b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958

Analysis

max time kernel
144s
max time network
156s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe
Size

176KB
MD5

cf85b9d8b9325f97b2c6ced380cecb29
SHA1

cedce894b0e3b1e2423883595c0321eac1d988fd
SHA256

b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958
SHA512

6e8915d6ec1b5991fb60f53a5b2a610baf86946843d7e6a66e4254ce6642fecc70b90a6982efb3e8656810cd71dee777aa17f139b2fd0e3fd81691e4f220451c
SSDEEP

3072:kvzYFkSteUXaEx1Xki87wIejTGg843Q5zjvW7gk9DNF3B+u/gfVtQl:kLYKSQUXaEx1Xki53jigb3Q5zeFlNeu1

Score

8^/10

bootkit persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\LSsiuUvXNE.ini	b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe
File created	C:\Windows\system32\drivers\etc\r2dQ2ctF.dll	b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SRAT_Service\Parameters\ServiceDLL = "C:\\Windows\\system32\\drivers\\etc\\r2dQ2ctF.dll"	b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe

Loads dropped DLL 1 IoCs

pid	Process
1220	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe

C:\Users\Admin\AppData\Local\Temp\b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe
"C:\Users\Admin\AppData\Local\Temp\b1e2c94ab1dbf9e7b7f0f91615170271dc104f728f7d8892dba2555959943958.exe"
1⤵
- Drops file in Drivers directory
- Sets DLL path for service in the registry
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\system32\drivers\etc\r2dq2ctf.dll

Filesize
144KB

MD5
05c53a644815cafff33d8273e1157cff

SHA1
a4616f45adf956f28290bf31d2c773ad4b8c0995

SHA256
570dddf2a808fc5b65fa47d39dafb333fa57ac9c88d75a64aaf3f8c9cbbf12b3

SHA512
fa80bdd3b83fd2bfaa1c6a10c343074038f2d1c1aafdd3c45919968f86ee2c2d059eabe58cc7447118f5c76ce826e1d4e0965ab6529b0795b11cbebcb1fc5b68

Download Submit
\Windows\System32\drivers\etc\r2dQ2ctF.dll

Filesize
144KB

MD5
05c53a644815cafff33d8273e1157cff

SHA1
a4616f45adf956f28290bf31d2c773ad4b8c0995

SHA256
570dddf2a808fc5b65fa47d39dafb333fa57ac9c88d75a64aaf3f8c9cbbf12b3

SHA512
fa80bdd3b83fd2bfaa1c6a10c343074038f2d1c1aafdd3c45919968f86ee2c2d059eabe58cc7447118f5c76ce826e1d4e0965ab6529b0795b11cbebcb1fc5b68

Download Submit
memory/1220-56-0x0000000000090000-0x00000000000B8000-memory.dmp

Filesize
160KB

Download
memory/1220-57-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download