aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b

Analysis

max time kernel
161s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
Size

1.1MB
MD5

effbea685e7b77b9fa92604418c4f8f4
SHA1

27059309b55f180b4135ace1016b4f407f26be70
SHA256

aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b
SHA512

7b0e9d7c21d1960ff76df9f8f333014793e694b85bea3eccf3db6963d496a881efd782d7ec102b4b69a8efd29929a00a070d035f914c431f97b73121076b5da1
SSDEEP

24576:2NGQvfd4wzQP6ASSvTd7z/fl3F6e8P25XZkKcs9hzTQVF4CFU:UGQHuaQiWvZ7ThW2tZZcs99Q0

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
712	downhill.exe
4544	downhill.exe
1532	downhill.exe
4724	downhill.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe

Loads dropped DLL 3 IoCs

pid	Process
3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	downhill.exe
File opened for modification	\??\PhysicalDrive0	downhill.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
4724	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe
1532	downhill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4544	downhill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
712	downhill.exe
712	downhill.exe
1532	downhill.exe
1532	downhill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 712	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	77
PID 3368 wrote to memory of 712	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	77
PID 3368 wrote to memory of 712	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	77
PID 3368 wrote to memory of 4544	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	78
PID 3368 wrote to memory of 4544	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	78
PID 3368 wrote to memory of 4544	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	78
PID 3368 wrote to memory of 1532	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	79
PID 3368 wrote to memory of 1532	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	79
PID 3368 wrote to memory of 1532	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	79
PID 3368 wrote to memory of 4724	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	80
PID 3368 wrote to memory of 4724	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	80
PID 3368 wrote to memory of 4724	3368	aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe	80

C:\Users\Admin\AppData\Local\Temp\aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe
"C:\Users\Admin\AppData\Local\Temp\aab3477d4c76ae28869ebf49da7f0d45a6101b2e4b56d75a3dbdaa242abf888b.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe
  "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" SW_SHOWNORMAL
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:712
- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe
  "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /ShowDeskTop
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:4544
- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe
  "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /autorun /setuprun
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1532
- C:\Users\Admin\AppData\Roaming\downhill\downhill.exe
  "C:\Users\Admin\AppData\Roaming\downhill\downhill.exe" /setupsucc
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  PID:4724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvBDA9.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA9.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvBDA9.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\Lander.ini

Filesize
416B

MD5
b5327437c7760ed5465764a66dad7c5d

SHA1
143b40cfb78b74c7f03c661cc1b172c98b903621

SHA256
d311c3cf024b4c77f2c2f31a9feeccc760cda6ce5bf480533dfd632c82b2983b

SHA512
65db2ce8d3bfffc653ce53a38a7ebd5a47068442fcbd4d5e472b46ddef4b413c5c5d9ccd1cabe9c1d340645d3d625c2ca6339b3994a99dab0bb1154d72149bd0

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\Lander.ini

Filesize
416B

MD5
b5327437c7760ed5465764a66dad7c5d

SHA1
143b40cfb78b74c7f03c661cc1b172c98b903621

SHA256
d311c3cf024b4c77f2c2f31a9feeccc760cda6ce5bf480533dfd632c82b2983b

SHA512
65db2ce8d3bfffc653ce53a38a7ebd5a47068442fcbd4d5e472b46ddef4b413c5c5d9ccd1cabe9c1d340645d3d625c2ca6339b3994a99dab0bb1154d72149bd0

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\Lander.ini

Filesize
448B

MD5
0354208aa510521c29f68976064cf4ed

SHA1
57532514e83a3018025942f3639ff214c307672d

SHA256
254b91ed6a7766f21840e90a6f1c030ae7edcc3d341f67c54b05c768a9fde112

SHA512
b5c554868b0e3242aaa8cc6ec94a6e3a541c38341276022fb747d85e25a47a343d0f0d65b28b87472c33e8391931d123fae7a1989046470b4bcb2663aa351549

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\Lander.ini

Filesize
672B

MD5
5b40ebdd9a60fedd258d75dcbf7b5246

SHA1
e4a485919c7e720c01cf5d6f42c3115c97908a35

SHA256
52a03267442cd3506307e6ecf68447b31dc5ebc92538f6b337d46bb2626754a9

SHA512
07d222af982ceb309925c547238754fca56d24922be5ff36f7ba06d2d84164fc7f0c10445fb3aac8cbdee0f76a9514c144016b060a69b8d5db5a26317b48de0d

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\Lander.ini

Filesize
672B

MD5
5b40ebdd9a60fedd258d75dcbf7b5246

SHA1
e4a485919c7e720c01cf5d6f42c3115c97908a35

SHA256
52a03267442cd3506307e6ecf68447b31dc5ebc92538f6b337d46bb2626754a9

SHA512
07d222af982ceb309925c547238754fca56d24922be5ff36f7ba06d2d84164fc7f0c10445fb3aac8cbdee0f76a9514c144016b060a69b8d5db5a26317b48de0d

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\downhill.exe

Filesize
1.3MB

MD5
ce25a1dd39160a76c2897033a6994b16

SHA1
d8fc1e6b7ede9c4aa9322607a2f9d10c423945de

SHA256
53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8

SHA512
a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\downhill.exe

Filesize
1.3MB

MD5
ce25a1dd39160a76c2897033a6994b16

SHA1
d8fc1e6b7ede9c4aa9322607a2f9d10c423945de

SHA256
53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8

SHA512
a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\downhill.exe

Filesize
1.3MB

MD5
ce25a1dd39160a76c2897033a6994b16

SHA1
d8fc1e6b7ede9c4aa9322607a2f9d10c423945de

SHA256
53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8

SHA512
a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\downhill.exe

Filesize
1.3MB

MD5
ce25a1dd39160a76c2897033a6994b16

SHA1
d8fc1e6b7ede9c4aa9322607a2f9d10c423945de

SHA256
53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8

SHA512
a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65

Download Submit
C:\Users\Admin\AppData\Roaming\downhill\downhill.exe

Filesize
1.3MB

MD5
ce25a1dd39160a76c2897033a6994b16

SHA1
d8fc1e6b7ede9c4aa9322607a2f9d10c423945de

SHA256
53822e59b4ae7c2df39d938e0a4b96f4cde12c1bdd639866e9737c996c0dc4c8

SHA512
a93653b7715b8ed010dcce07da0edd905203c5cf03182341de5e926f16d3f8cad3e70eda55ed8856a3f72e2570df83d82986ed2a328bd2f40b276a6d76458f65

Download Submit
memory/3368-136-0x00000000022A0000-0x00000000022A3000-memory.dmp

Filesize
12KB

Download
memory/3368-135-0x00000000022A0000-0x00000000022A3000-memory.dmp

Filesize
12KB

Download