14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3

Analysis

max time kernel
134s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe
Size

2.4MB
MD5

925f778b054cc8f19aa0a3685cb87d5c
SHA1

60cb0fba6afeec14bf52e67f364ce220f5434e56
SHA256

14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3
SHA512

dd06e95e42ce70cb354987ee0ce067da8afd18c9636ee64b6a2f80c11e828cb7b6f0902079792c7d25892f445f61e8bd17c8db4280efd9b143ae47cddcf0cdfa
SSDEEP

49152:YZU8WZwv6cL1TWWe3iwYe0W13CXBEoyHvZQcKKvDWp59lbNJN+nDNS5wVds:MU1avzdWflJt3CFyPuc7AbbADNSGc

Score

8^/10

bootkit evasion persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4080	load.exe
4164	SuperRecovery.EXE

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/456-132-0x0000000000400000-0x00000000004AE000-memory.dmp	upx
behavioral2/memory/456-147-0x0000000000400000-0x00000000004AE000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SuperRecovery.EXE

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Wine	SuperRecovery.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	SuperRecovery.EXE

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4164	SuperRecovery.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
456	14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
456	14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE
4164	SuperRecovery.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4080	456	14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe	84
PID 456 wrote to memory of 4080	456	14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe	84
PID 456 wrote to memory of 4080	456	14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe	84
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89
PID 4080 wrote to memory of 4164	4080	load.exe	89

C:\Users\Admin\AppData\Local\Temp\14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe
"C:\Users\Admin\AppData\Local\Temp\14da57e0a50752df45cc24faa469950ab990be96a89aa5addf3b840b722e2ae3.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Roaming\superhf\load.exe
  C:\Users\Admin\AppData\Roaming\superhf\load.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\AppData\Roaming\superhf\SuperRecovery.EXE
    C:\Users\Admin\AppData\Roaming\superhf\load.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\superhf\SuperRecovery.EXE

Filesize
2.1MB

MD5
7a0816cf25487cbc1bc89516adeb6215

SHA1
06c83b3e807bafddcecc3e01eb7adb8f700ba079

SHA256
9a5093f92b11d724c9c1ffa492056cd547643e82f9538a9f83c9b018915184c8

SHA512
70809a3e0bfa62be6ff057e99a4971f96a6e90623737873a60080af3d0622e6bc31d1514bc0bbb93c4481b711786e599d8a176502588f1c4fa268daea083161a

Download Submit
C:\Users\Admin\AppData\Roaming\superhf\SuperRecovery.EXE

Filesize
2.1MB

MD5
7a0816cf25487cbc1bc89516adeb6215

SHA1
06c83b3e807bafddcecc3e01eb7adb8f700ba079

SHA256
9a5093f92b11d724c9c1ffa492056cd547643e82f9538a9f83c9b018915184c8

SHA512
70809a3e0bfa62be6ff057e99a4971f96a6e90623737873a60080af3d0622e6bc31d1514bc0bbb93c4481b711786e599d8a176502588f1c4fa268daea083161a

Download Submit
C:\Users\Admin\AppData\Roaming\superhf\load.exe

Filesize
237KB

MD5
95699274a1024bf158f11b9e9e535aa4

SHA1
b360407e25cb1f32e0c32fe562d78c9c542e392c

SHA256
c716ac4c90e2c21e49fd50bd62170bf3aae088d9459edd7e68b292fcacadb8dd

SHA512
6daeb09c2b378ae8352d77371648d1f2707980f48caeff7f1e9362effd38e10386071d687551efbd372599c6befd6fa0e1225e719d404792e6f18437f9ad9abb

Download Submit
C:\Users\Admin\AppData\Roaming\superhf\load.exe

Filesize
237KB

MD5
95699274a1024bf158f11b9e9e535aa4

SHA1
b360407e25cb1f32e0c32fe562d78c9c542e392c

SHA256
c716ac4c90e2c21e49fd50bd62170bf3aae088d9459edd7e68b292fcacadb8dd

SHA512
6daeb09c2b378ae8352d77371648d1f2707980f48caeff7f1e9362effd38e10386071d687551efbd372599c6befd6fa0e1225e719d404792e6f18437f9ad9abb

Download Submit
memory/456-147-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/456-132-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/4080-145-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-151-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/4080-139-0x0000000002320000-0x00000000024C0000-memory.dmp

Filesize
1.6MB

Download
memory/4080-141-0x0000000002290000-0x00000000022B4000-memory.dmp

Filesize
144KB

Download
memory/4080-138-0x0000000002100000-0x00000000021F0000-memory.dmp

Filesize
960KB

Download
memory/4080-150-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-133-0x0000000000000000-mapping.dmp

Download
memory/4080-149-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/4080-140-0x0000000002B30000-0x0000000002CD3000-memory.dmp

Filesize
1.6MB

Download
memory/4080-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-137-0x00000000005C0000-0x0000000000600000-memory.dmp

Filesize
256KB

Download
memory/4164-148-0x00000000025E0000-0x00000000026CF000-memory.dmp

Filesize
956KB

Download
memory/4164-143-0x0000000000000000-mapping.dmp

Download
memory/4164-146-0x0000000000400000-0x0000000000894000-memory.dmp

Filesize
4.6MB

Download
memory/4164-152-0x0000000000400000-0x0000000000894000-memory.dmp

Filesize
4.6MB

Download
memory/4164-153-0x0000000000400000-0x0000000000894000-memory.dmp

Filesize
4.6MB

Download
memory/4164-154-0x0000000000400000-0x0000000000894000-memory.dmp

Filesize
4.6MB

Download