Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-01-2023 02:34

General

  • Target

    d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe

  • Size

    838KB

  • MD5

    4a9fa940e898ebcc4f723cad30f0ad07

  • SHA1

    d4bf4aa1811c33145d8fd41966f28fd5cdae2f88

  • SHA256

    e1a4f84716f597d3bdb3097fd7d3cf6db230f853c2719156cc5a1ae1b7b5051c

  • SHA512

    c23c3bbfda82df201f5f5ea429e0aa6c14ccfd8cbd43addbbfc5d77dfa0717ed02d60c7ab8a581cdfc651653223b339246374bd892cb7c546b5245e1ea0206bc

  • SSDEEP

    12288:SXo30W26PmYn4QqWJgksAQYUT6eETMaICXadZe09CKEvYzQq6E+UFRZECNzYlL:SXo526e49CbaMavt0IfY8vE+MRGizML

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 11 IoCs
  • Checks SCSI registry key(s) 3 TTPs 40 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 14 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe
    "C:\Users\Admin\AppData\Local\Temp\d4bf4aa1811c33145d8fd41966f28fd5cdae2f88.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\ProgramData\isecurity.exe
      C:\ProgramData\isecurity.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1128
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 764
        3⤵
        • Program crash
        PID:2020
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 764
        3⤵
        • Program crash
        PID:1072
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1140
        3⤵
        • Program crash
        PID:5028
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1148
        3⤵
        • Program crash
        PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1200
        3⤵
        • Program crash
        PID:4108
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1300
        3⤵
        • Program crash
        PID:4444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1288
        3⤵
        • Program crash
        PID:4412
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1200
        3⤵
        • Program crash
        PID:4104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1320
        3⤵
        • Program crash
        PID:4296
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1848
        3⤵
        • Program crash
        PID:4540
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 1292
        3⤵
        • Program crash
        PID:2940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1128 -ip 1128
    1⤵
    PID:2860
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1128 -ip 1128
    1⤵
    PID:1336
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1128 -ip 1128
    1⤵
    PID:204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1128 -ip 1128
    1⤵
    PID:1840
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1128 -ip 1128
    1⤵
    PID:4328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1128 -ip 1128
    1⤵
    PID:3460
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1128 -ip 1128
    1⤵
    PID:2616
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1128 -ip 1128
    1⤵
    PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1128 -ip 1128
    1⤵
    PID:5060
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:372
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4420
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1004
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:4220
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4184
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:2592
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4068
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3188
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:4712
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1128 -ip 1128
    1⤵
    PID:408
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1128 -ip 1128
    1⤵
    PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    • Registry Run Keys / Startup Folder (T1060): 2
    • Bootkit (T1067): 1
  • Defense Evasion
    • Modify Registry (T1112): 2
  • Discovery
    • Query Registry (T1012): 2
    • Peripheral Device Discovery (T1120): 2
    • System Information Discovery (T1082): 3

Downloads

  • C:\ProgramData\isecurity.exe
    Filesize

    830KB

    MD5

    3f6a90e1ac85e296d3da4283ada9eaf2

    SHA1

    ee32ce828dd445a4e45b057a68af8e9fde79d42a

    SHA256

    ce0075e8ab4c6c5455b362c35e077ed409cef1c31f3ea5e1a7b007eaefc22757

    SHA512

    bfdb6a57c4673ff209272279174305e9d19c54a569ca63b030be85f05cbc0c4845aa2447449def390a9b7356511950c65481505ec75f0eaefa65c5c1dfd208ac

  • C:\Users\Public\Desktop\Internet Security.lnk
    Filesize

    682B

    MD5

    aafb6f8818fb7ab11bf1156695776e76

    SHA1

    690bab05fddec23a8e086630eb9826d1de2f076a

    SHA256

    611c24ee949163c4eede28cdc817a8ef07c57e936521f48093361e3b5f379016

    SHA512

    db6546622d60c853f96f37ff55fff25bb98f49a3c61fa9bde15d5e07e2de01bd1b32b00def3dfe2a138cd8ff9fea3817c410a99ec713b5c23e77d9cce6086db1

  • memory/1004-140-0x0000000000000000-mapping.dmp
  • memory/1128-133-0x0000000000000000-mapping.dmp
  • memory/1128-137-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/1128-139-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/1128-141-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/1128-143-0x0000000000400000-0x0000000000A3F000-memory.dmp
    Filesize

    6.2MB

  • memory/4228-132-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB

  • memory/4228-136-0x0000000000400000-0x00000000004FC000-memory.dmp
    Filesize

    1008KB