f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

6.1MB
MD5

04155ed507699b4e37532e8371192c0b
SHA1

a14107131237dbb0df750e74281c462a2ea61016
SHA256

b6371644b93b9d3b9b32b2f13f8265f9c23ddecc1e9c5a0291bbf98aa0fc3b77
SHA512

6de59ebbc9b96c8a19d530caa13aa8129531ebd14b3b6c6bbb758426b59ed5ab12483bfa232d853af2e661021231b4b3fcc6c53e187eeba38fa523f673115371
SSDEEP

98304:hvOOFJ+Z8eAgy7SH9s76RSvyqJOBgECfMfYv+85JH0DVczt8A:hvOOFJ+ggr9s76R+wcMAv+IHCczt8

Score

10^/10

bootkit discovery evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	[email protected]

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

[email protected]

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest [email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	[email protected]

Drops file in Drivers directory 4 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	[email protected]
File opened for modification	C:\Windows\System32\drivers\etc\hosts	[email protected]
File created	C:\Windows\system32\drivers\etc\host_new	[email protected]
File created	C:\Windows\System32\drivers\etc\hosts	[email protected]

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1518.001

Processes:

[email protected]

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\ [email protected]
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Eset\Nod\	[email protected]

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	[email protected]

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

[email protected]

description	ioc	process
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\V:	[email protected]

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

[email protected]

description ioc process

File opened for modification \??\PhysicalDrive0 [email protected]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1952 2320 WerFault.exe [email protected]

description	ioc	process
File opened for modification	\??\PhysicalDrive0	[email protected]

pid	pid_target	process	target process
1952	2320	WerFault.exe	[email protected]

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\IIL = "0"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\ltHI = "0"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Internet Explorer\ltTST = "23346"	[email protected]

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

[email protected]

pid	process
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]
2320	[email protected]

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

[email protected]

description	pid	process	target process
PID 2320 wrote to memory of 1952	2320	[email protected]	WerFault.exe
PID 2320 wrote to memory of 1952	2320	[email protected]	WerFault.exe
PID 2320 wrote to memory of 1952	2320	[email protected]	WerFault.exe
PID 2320 wrote to memory of 1952	2320	[email protected]	WerFault.exe

System policy modification 1 TTPs 7 IoCs

evasion

Modify Registry

T1112

Processes:

[email protected]

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "2"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "2"	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	[email protected]
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	[email protected]

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- UAC bypass
- Enumerates VirtualBox registry keys
- Drops file in Drivers directory
- Checks for any installed AV software in registry
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 952
  2⤵
  - Program crash
  PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ISNCTG\ISFSBPYJWG.cfg

Filesize
185B

MD5
b8224e5293d4fad1927c751cc00c80e7

SHA1
270b8c752c7e93ec5485361fe6ef7b37f0b4513b

SHA256
c47da9be4fc4d757add73c49654c9179067af547d0cc758d6356e2955bbfcb61

SHA512
8fed9a509e46319529145fa2159251e43040d26080af84e44badaab1dd339c767ff75a2c473bc0abfb448b03beb96718ee34ba6bc150ed3085322878b55a22f2

Download Submit
C:\Windows\System32\drivers\etc\host_new

Filesize
977B

MD5
53316bc0c42b9d65743709021f1d03c7

SHA1
44cfe377bf7fedee2ce8f888cfacefd283e924e6

SHA256
600d914eb6b9ffb387be5b7300ca138192a4e86c4679c9bff36bcf0364e74b36

SHA512
9b390f6d7955413c8d63d02dff6988442cf78bbfb72e12f7deab56b190c1a7f455c5af3344ee5a1f7477d383c24e567af4fb7639ab6d9f014935418bf1cf00f6

Download Submit
memory/2320-54-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2320-213-0x0000000013140000-0x0000000013764000-memory.dmp

Filesize
6.1MB

Download
memory/2320-214-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download