2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99

Analysis

max time kernel
151s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
Size

204KB
MD5

e1551ae30787dc1917a3931c0a78eead
SHA1

7fa225695fb6a7cf8ed1fe9b6273dc6d2d4e49d6
SHA256

2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99
SHA512

5cf6dd99953ff002cb40f2a3216c23ebb4bd7bdc2b6128c361dc3efaa1e5950bbebfcd7a5a653cfb3698f1df6034ea46c80d6e0c4d7b6d480f92a31d16ee49d2
SSDEEP

6144:dfH74N0nUFxFFWYxofKx/8GcsMBvMCmJpw:pb5ngLFE+esTCmE

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1288	ikenl.exe
604	ikenl.exe

Deletes itself 1 IoCs

pid	Process
1940	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	ikenl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{45820DC6-F01B-0DB9-C0DB-DAA71D23FA3D} = "C:\\Users\\Admin\\AppData\\Roaming\\Ivuvc\\ikenl.exe"	ikenl.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
File opened for modification	\??\PhysicalDrive0	ikenl.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1968 set thread context of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1288 set thread context of 604	1288	ikenl.exe	29

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe
604	ikenl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeSecurityPrivilege	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
Token: SeSecurityPrivilege	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
Token: SeSecurityPrivilege	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 1968 wrote to memory of 960	1968	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	27
PID 960 wrote to memory of 1288	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	28
PID 960 wrote to memory of 1288	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	28
PID 960 wrote to memory of 1288	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	28
PID 960 wrote to memory of 1288	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	28
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 1288 wrote to memory of 604	1288	ikenl.exe	29
PID 604 wrote to memory of 1140	604	ikenl.exe	13
PID 604 wrote to memory of 1140	604	ikenl.exe	13
PID 604 wrote to memory of 1140	604	ikenl.exe	13
PID 604 wrote to memory of 1140	604	ikenl.exe	13
PID 604 wrote to memory of 1140	604	ikenl.exe	13
PID 604 wrote to memory of 1240	604	ikenl.exe	12
PID 604 wrote to memory of 1240	604	ikenl.exe	12
PID 604 wrote to memory of 1240	604	ikenl.exe	12
PID 604 wrote to memory of 1240	604	ikenl.exe	12
PID 604 wrote to memory of 1240	604	ikenl.exe	12
PID 604 wrote to memory of 1296	604	ikenl.exe	11
PID 604 wrote to memory of 1296	604	ikenl.exe	11
PID 604 wrote to memory of 1296	604	ikenl.exe	11
PID 604 wrote to memory of 1296	604	ikenl.exe	11
PID 604 wrote to memory of 1296	604	ikenl.exe	11
PID 604 wrote to memory of 960	604	ikenl.exe	27
PID 604 wrote to memory of 960	604	ikenl.exe	27
PID 604 wrote to memory of 960	604	ikenl.exe	27
PID 604 wrote to memory of 960	604	ikenl.exe	27
PID 604 wrote to memory of 960	604	ikenl.exe	27
PID 960 wrote to memory of 1940	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	30
PID 960 wrote to memory of 1940	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	30
PID 960 wrote to memory of 1940	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	30
PID 960 wrote to memory of 1940	960	2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe	30
PID 604 wrote to memory of 1940	604	ikenl.exe	30
PID 604 wrote to memory of 1940	604	ikenl.exe	30
PID 604 wrote to memory of 1940	604	ikenl.exe	30
PID 604 wrote to memory of 1940	604	ikenl.exe	30
PID 604 wrote to memory of 1940	604	ikenl.exe	30
PID 604 wrote to memory of 640	604	ikenl.exe	31
PID 604 wrote to memory of 1928	604	ikenl.exe	32
PID 604 wrote to memory of 1928	604	ikenl.exe	32
PID 604 wrote to memory of 1928	604	ikenl.exe	32
PID 604 wrote to memory of 1928	604	ikenl.exe	32
PID 604 wrote to memory of 1928	604	ikenl.exe	32
PID 604 wrote to memory of 1192	604	ikenl.exe	33
PID 604 wrote to memory of 1192	604	ikenl.exe	33
PID 604 wrote to memory of 1192	604	ikenl.exe	33
PID 604 wrote to memory of 1192	604	ikenl.exe	33
PID 604 wrote to memory of 1192	604	ikenl.exe	33
PID 604 wrote to memory of 900	604	ikenl.exe	34
PID 604 wrote to memory of 900	604	ikenl.exe	34

C:\Users\Admin\AppData\Local\Temp\2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
"C:\Users\Admin\AppData\Local\Temp\2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
  C:\Users\Admin\AppData\Local\Temp\2b7d7ce067b9bd88ec725a5be9f1c0773071066df06a878a3a7b7af341e61c99.exe
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe
    "C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe
      C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpad87dd0c.bat"
    3⤵
    - Deletes itself
    PID:1940

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1296

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-594222987-1705384543-1246904202816142774-1906589764-5432774812129558536-74692761"
1⤵
PID:640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1192

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:900

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpad87dd0c.bat

Filesize
307B

MD5
b5a386deeafd64ef86da38106ea2b49a

SHA1
9437ce7c9c49061b7f675c9eba462ef05542400f

SHA256
5c666998840880f462769f5f28668823d49aebf1e8430182f059c62286947e5e

SHA512
c36c0f8289fbc166478d2b086d243cc1a73250226eef33714a35f14851e74168ea5fe1743ebe6b67bf9a37abbe5e97245eaf73f6545b707cdc5131c3d252c33e

