296becf74a7989ff8f63a1c572b8b01ff0a7e8472d4d59f31bf9167ed195b2f6

Resubmissions

16/02/2023, 08:23

230216-kacqhsgf66 7

14/02/2023, 13:14

230214-qg2acach6z 7

14/02/2023, 13:10

230214-qetsgsde72 7

Analysis

max time kernel
128s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
14/02/2023, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67cf719a695ae1b769da9253901c26d8.exe
Size

5.1MB
MD5

67cf719a695ae1b769da9253901c26d8
SHA1

c148e7823e4bd98060f1b1d402aed070f99b5902
SHA256

296becf74a7989ff8f63a1c572b8b01ff0a7e8472d4d59f31bf9167ed195b2f6
SHA512

52a82db982f67f78558933c2ea5d2df8a88a20fdbedd71fcb0cd367b7c88b91a5388aec1bf5f305b1a0e8c610d489c93149599ee0fe3136d201e2522d50a5a48
SSDEEP

98304:MspkzuYnHDsB7V7UsE/8EI79WFynJih6/BG:M2Su7VSk7wQJc60

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	67cf719a695ae1b769da9253901c26d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000771857067c06a940b79750cd25c9189900000000020000000000106600000001000020000000f6df0a4ee900b44d4fe8b45030537cde4283d0b7e93d06fba06fd671e7b48275000000000e80000000020000200000002d42b7c2cc4139bad3b9ad1835f869755068d134d15206391aa29ca22ea173cf200000002158b4d7aad3a341febbc1f493e825ba422cd639018349c109ae270482ed76254000000086753d53f849802620a0f7b0195fd77a205f291a2551371634345abcaea84c5c2155b2083c9c5891e0951b3ed1a89201cb8b87fc0c5feafea215b075526cdb3d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\360.cn	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage\360.cn\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60116a767e40d901	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000771857067c06a940b79750cd25c918990000000002000000000010660000000100002000000098669cdbc79a4f3750d15d1c37a1679b440bcb192de1d9952946261e545689eb000000000e8000000002000020000000ac12daa9221c63d5cef2c5d41b8e7f13fb67f1523f617ba7ec788514f6f6132e900000001fa6fed825f244f68d4aee247308b574c50acc01f5b858939be2b0b5d10eaca88cca776e7e9a73034f64374339822b3c1a15db74d612969156568269c549fdbf8d9b084efca4cf30c69eea811305bd9ddd066906c41c0786d56bf5d44251cb9df63f9591551e74cda456c6453011b8612d5dc05b0d16a662eea87f88e525de01a99e31572dd5b820553949321ad31f9240000000c11953d031ce24ae41f4bc20d8bc1e60aad4a2457ce80c467797e3aad073e98979062c908d122368de107183347a9b3d2297397ae6bac460a5f931588b54afba	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6C65E361-AC71-11ED-91E9-EEBA1A0FFCD1} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383148842"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1680	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1680	IEXPLORE.EXE
1680	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE
1440	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1492	840	67cf719a695ae1b769da9253901c26d8.exe	29
PID 840 wrote to memory of 1492	840	67cf719a695ae1b769da9253901c26d8.exe	29
PID 840 wrote to memory of 1492	840	67cf719a695ae1b769da9253901c26d8.exe	29
PID 840 wrote to memory of 1492	840	67cf719a695ae1b769da9253901c26d8.exe	29
PID 1492 wrote to memory of 1680	1492	iexplore.exe	31
PID 1492 wrote to memory of 1680	1492	iexplore.exe	31
PID 1492 wrote to memory of 1680	1492	iexplore.exe	31
PID 1492 wrote to memory of 1680	1492	iexplore.exe	31
PID 1680 wrote to memory of 1440	1680	IEXPLORE.EXE	32
PID 1680 wrote to memory of 1440	1680	IEXPLORE.EXE	32
PID 1680 wrote to memory of 1440	1680	IEXPLORE.EXE	32
PID 1680 wrote to memory of 1440	1680	IEXPLORE.EXE	32

C:\Users\Admin\AppData\Local\Temp\67cf719a695ae1b769da9253901c26d8.exe
"C:\Users\Admin\AppData\Local\Temp\67cf719a695ae1b769da9253901c26d8.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:840
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://bbs.360.cn/thread-15667307-1-1.html
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://bbs.360.cn/thread-15667307-1-1.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa6d309f405230e7a6831b1b040c662a

SHA1
c309d063de6a1d02a8b5585a4338b688ce577d8c

SHA256
ba665b2ba821a36dea9720ad5856c1ac0ee5e5ae607c2fce7f01aee7e46dd652

SHA512
ece8a5cd7aeb2b786fd34f522ad74fdd569405ec7d1742b898f26b9fe869d38924a0715181639a61e418eec6473d0476979a3d1becb06f7081e4cfe0d8408314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t9o3c8r\imagestore.dat

Filesize
9KB

MD5
d4d4f0d4f9639ddd297484b9184c0cbf

SHA1
2861ade3e9bca536e082c23cf822f392a4dfc024

SHA256
5b9b50d06adf70ce8a5ec5fac22e4f845dadc4bdfc332cfa373baeb89a8d1e82

SHA512
273e12b72e4f2268f4a8a70b8f02754dd576df5a53650d7e36e7480e5bb6d5466e0cbf0f2c8e58cd70d265309249c742a5de2aa90494be126efb377458f0285d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8Y7SR4JA.txt

Filesize
604B

MD5
8eeee751ee31dd672bccc38f6c54c471

SHA1
4d63d7879d5875b0cb5f144bf85755219114576f

SHA256
4a8e4c847112b36d4ad4c110fa1668d454250d6e4924890de9782c8364193843

SHA512
a6dd57419393c15d7bd35425dbce2a0a14537d80e6311fecb98e5488470c8e0ac5d2f55a7dbdb5aeb4cb6f839f74ca072dc7c9c9e81e392d21095b5bd5f07828

Download Submit
memory/840-54-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/840-55-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/840-56-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/840-57-0x0000000000400000-0x0000000000B20000-memory.dmp

Filesize
7.1MB

Download
memory/840-58-0x0000000000F10000-0x0000000000F1D000-memory.dmp

Filesize
52KB

Download