ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe | Triage

Submit
Reports

Overview

overview

8

Static

static

1

ccf2417e0b...fe.exe

windows7-x64

8

ccf2417e0b...fe.exe

windows10-2004-x64

8

Sharing

General

Target

ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe
Size

479KB
Sample

221203-h8n54aeh84
MD5

4cfb9d0a6fddcf41d6b72feb74045f67
SHA1

3b183e19739dad99673f0a00e9bb3d05bfa4f8c4
SHA256

ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe
SHA512

ebafc6724ef6b1cce8a31f775362abbffb7bf49f6efaec5f6dc79fac25974a192df1c7ec762b4666352395d4785f37368fe09b49ef407c03efb651722a438f02
SSDEEP

6144:2bNST1Pw/LEbmejC6vpq7uQoagJAcUF5nTtj7VJ/9QLkq7+l7d589zia+u2fjk/Y:t4zreDvQsjKd5p7VRzqSmO1YfLu33cW

Score

8^/10

bootkit evasion persistence trojan upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe.exe

Resource

win7-20220901-en

bootkit evasion persistence trojan upx

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe.exe

Resource

win10v2004-20220812-en

bootkit evasion persistence trojan upx

windows10-2004-x64

16 signatures

150 seconds

Malware Config

Targets

- Target
  
  ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe
- Size
  
  479KB
- MD5
  
  4cfb9d0a6fddcf41d6b72feb74045f67
- SHA1
  
  3b183e19739dad99673f0a00e9bb3d05bfa4f8c4
- SHA256
  
  ccf2417e0b8ebedbfdbb005c84ed93adcf1cd0abe9b3c0a37ae692d5ee3cc2fe
- SHA512
  
  ebafc6724ef6b1cce8a31f775362abbffb7bf49f6efaec5f6dc79fac25974a192df1c7ec762b4666352395d4785f37368fe09b49ef407c03efb651722a438f02
- SSDEEP
  
  6144:2bNST1Pw/LEbmejC6vpq7uQoagJAcUF5nTtj7VJ/9QLkq7+l7d589zia+u2fjk/Y:t4zreDvQsjKd5p7VRzqSmO1YfLu33cW
Score

8^/10

bootkit evasion persistence trojan upx
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitevasionpersistencetrojanupx

behavioral2

bootkitevasionpersistencetrojanupx

© 2018-2024

Terms | Privacy