Download Submit
C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe

Filesize
204KB

MD5
b74419611946ac01e9afcaf61c915a35

SHA1
0cb758b0919b38d445efbcf4346fd12ca493b7c4

SHA256
b233427307bcd49b7992ddcb8db89b9ba7f95d4084cefa51a29b6711f4c4f64b

SHA512
333aa7caafcd739de0dd56976d11b7e3761dd3b59d5ea2bc5220ff3887b80c3ebc3d13290909011273a85eef63cf139dab79f5fea4b4492a77d86a557f3d3bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe

Filesize
204KB

MD5
b74419611946ac01e9afcaf61c915a35

SHA1
0cb758b0919b38d445efbcf4346fd12ca493b7c4

SHA256
b233427307bcd49b7992ddcb8db89b9ba7f95d4084cefa51a29b6711f4c4f64b

SHA512
333aa7caafcd739de0dd56976d11b7e3761dd3b59d5ea2bc5220ff3887b80c3ebc3d13290909011273a85eef63cf139dab79f5fea4b4492a77d86a557f3d3bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe

Filesize
204KB

MD5
b74419611946ac01e9afcaf61c915a35

SHA1
0cb758b0919b38d445efbcf4346fd12ca493b7c4

SHA256
b233427307bcd49b7992ddcb8db89b9ba7f95d4084cefa51a29b6711f4c4f64b

SHA512
333aa7caafcd739de0dd56976d11b7e3761dd3b59d5ea2bc5220ff3887b80c3ebc3d13290909011273a85eef63cf139dab79f5fea4b4492a77d86a557f3d3bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Worio\xaub.vum

Filesize
398B

MD5
f6b9fe7dc425fd6f62460ffa8077f1d7

SHA1
85f72dbe7398edd7d00bae98498b1408252a8315

SHA256
cfb91c98a1ca33406b26d59c9a2b1489da98da657e48e4d22ab3b6a5440b7a8c

SHA512
f7f72579634acdc86ae60450498f388170f37cdfe661fbe5a7d3ef5641d99041e6030a510672d4f7a3593eeb0f3ed3f4023f6b0c16e2785632dc253759ce76d0

Download Submit
\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe

Filesize
204KB

MD5
b74419611946ac01e9afcaf61c915a35

SHA1
0cb758b0919b38d445efbcf4346fd12ca493b7c4

SHA256
b233427307bcd49b7992ddcb8db89b9ba7f95d4084cefa51a29b6711f4c4f64b

SHA512
333aa7caafcd739de0dd56976d11b7e3761dd3b59d5ea2bc5220ff3887b80c3ebc3d13290909011273a85eef63cf139dab79f5fea4b4492a77d86a557f3d3bc3

Download Submit
\Users\Admin\AppData\Roaming\Ivuvc\ikenl.exe

Filesize
204KB

MD5
b74419611946ac01e9afcaf61c915a35

SHA1
0cb758b0919b38d445efbcf4346fd12ca493b7c4

SHA256
b233427307bcd49b7992ddcb8db89b9ba7f95d4084cefa51a29b6711f4c4f64b

SHA512
333aa7caafcd739de0dd56976d11b7e3761dd3b59d5ea2bc5220ff3887b80c3ebc3d13290909011273a85eef63cf139dab79f5fea4b4492a77d86a557f3d3bc3

Download Submit
memory/604-86-0x000000000040574D-mapping.dmp

Download
memory/960-61-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-74-0x0000000001DA0000-0x0000000001DED000-memory.dmp

Filesize
308KB

Download
memory/960-68-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-67-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/960-113-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/960-112-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/960-114-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/960-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-56-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-111-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/960-63-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-65-0x000000000040574D-mapping.dmp

Download
memory/960-59-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/960-115-0x0000000000370000-0x000000000038A000-memory.dmp

Filesize
104KB

Download
memory/1140-93-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/1140-94-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/1140-95-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/1140-96-0x0000000000410000-0x000000000042A000-memory.dmp

Filesize
104KB

Download
memory/1192-137-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/1192-136-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/1192-135-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/1192-134-0x0000000003A50000-0x0000000003A6A000-memory.dmp

Filesize
104KB

Download
memory/1240-99-0x0000000001AD0000-0x0000000001AEA000-memory.dmp

Filesize
104KB

Download
memory/1240-102-0x0000000001AD0000-0x0000000001AEA000-memory.dmp

Filesize
104KB

Download
memory/1240-100-0x0000000001AD0000-0x0000000001AEA000-memory.dmp

Filesize
104KB

Download
memory/1240-101-0x0000000001AD0000-0x0000000001AEA000-memory.dmp

Filesize
104KB

Download
memory/1288-89-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1288-71-0x0000000000000000-mapping.dmp

Download
memory/1288-75-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1288-76-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1296-107-0x00000000029D0000-0x00000000029EA000-memory.dmp

Filesize
104KB

Download
memory/1296-108-0x00000000029D0000-0x00000000029EA000-memory.dmp

Filesize
104KB

Download
memory/1296-105-0x00000000029D0000-0x00000000029EA000-memory.dmp

Filesize
104KB

Download
memory/1296-106-0x00000000029D0000-0x00000000029EA000-memory.dmp

Filesize
104KB

Download
memory/1928-128-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download
memory/1928-129-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download
memory/1928-130-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download
memory/1928-131-0x0000000000110000-0x000000000012A000-memory.dmp

Filesize
104KB

Download
memory/1940-122-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/1940-121-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/1940-120-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/1940-119-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/1940-116-0x0000000000000000-mapping.dmp

Download
memory/1968-54-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1968-66-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1968-55-0x0000000000270000-0x00000000002B2000-memory.dmp

Filesize
264KB

Download