8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b

Analysis

max time kernel
143s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Size

674KB
MD5

f2c5f477b01299298696c253d74a4263
SHA1

7dd0c64c4a27f1396e8a7560e9052c6b23b4d623
SHA256

8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b
SHA512

8944cd200e51708d62d64757b5210f071bd8050ebc1fc75adef858a13277abf55ea1a6f645d0a4e768af8680d6eb618779138bdf624c426885dabdb5786d628d
SSDEEP

12288:sIEtsfvYX1uWPNpgFYqeJhC8ETj092LOD9M6:sI0h1BXHqYQ8o0ELg9

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\zcygov.cn	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\zcygov.cn	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\zcygov.cn\NumberOfSubdomains = "1"	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe = "11001"	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4972	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
4972	8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe

C:\Users\Admin\AppData\Local\Temp\8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe
"C:\Users\Admin\AppData\Local\Temp\8edb730282cad396bb32902d7112dc1dcc9fd734d7d774ed39f1f869a5f37c0b.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...