Overview

overview

8

Static

static

1

288c9db43e...09.exe

windows7-x64

8

288c9db43e...09.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-03-2023 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    288c9db43eefa78a005aad3606eb26f57f6acc45c750349e79e09cdde7e22c09.exe

  • Size

    2.0MB

  • MD5

    65131a7f489514b5be72c1dd94a46f40

  • SHA1

    ae73dee3fa6b12aea76d71e781b706cc2d0b64d1

  • SHA256

    288c9db43eefa78a005aad3606eb26f57f6acc45c750349e79e09cdde7e22c09

  • SHA512

    a8ab17fb80368f3dbb2754b81f962384977f2f8d829e92bd8403ce74ac230e4250942c1321cda018f447c2c7fc6453867a7e3dae75a497cbb217348433525f9f

  • SSDEEP

    49152:sk9+GAL69ZhqdxIT9H2Q10H7y3O216k4xIUi9hOyiUMBaM:sk9+GAO9ZhqdxIpWHmNFJr9hOyiUMBaM

Score
8/10
bootkitevasionpersistencetrojanupx

Malware Config

Signatures

  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 14 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\288c9db43eefa78a005aad3606eb26f57f6acc45c750349e79e09cdde7e22c09.exe
    "C:\Users\Admin\AppData\Local\Temp\288c9db43eefa78a005aad3606eb26f57f6acc45c750349e79e09cdde7e22c09.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:912
    • C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe" -Pid:"912" -LogFileName:"C:\Users\Admin\AppData\Local\Temp\kantivirus\semPacketDllLog.log" -InstallPath:"C:\Users\Admin\AppData\Local\Temp\kantivirus" -Tid1:"168" -Tid2:"100" -Tod1:"83" -Tod2:"23" -IId:"209819133" -UUID:"83D09ACBB464B2B9156F20C4E5B4E55F" -TryNo:"1335" -SvrId:"2023.SP0.7" -StrategyList:"0;1;2;3;4|0;2;3;4" -Version:"3" -ProductInstalled:"0" -CompetitorMask:"0" -CompetitorInstalled:"0"
      2⤵
      • Executes dropped EXE
      PID:1600

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxecom.kid
    Filesize

    1B

    MD5

    7215ee9c7d9dc229d2921a40e899ec5f

    SHA1

    b858cb282617fb0956d960215c8e84d1ccf909c6

    SHA256

    36a9e7f1c95b82ffb99743e0c5c4ce95d83c9a430aac59f84ef3cbfab6145068

    SHA512

    f90ddd77e400dfe6a3fcf479b00b1ee29e7015c5bb8cd70f5f15b4886cc339275ff553fc8a053f8ddc7324f45168cffaf81f8c3ac93996f6536eef38e5e40768

    Download Submit

  • C:\ProgramData\Kingsoft\KIS\hg.dat
    Filesize

    53B

    MD5

    33a6e990ee010b43cfe49efec2a07ad3

    SHA1

    680dfb641fc1347f27c07b074f3165a48b0c75d8

    SHA256

    0d5d5a076476e3709fe1ef5622ae44d6902765734c0155823fc9aba55894c0c4

    SHA512

    a204538c6bcafd82b324f95ce3053ca1e1ee5322d18d771bf4bddccf6c2b99685920fe70ff8e20b6ba4984416dd601c8ce00fab6ffe81bdd77fa871c1714063d

    Download Submit

  • C:\ProgramData\dbazdk03.dat
    Filesize

    35KB

    MD5

    dea1a9339b742ec35a94b8e6ba0431e9

    SHA1

    e220cdca69b7a65645dd4a18b707ddbc74d42f41

    SHA256

    1c38a63480ee790eb22267119f453c5f206a627e6d2a1b5cbafcdec96e1a7376

    SHA512

    437b7edfa1d302bb34a820a20892632b80d49ceb96a6f72898b4d2932892e1170677358ee8cdfa044acfca2a4367ebe3c3dbfd3448a416c6e9669a057a438d9d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.dll
    Filesize

