a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31

Analysis

max time kernel
190s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe
Size

2.5MB
MD5

c5eb544e37290708069aaa8e871ab413
SHA1

649413b3aaa0a8a49d490ee2fd9faa545c101caf
SHA256

a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31
SHA512

d93f49646aa8dee2b1ad4f67d366a4c7a6bbb0a634f8383986cacafef0193070deed56a9645ac32bc8f2f2cf25ec26c14f863aa60e9cb2bfb683105bcbdc7ba7
SSDEEP

49152:YKmr0UN8Yf/ZF5ZK67Zk5S1XRUESW+wvZn5/zRN+9RUKHs16yaNx8Qz:xmrlN8YfB9FB1hUElLRNgM16yaJ

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Wine	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\startkey = "C:\\Windows\\server.exe"	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe
File opened for modification	C:\Windows\server.exe	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe
4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 2596	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	26
PID 4312 wrote to memory of 2596	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	26
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83
PID 4312 wrote to memory of 3944	4312	a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe	83

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2596
- C:\Users\Admin\AppData\Local\Temp\a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe
  "C:\Users\Admin\AppData\Local\Temp\a4721f61926d66aef4f552077d81fe31b43b9e0827dea793e8c663ae27c0fa31.exe"
  2⤵
  - Identifies Wine through registry keys
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4312-132-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/4312-133-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download
memory/4312-134-0x0000000000400000-0x0000000000683000-memory.dmp

Filesize
2.5MB

Download