General

  • Target

    ClaimD_UkP(33)

  • Size

    82KB

  • Sample

    230406-h5a43adh5x

  • MD5

    1b538fb655d1ea772726b28a85ec7d15

  • SHA1

    cfd966ba2f7c7ef654465c013686da1c7de6afe9

  • SHA256

    23a5d13793ab459b6af65b981172dedc3ad6e2c745aa5eb79c3f1e948ee89037

  • SHA512

    e2baca3ae7eb094fbda9c65c04d40ede9dfcdf6e29de7fdfc691dfc46d5c54baaa9d2da709cac7757ff7b9910838afdcd836f983e5fefc24cd98305bceb23532

  • SSDEEP

    1536:8AzaBoRHY+8SqpqbKyOxc+IWsEltqlqheN:8AzaBoFYnFp0KA+IWs2tqlvN

Malware Config

Extracted

  • Language

    ps1

  • URLs (type: exe.dropper)

    http://139.180.172.203/oUL2TJbgdevk.dat
    http://154.7.253.203/iD6lQK.dat
    http://198.44.140.75/ObaPI.dat
    http://137.74.39.237/fkxoEdG.dat
    http://87.236.146.53/PsEwwF0hC.dat
    http://103.214.71.131/rehbF3vo.dat
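
The six exe.dropper URLs are the actionable network IOCs in this report. The following is an added example, not part of the sandbox report, that turns them and the sample's hashes into an IOC set and sweeps proxy logs with it. The Squid-style access.log format, the log lines themselves and the matching rules (host hit = high confidence, path-only hit on an unlisted host = lead to confirm with the downloaded body's hash) are assumptions made for illustration.

```python
"""Added example: turn the extracted exe.dropper URLs and the sample hashes
from this report into IOCs and sweep proxy logs with them.
The proxy log format (Squid access.log style) and the matching rules are
assumptions made for illustration; the log lines below are constructed."""
import hashlib
import re
from urllib.parse import urlparse

# exe.dropper URLs exactly as listed in the report's extracted config.
DROPPER_URLS = [
    "http://139.180.172.203/oUL2TJbgdevk.dat",
    "http://154.7.253.203/iD6lQK.dat",
    "http://198.44.140.75/ObaPI.dat",
    "http://137.74.39.237/fkxoEdG.dat",
    "http://87.236.146.53/PsEwwF0hC.dat",
    "http://103.214.71.131/rehbF3vo.dat",
]

# Hashes of the analysed sample, as listed in the report.
SAMPLE_HASHES = {
    "md5": "1b538fb655d1ea772726b28a85ec7d15",
    "sha1": "cfd966ba2f7c7ef654465c013686da1c7de6afe9",
    "sha256": "23a5d13793ab459b6af65b981172dedc3ad6e2c745aa5eb79c3f1e948ee89037",
}


def build_iocs(urls):
    """Split the URLs into hosts and paths so each can be matched separately:
    the dropper rotates through six IPs, and a payload path may reappear on a
    host that is not yet on the list."""
    hosts, paths = set(), set()
    for url in urls:
        parsed = urlparse(url)
        hosts.add(parsed.hostname)
        paths.add(parsed.path)
    return {"hosts": hosts, "paths": paths}


# Constructed Squid-style access.log lines:
# timestamp elapsed client status/code bytes method url ident hierarchy type
PROXY_LOG = """\
1680780000.123    210 10.0.0.15 TCP_MISS/200 84213 GET http://139.180.172.203/oUL2TJbgdevk.dat - HIER_DIRECT/139.180.172.203 application/octet-stream
1680780001.456     45 10.0.0.15 TCP_MISS/200 512 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1680780002.789    180 10.0.0.22 TCP_MISS/200 84213 GET http://203.0.113.9/iD6lQK.dat - HIER_DIRECT/203.0.113.9 application/octet-stream
1680780003.000     30 10.0.0.31 TCP_MISS/404 300 GET http://139.180.172.203/favicon.ico - HIER_DIRECT/139.180.172.203 text/html
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def match_proxy_log(lines, iocs):
    """Return (client, url, reason) for every request touching an IOC.
    A host hit is high confidence; a path-only hit on an unknown host is a
    lead that needs the response body or its hash to confirm."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["url"])
        if parsed.hostname in iocs["hosts"]:
            hits.append((m["client"], m["url"], "known dropper host"))
        elif parsed.path in iocs["paths"]:
            hits.append((m["client"], m["url"], "known dropper path on new host"))
    return hits


def hash_matches(data, expected=SAMPLE_HASHES):
    """Compare a file's digests with the report's; all three must agree
    before a quarantined file is treated as this sample."""
    return {name: hashlib.new(name, data).hexdigest() == digest
            for name, digest in expected.items()}


if __name__ == "__main__":
    iocs = build_iocs(DROPPER_URLS)
    for hit in match_proxy_log(PROXY_LOG.splitlines(), iocs):
        print(*hit)
    print(hash_matches(b"not the sample"))
```

Matching on the path alone is deliberately reported as a separate, weaker reason: the dropper's payload names look random, so a recurrence on a new IP is worth a look, but only the body hash settles it.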

Targets

    • Target

      ClaimD_UkP(33)

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
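
The signatures above describe one chain: a blocklisted script host makes a network request, an MZ/PE file is downloaded and executed, and the payload writes to the MBR. An added example, not part of the report, of a correlation rule that fires only when that whole chain is observed on an endpoint. The event schema is a simplified, assumed Sysmon-like shape (not Sysmon's real field names), and the events, process IDs and file paths below are constructed.

```python
"""Added example: a correlation rule for the chain this report's signatures
describe (blocklisted script host makes a network request, downloads an
MZ/PE file, executes the dropped EXE, payload writes to the MBR).
The event schema is a simplified, assumed Sysmon-like shape, not Sysmon's
real field names, and the events below are constructed."""
from collections import defaultdict

# Dropper hosts from the report's extracted config.
DROPPER_HOSTS = {
    "139.180.172.203", "154.7.253.203", "198.44.140.75",
    "137.74.39.237", "87.236.146.53", "103.214.71.131",
}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry: one infection chain, a benign PowerShell session,
# and a lone MBR write by a disk utility that must not alert on its own.
EVENTS = [
    {"type": "process_create", "pid": 1200, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 1200, "dst_ip": "154.7.253.203", "dst_port": 80},
    {"type": "file_create", "pid": 1200, "magic": b"MZ",
     "path": r"C:\Users\victim\AppData\Local\Temp\iD6lQK.exe"},
    {"type": "process_create", "pid": 1340, "ppid": 1200,
     "image": r"C:\Users\victim\AppData\Local\Temp\iD6lQK.exe"},
    {"type": "raw_disk_write", "pid": 1340, "device": r"\\.\PhysicalDrive0",
     "offset": 0, "length": 512},
    {"type": "process_create", "pid": 2000, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network_connect", "pid": 2000, "dst_ip": "93.184.216.34", "dst_port": 443},
    {"type": "process_create", "pid": 2100, "ppid": 800,
     "image": r"C:\Windows\System32\diskpart.exe"},
    {"type": "raw_disk_write", "pid": 2100, "device": r"\\.\PhysicalDrive0",
     "offset": 0, "length": 512},
]


def _new_state():
    return {"script_host": False, "c2": None, "dropped": set(),
            "from_dropper": None, "stages": []}


def correlate(events):
    """Walk events in order; alert only when an MBR write comes from a
    process that was dropped by a script host which talked to a known
    dropper host. An MBR write by itself is noted but never alerted."""
    state = defaultdict(_new_state)
    alerts = []
    for ev in events:
        s = state[ev["pid"]]
        kind = ev["type"]
        if kind == "process_create":
            s["script_host"] = ev["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS
            parent = state[ev["ppid"]]
            if ev["image"].lower() in parent["dropped"]:
                s["from_dropper"] = ev["ppid"]
                s["stages"] = parent["stages"] + ["executes dropped EXE"]
        elif kind == "network_connect":
            if s["script_host"] and ev["dst_ip"] in DROPPER_HOSTS:
                s["c2"] = ev["dst_ip"]
                s["stages"].append("script host contacts dropper host")
        elif kind == "file_create":
            if s["c2"] and ev["magic"] == b"MZ":
                s["dropped"].add(ev["path"].lower())
                s["stages"].append("downloads MZ/PE file")
        elif kind == "raw_disk_write":
            if ev["device"].lower().startswith(r"\\.\physicaldrive") and ev["offset"] == 0:
                s["stages"].append("writes to MBR")
                if s["from_dropper"] is not None:
                    alerts.append({"pid": ev["pid"], "dropper_pid": s["from_dropper"],
                                   "c2": state[s["from_dropper"]]["c2"],
                                   "stages": s["stages"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The rule keys on the parent/child link between the script host and the dropped file rather than on the MBR write alone, which is why the diskpart write in the sample events is recorded as a stage but produces no alert; real Sysmon deployments would map this onto Event IDs 1, 3, 11 and the raw-access events, with the field names adjusted accordingly.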

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1067 Bootkit (1)

  • Defense Evasion

    T1112 Modify Registry (2)
    T1130 Install Root Certificate (1)

  • Discovery

    T1012 Query Registry (3)
    T1120 Peripheral Device Discovery (1)
    T1082 System Information Discovery (3)