58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

Analysis

max time kernel
187s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Size

392KB
MD5

a325f38538ebeed4e980b6664a5e4c4e
SHA1

1c24415cc529e61e7036609c992f2f38eb99aa16
SHA256

58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f
SHA512

e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30
SSDEEP

6144:FwalwseW0StDNY5nf4/zn3pjo0MfC4jaL/rGnn+aCyIK3ccnMxjiziQP5BfSF:dlwfytM4rnq0Utja+nW1K3DnsGr3U

Score

8^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
952	wininit.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-58-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/1900-60-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/1900-73-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/952-75-0x0000000000260000-0x0000000000270000-memory.dmp	upx
behavioral1/memory/952-77-0x0000000000260000-0x0000000000270000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
File opened for modification	\??\PhysicalDrive0	wininit.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\InprocServer32\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\ProgID	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\msscript.ocx"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\FLAGS\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\HELPDIR\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\HELPDIR\ = "\"C:\\Windows\\system32\""	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	wininit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\FLAGS	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\0\win32\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\InprocServer32	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\ = "Microsoft Script Control 1.0"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\0\win32	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\TypeLib	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\TypeLib\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\TypeLib\ = "{8F01D546-DBBC-8581-AE15-1C004CFB58EF}"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\VersionIndependentProgID\ = "SppComApi.ModemActivation"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	wininit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\ProgID\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\ = "Qagafano Class"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\FLAGS\ = "0"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\HELPDIR	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\ProgID\ = "SppComApi.ModemActivation.1"	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\0	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8F01D546-DBBC-8581-AE15-1C004CFB58EF}\1.0\0\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\VersionIndependentProgID	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F7FA096B-3A09-4978-4896-D0A536732739}\VersionIndependentProgID\	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	wininit.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe
952	wininit.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 1896	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	27
PID 1900 wrote to memory of 1896	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	27
PID 1900 wrote to memory of 1896	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	27
PID 1900 wrote to memory of 1896	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	27
PID 1900 wrote to memory of 952	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	29
PID 1900 wrote to memory of 952	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	29
PID 1900 wrote to memory of 952	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	29
PID 1900 wrote to memory of 952	1900	58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe	29
PID 952 wrote to memory of 2024	952	wininit.exe	30
PID 952 wrote to memory of 2024	952	wininit.exe	30
PID 952 wrote to memory of 2024	952	wininit.exe	30
PID 952 wrote to memory of 2024	952	wininit.exe	30

C:\Users\Admin\AppData\Local\Temp\58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe
"C:\Users\Admin\AppData\Local\Temp\58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  C:\Users\Admin\AppData\Local\Temp\wininit.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
392KB

MD5
a325f38538ebeed4e980b6664a5e4c4e

SHA1
1c24415cc529e61e7036609c992f2f38eb99aa16

SHA256
58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

SHA512
e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30

Download Submit
\Users\Admin\AppData\Local\Temp\netscape.dll

Filesize
10KB

MD5
28a57355d9583b66e51ad978384c159e

SHA1
b8fe4ddb6187cdee0e89c02bab4a104f406d16da

SHA256
81ed76156df0de1caae6730a091f29978493881b54a2d6fbfb43c47153b6fadd

SHA512
991a288ed0f033eb8f54e567a6264a6111f795bd61a1cd600e210730d7ed39c89e735480dc6f0e4026eafad730ae8dc23ec7bc7600a14a2ac9d652638c02ee3e

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
392KB

MD5
a325f38538ebeed4e980b6664a5e4c4e

SHA1
1c24415cc529e61e7036609c992f2f38eb99aa16

SHA256
58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

SHA512
e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30

Download Submit
\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
392KB

MD5
a325f38538ebeed4e980b6664a5e4c4e

SHA1
1c24415cc529e61e7036609c992f2f38eb99aa16

SHA256
58f1dc604d96b41d6027c1960eb79428f16e79275af6a926465a60c2299ee82f

SHA512
e3b10290296fab701656767c92f55b56a20bf1d050d56195aa876ba0b7c205cde7ab7f9d17b92b21224909bdf00024fe76e000407539c06a961ca1addfb88a30

Download Submit
memory/952-74-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/952-77-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/952-75-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1900-60-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1900-72-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/1900-73-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/1900-66-0x0000000075131000-0x0000000075133000-memory.dmp

Filesize
8KB

Download
memory/1900-54-0x0000000000240000-0x0000000000251000-memory.dmp

Filesize
68KB

Download
memory/1900-59-0x0000000000400000-0x0000000000545000-memory.dmp

Filesize
1.3MB

Download
memory/1900-58-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download