Overview

overview

10

Static

static

10

Bootkits/5...1a.exe

windows7-x64

1

Bootkits/5...1a.exe

windows10-2004-x64

6

Bootkits/6...86.exe

windows7-x64

7

Bootkits/6...86.exe

windows10-2004-x64

7

Bootkits/8...f6.msi

windows7-x64

7

Bootkits/8...f6.msi

windows10-2004-x64

7

Bootkits/f...b1.exe

windows7-x64

7

Bootkits/f...b1.exe

windows10-2004-x64

Rootkits/0...c7.exe

windows7-x64

8

Rootkits/0...c7.exe

windows10-2004-x64

8

Rootkits/0...6d.exe

windows7-x64

10

Rootkits/0...6d.exe

windows10-2004-x64

1

Rootkits/0...ae.exe

windows7-x64

1

Rootkits/0...ae.exe

windows10-2004-x64

1

Rootkits/0...3e.exe

windows7-x64

7

Rootkits/0...3e.exe

windows10-2004-x64

10

Rootkits/0...10.exe

windows7-x64

7

Rootkits/0...10.exe

windows10-2004-x64

7

Rootkits/2...8e.dll

windows7-x64

1

Rootkits/2...8e.dll

windows10-2004-x64

1

Rootkits/2...a4.exe

windows7-x64

10

Rootkits/2...a4.exe

windows10-2004-x64

Rootkits/4...1b.exe

windows7-x64

7

Rootkits/4...1b.exe

windows10-2004-x64

7

Rootkits/6...d9.exe

windows7-x64

1

Rootkits/6...d9.exe

windows10-2004-x64

1

Rootkits/7...e8.exe

windows7-x64

7

Rootkits/7...e8.exe

windows10-2004-x64

7

Rootkits/8...22.exe

windows7-x64

1

Rootkits/8...22.exe

windows10-2004-x64

1

Rootkits/9...99.exe

windows7-x64

8

Rootkits/9...99.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    192s
  • max time network
    61s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    08-11-2023 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Rootkits/044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe

  • Size

    246KB

  • MD5

    5b65e0442761c3ba7ab13f19e696a3ad

  • SHA1

    840cd5fabb617cdfd848ff29253b4cce79213a35

  • SHA256

    044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d

  • SHA512

    a5af3f57bbeea72a98fa3fcf499f98e568994a9ea29ab5558fc691d83d97decf2c9aa17d2f157442baf63c06b8fcc3c604a5098289c991cd7b061cb22cd64ec7

  • SSDEEP

    3072:dZvq0Fnr1gWPgOYVkN6rnhccEYMY2wuoyq8pq+8MhHRIK8k4B7KHpwRXDYNdY2vx:dZvdr1bkVkNwzEJwu1Z/L8hgpwZY79

Score
10/10
evasion

Malware Config

Signatures

  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:484
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:468
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
          2⤵
            PID:1060
          • C:\Windows\system32\sppsvc.exe
            C:\Windows\system32\sppsvc.exe
            2⤵
              PID:2076
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
              2⤵
                PID:2224
              • C:\Windows\system32\taskhost.exe
                "taskhost.exe"
                2⤵
                  PID:1120
                • C:\Windows\System32\spoolsv.exe
                  C:\Windows\System32\spoolsv.exe
                  2⤵
                    PID:916
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k NetworkService
                    2⤵
                      PID:272
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalService
                      2⤵
                        PID:972
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs
                        2⤵
                          PID:860
                        • C:\Windows\System32\svchost.exe
                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                          2⤵
                            PID:816
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                            2⤵
                            • Modifies security service
                            PID:764
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k RPCSS
                            2⤵
                              PID:680
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k DcomLaunch
                              2⤵
                                PID:600
                            • C:\Windows\system32\winlogon.exe
                              winlogon.exe
                              1⤵
                                PID:424
                              • C:\Windows\system32\lsm.exe
                                C:\Windows\system32\lsm.exe
                                1⤵
                                  PID:492
                                • C:\Windows\Explorer.EXE
                                  C:\Windows\Explorer.EXE
                                  1⤵
                                  • Suspicious behavior: GetForegroundWindowSpam
                                  PID:1204
                                  • C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe
                                    "C:\Users\Admin\AppData\Local\Temp\Rootkits\044d94183a778f39e47f255fcb985d20bfd885771a74217cfbca9e63d7d9936d.exe"
                                    2⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:2648
                                • C:\Windows\system32\Dwm.exe
                                  "C:\Windows\system32\Dwm.exe"
                                  1⤵
                                    PID:1176

