f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4

General

Target

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Size

4.1MB
MD5

cd4839fbc22c6fccab4c3170c845bfdb
SHA1

2f0edc79f6248f17c61e86d02be38c6d6b11b75b
SHA256

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4
SHA512

2e8a55d8ad8916a9772e73956244d1ec68c35963395fd7d71fd9ae881ab72bb30d04aa39427420fc44460e2a03a39ddc9937b69bebb6ca74835573350b605524
SSDEEP

98304:9/4JXInxCzh+jyHbhGYndKYJ/mtnZCYiZ6c+RCHuY:9/4JX0xa+jy5np8nAZ6aHu

Score

7^/10

bootkit persistence vmprotect

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/744-54-0x0000000000260000-0x0000000000AD1000-memory.dmp	vmprotect
behavioral1/memory/744-56-0x0000000000260000-0x0000000000AD1000-memory.dmp	vmprotect
behavioral1/memory/744-96-0x0000000000260000-0x0000000000AD1000-memory.dmp	vmprotect

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Modifies Internet Explorer settings 1 TTPs 11 IoCs

adware spyware

Modify Registry

T1112

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\Total = "63"	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\virtualhardwares.com\NumberOfSubdomains = "1"	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com\ = "63"	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.virtualhardwares.com	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

pid	process
744	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
744	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description pid process

Token: SeDebugPrivilege 744 f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

description	pid	process
Token: SeDebugPrivilege	744	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

pid	process
744	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
744	f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe

C:\Users\Admin\AppData\Local\Temp\f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe
"C:\Users\Admin\AppData\Local\Temp\f63c549707775b9add6dc22526df887ea868f789c81824416db2bce6af8a50a4.exe"
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/744-54-0x0000000000260000-0x0000000000AD1000-memory.dmp

Filesize
8.4MB

Download
memory/744-56-0x0000000000260000-0x0000000000AD1000-memory.dmp

Filesize
8.4MB

Download
memory/744-96-0x0000000000260000-0x0000000000AD1000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads