Analysis

  • max time kernel
    154s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-03-2023 15:44

General

  • Target

    PassMark PerformanceTest 10.2.1008 Portable/App/PerformanceTest/PerformanceTest32.exe

  • Size

    36.2MB

  • MD5

    ca67450c01c5c8025f570e0d9c72fe79

  • SHA1

    5eb81d0db35d1362d87240e783d0f0ccc50fe7e9

  • SHA256

    9b66fb8fc58b93195516e759e7dbccfa6f7ebbe195a0fc4e9a16955307315624

  • SHA512

    c592d8263d06a70c382aed2ded45228f39d343b8e6d39dbcf8f2bea7b2e8b8c5947a325069b33c9be1f387b470bbeba0da60760bc3c0a4393dc91b28b03681f3

  • SSDEEP

    393216:jsIUPGkuHxSyqs7jFQws80KmDJ2mXynzlJKOXpTU2KqdmdLaBh1F8:jzUPaDjxonaBhw

Malware Config

Signatures

  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 1 IoC)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks SCSI registry key(s) (3 TTPs, 4 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store (2 TTPs, 7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PassMark PerformanceTest 10.2.1008 Portable\App\PerformanceTest\PerformanceTest32.exe
    "C:\Users\Admin\AppData\Local\Temp\PassMark PerformanceTest 10.2.1008 Portable\App\PerformanceTest\PerformanceTest32.exe"
    • Enumerates connected drives
    • Maps connected drives based on registry
    • Writes to the Master Boot Record (MBR)
    • Checks SCSI registry key(s)
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:5068

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    • Bootkit (1) T1067
  • Defense Evasion
    • Install Root Certificate (1) T1130
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (4) T1012
    • Peripheral Device Discovery (3) T1120
    • System Information Discovery (3) T1082
