a98cc25206131a8332af1f840b12438cc337576ab3b60e8d808590fabfe99f1d | Triage

Submit
Reports

Overview

overview

Static

static

wps_office_inst.exe

windows7-x64

wps_office_inst.exe

windows10-2004-x64

8

Sharing

General

Target

wps_office_inst.bin.zip
Size

2.8MB
Sample

221228-lflfaaaa96
MD5

32a619ff023beef2cdd274653f0ba0ba
SHA1

4968730a575328881a4fcc7b5bbebe3e00179792
SHA256

a98cc25206131a8332af1f840b12438cc337576ab3b60e8d808590fabfe99f1d
SHA512

db6f2318c773a436b726e8d971ee49d1dcc3139dcfe41fde2949f4e6fcf42d557fadb188bbc74d9b3dcc983f35e94cb0aa8d44d17b18cea00e8e8f14805ec616
SSDEEP

49152:ATDsqA1KjQJeT5joXs5TTWjS71iKtYR1oI4DMfBhOFdbJKhLGain+ZMtph+drAl8:GsyjeeTVDG271iKStffT0bJ3ainzKACv

Score

10^/10

bootkit discovery evasion persistence trojan

Static task

static1

Behavioral task

behavioral1

Sample

wps_office_inst.exe

Resource

win7-20221111-en

bootkit discovery evasion persistence trojan

windows7-x64

21 signatures

150 seconds

Behavioral task

behavioral2

Sample

wps_office_inst.exe

Resource

win10v2004-20220812-en

bootkit discovery evasion persistence trojan

windows10-2004-x64

18 signatures

150 seconds

Malware Config

Targets

- Target
  
  wps_office_inst.bin
- Size
  
  5.2MB
- MD5
  
  0774933894f8d4e54675e959efe06c42
- SHA1
  
  2d2c240494065a2d71b6cbdd40dc90e0f809dd43
- SHA256
  
  1050973ea42dc8afcfb9d037450e9ab9485f08afcfec3d0c3f4a6fe71800cd7e
- SHA512
  
  b33f5614fcabe88177dea07df7d608013e162919bb2f313ec6e3eb4b8eb16a8f4a0ea9d3e7823920c45bb5c136a51f0ca7b8d10b7539ca9885ca59430213fadb
- SSDEEP
  
  98304:vYCjhUpyGHZFZgoGAEh3YsbLGzkY83nJfDUTPY37/uxl:vopyGHHyogxe7MJLUqu
Score

10^/10

bootkit discovery evasion persistence trojan
- Modifies system executable filetype association
  persistence
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bootkitdiscoveryevasionpersistencetrojan

behavioral2

bootkitdiscoveryevasionpersistencetrojan

© 2018-2024

Terms | Privacy