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • memory/272-164-0x0000000000910000-0x000000000093A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/272-96-0x0000000000910000-0x000000000093A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/272-104-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/424-52-0x0000000000870000-0x000000000089A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/424-12-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/424-10-0x0000000077431000-0x0000000077432000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/424-9-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/424-8-0x0000000000870000-0x000000000089A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/424-6-0x00000000004F0000-0x0000000000513000-memory.dmp

                                    Filesize

                                    140KB

                                    Download

                                  • memory/424-4-0x00000000004F0000-0x0000000000513000-memory.dmp

                                    Filesize

                                    140KB

                                    Download

                                  • memory/468-18-0x0000000000120000-0x000000000014A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/468-61-0x0000000000120000-0x000000000014A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/468-19-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/468-20-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/484-29-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/484-28-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/484-26-0x0000000000A50000-0x0000000000A7A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/484-74-0x0000000000A50000-0x0000000000A7A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/492-32-0x00000000004C0000-0x00000000004EA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/492-35-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/492-38-0x00000000004C0000-0x00000000004EA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/492-42-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/492-83-0x00000000004C0000-0x00000000004EA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/600-45-0x00000000004D0000-0x00000000004FA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/600-41-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/600-90-0x00000000004D0000-0x00000000004FA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/600-37-0x00000000004D0000-0x00000000004FA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/600-44-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/680-53-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/680-55-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/680-114-0x00000000003F0000-0x000000000041A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/680-50-0x00000000003F0000-0x000000000041A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/764-56-0x0000000000A30000-0x0000000000A5A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/764-68-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/764-119-0x0000000000A30000-0x0000000000A5A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/764-63-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/816-126-0x0000000000890000-0x00000000008BA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/816-64-0x000007FEBED70000-0x000007FEBED80000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/816-60-0x0000000000890000-0x00000000008BA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/816-65-0x0000000000890000-0x00000000008BA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/816-66-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/860-73-0x0000000000870000-0x000000000089A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/860-146-0x0000000000870000-0x000000000089A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/860-77-0x0000000000870000-0x000000000089A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/916-108-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/916-101-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/916-166-0x0000000001BC0000-0x0000000001BEA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/972-93-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/972-86-0x0000000000880000-0x00000000008AA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/972-82-0x0000000000880000-0x00000000008AA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/972-156-0x0000000000880000-0x00000000008AA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1060-170-0x00000000008D0000-0x00000000008FA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1060-116-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1060-111-0x00000000008D0000-0x00000000008FA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1120-121-0x0000000001B70000-0x0000000001B9A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1120-123-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1120-171-0x0000000001B70000-0x0000000001B9A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1176-132-0x0000000001C30000-0x0000000001C5A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1176-172-0x0000000001C30000-0x0000000001C5A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1176-136-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/1204-139-0x0000000002990000-0x00000000029BA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1204-173-0x0000000002990000-0x00000000029BA000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/1204-144-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2076-175-0x00000000007F0000-0x000000000081A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/2076-160-0x00000000007F0000-0x000000000081A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/2076-168-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2224-150-0x0000000000140000-0x000000000016A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/2224-153-0x0000000037420000-0x0000000037430000-memory.dmp

                                    Filesize

                                    64KB

                                    Download

                                  • memory/2224-174-0x0000000000140000-0x000000000016A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/2648-3-0x00000000771C0000-0x00000000772DF000-memory.dmp

                                    Filesize

                                    1.1MB

                                    Download

                                  • memory/2648-1-0x00000000773E0000-0x0000000077589000-memory.dmp

                                    Filesize

                                    1.7MB

                                    Download

                                  • memory/2648-169-0x0000000000230000-0x000000000025A000-memory.dmp

                                    Filesize

                                    168KB

                                    Download

                                  • memory/2648-34-0x00000000773E0000-0x0000000077589000-memory.dmp

                                    Filesize

                                    1.7MB

                                    Download