    92.3MB

    MD5

    e492e9c82991f210a21f92c7e6664c5a

    SHA1

    7ecfc3ed5a23ecbe52397b4efd890d0eda405978

    SHA256

    a19252b00aaf0f1fe4d8f479098c3bf2d89f80e9d51cffa82f2c69f163d172ea

    SHA512

    669ff7a020aaac47cd1a1614c330dede60de30399935dce4b71d006391c1294ccf331ffaabf74facd4c99fec6cd556db39db5bc58b052c0972f3a9090ab74304

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\install_res\installconfig.ini
    Filesize

    86B

    MD5

    2f072e61844a768970152819580e1fb8

    SHA1

    217c7ab78787a78b574dac610eeafc924842cb32

    SHA256

    424e8a33302671b467f699946118dd662758bf40a0afa1dc35580e268428d3e4

    SHA512

    c50e790e57eaea6bd895c701633092495a8946419a85840c4bace25e4d2aad8f4a1faae6edc4868a33151e4fd78924f20d04ba7a88617c1d4e6a74427d117196

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
    Filesize

    409KB

    MD5

    39ce66cbf9cbf36472d3dec7332f0451

    SHA1

    625ab0e27ebf28b49627c156f8c4595c979adbed

    SHA256

    446ca743f9f5d6364bbb46f4dce62ab754878b593b285890edec1e501357c533

    SHA512

    00a3750b9c4b11bfb220db4123dc100d1b6f1fe1321ccaf3a825aa4b1918cd6039467cae5109a2a3eee77e59f30685c49e3bd7af8a26cb6358ce63e9de90a268

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kantivirus\kavsetup.log
    Filesize

    4KB

    MD5

    f1e9243510c2e132a78a8b482e60acb3

    SHA1

    6eac95af43a85c4d07f007fed182b13745b5276a

    SHA256

    871e2f94293d77d246a2221600a8349961c348d43f090b43c50890c371290aca

    SHA512

    df3db96e4a25a9830a24711ab4e14eaa7471f6035e4ee10e207d5b138872237dfdf7cd2d4ee7ab5fbb805dbab666e7a13f911074e37f5afbe754a4dec4789de0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kantivirus\semPacketDllLog.log
    Filesize

    40KB

    MD5

    dcf56cde00c8c863358c199a1e820b5d

    SHA1

    89f2f9d2d27bac2e9d1573c9ed39ffedb7a0a21b

    SHA256

    d2e2d2dc2c566732a844fcd6a50a2e9a70190e14f9cf230817696c5e46dcb292

    SHA512

    8677a9e6c40308e7b2a2e1841371d166129a9cacfd8edeb8b08a7612480c71fd7753150d3b1abdc0c243ab75944026c34b95af220219338d6239b011a9927bd8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\duba_u23850015_sv1_83_23.dll
    Filesize

    92.3MB

    MD5

    e492e9c82991f210a21f92c7e6664c5a

    SHA1

    7ecfc3ed5a23ecbe52397b4efd890d0eda405978

    SHA256

    a19252b00aaf0f1fe4d8f479098c3bf2d89f80e9d51cffa82f2c69f163d172ea

    SHA512

    669ff7a020aaac47cd1a1614c330dede60de30399935dce4b71d006391c1294ccf331ffaabf74facd4c99fec6cd556db39db5bc58b052c0972f3a9090ab74304

    Download Submit

  • \Users\Admin\AppData\Local\Temp\kantivirus\InstallHelper.exe
    Filesize

    409KB

    MD5

    39ce66cbf9cbf36472d3dec7332f0451

    SHA1

    625ab0e27ebf28b49627c156f8c4595c979adbed

    SHA256

    446ca743f9f5d6364bbb46f4dce62ab754878b593b285890edec1e501357c533

    SHA512

    00a3750b9c4b11bfb220db4123dc100d1b6f1fe1321ccaf3a825aa4b1918cd6039467cae5109a2a3eee77e59f30685c49e3bd7af8a26cb6358ce63e9de90a268

    Download Submit

  • memory/912-186-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-165-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-169-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-103-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-194-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-97-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-205-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-215-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-151-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-83-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/912-232-0x0000000010000000-0x00000000103D0000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/912-74-0x0000000002300000-0x0000000002301000-memory.dmp

    Filesize

    4KB

    Download