  • memory/1912-69-0x0000000000000000-mapping.dmp
  • memory/2000-61-0x0000000075571000-0x0000000075573000-memory.dmp
    Filesize

    8KB

  • memory/2000-65-0x0000000013140000-0x0000000013141000-memory.dmp
    Filesize

    4KB

  • memory/2000-66-0x0000000013141000-0x000000001325E000-memory.dmp
    Filesize

    1.1MB

  • memory/2000-64-0x0000000013140000-0x0000000013141000-memory.dmp
    Filesize

    4KB

  • memory/2000-63-0x0000000013140000-0x0000000013141000-memory.dmp
    Filesize

    4KB

  • memory/2000-62-0x0000000013140000-0x00000000138E3000-memory.dmp
    Filesize

    7.6MB

  • memory/2000-57-0x0000000013707014-mapping.dmp
  • memory/2000-60-0x0000000013140000-0x00000000138E3000-memory.dmp
    Filesize

    7.6MB

  • memory/2000-59-0x0000000013140000-0x00000000138E3000-memory.dmp
    Filesize

    7.6MB

  • memory/2000-56-0x0000000013140000-0x00000000138E3000-memory.dmp
    Filesize

    7.6MB

  • memory/2000-76-0x0000000013140000-0x00000000138E3000-memory.dmp
    Filesize

    7.6MB