adfd47bcff033337b525bbdb2300213dc45344cf4024b5b1cefe3500892e51df | Triage

Submit
Reports

Overview

overview

8

Static

static

1

HD-EnableHyperV.exe

windows7-x64

7

HD-EnableHyperV.exe

windows10-2004-x64

8

Sharing

General

Target

HD-EnableHyperV.exe
Size

24KB
Sample

230316-fb5epsha42
MD5

6c782f5f5a64c0b2d9b1db4c774e416e
SHA1

536d5cf87af69245644efd7c06a06616eee3ff7b
SHA256

adfd47bcff033337b525bbdb2300213dc45344cf4024b5b1cefe3500892e51df
SHA512

364dbd37e4c9bd81ba82f2a5e6c02379dd3b7cd5ec80f25fca0b08c2972c761ee7947e05e7c3ea0b5adc9f7f54df54c77f4406be742cd74749dfaa8ebb064759
SSDEEP

384:IjbMVzPjpeABHWsVI4ASSo/Dkb9lxrZNZBAIqFIYiM8TIrL+Pxh8E9VF0Ny402r:FIWJSBF8IPYiMCrPxWEGf

Score

8^/10

bootkit discovery persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

HD-EnableHyperV.exe

Resource

win7-20230220-es

windows7-x64

9 signatures

1800 seconds

Behavioral task

behavioral2

Sample

HD-EnableHyperV.exe

Resource

win10v2004-20230221-es

bootkit discovery persistence ransomware spyware stealer

windows10-2004-x64

28 signatures

1800 seconds

Malware Config

Targets

- Target
  
  HD-EnableHyperV.exe
- Size
  
  24KB
- MD5
  
  6c782f5f5a64c0b2d9b1db4c774e416e
- SHA1
  
  536d5cf87af69245644efd7c06a06616eee3ff7b
- SHA256
  
  adfd47bcff033337b525bbdb2300213dc45344cf4024b5b1cefe3500892e51df
- SHA512
  
  364dbd37e4c9bd81ba82f2a5e6c02379dd3b7cd5ec80f25fca0b08c2972c761ee7947e05e7c3ea0b5adc9f7f54df54c77f4406be742cd74749dfaa8ebb064759
- SSDEEP
  
  384:IjbMVzPjpeABHWsVI4ASSo/Dkb9lxrZNZBAIqFIYiM8TIrL+Pxh8E9VF0Ny402r:FIWJSBF8IPYiMCrPxWEGf
Score

8^/10

bootkit discovery persistence ransomware spyware stealer
- Downloads MZ/PE file
- Modifies Installed Components in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Bootkit

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Defacement

Tasks

static1

behavioral1

behavioral2

bootkitdiscoverypersistenceransomwarespywarestealer

© 2018-2024

Terms | Privacy