a394e91fb22b6ec8842d6cba17500e5b912cbe7928200afbaea3c1600a37e207

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6221新.exe
Size

265KB
MD5

4372635f940e9263290505d9bfdcbbe4
SHA1

0ae3820396a771cb8f37cc95c3834fac7068c790
SHA256

c0fef0c9cda8bc2da1f0743f9700dbddd58d342383ad598e2a834b7a6f8ae0e6
SHA512

43de006727d7a72e1407416261818d41003ea619c64e053c4898ef53b023a7ce11d2ba9a7b6de7ec100bad1d20c389cb65f503075205f2bb936a6f11f928e5cc
SSDEEP

3072:4EbUmOnQUneuV6yez7W8cnRKdkbuCuma2A6dPnP0A8dq8JOpe37VgEoY46LgjNED:4gQea6yez7W3RSkbu1N5sPTPizoh7D

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	6221新.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe

Executes dropped EXE 3 IoCs

pid	Process
1280	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe
3612	Thunder.exe
3060	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Loads dropped DLL 2 IoCs

pid	Process
1280	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe
3060	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\M:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\W:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\Y:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\Z:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\Q:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\R:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\U:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\E:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\G:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\I:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\O:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\P:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\X:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\B:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\N:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\V:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\H:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\J:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\L:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\S:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
File opened (read-only)	\??\T:	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	6221新.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe
4148	6221新.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3060	{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 1280	4148	6221新.exe	100
PID 4148 wrote to memory of 1280	4148	6221新.exe	100
PID 4148 wrote to memory of 1280	4148	6221新.exe	100
PID 1280 wrote to memory of 3612	1280	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe	103
PID 1280 wrote to memory of 3612	1280	{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe	103
PID 4148 wrote to memory of 3060	4148	6221新.exe	104
PID 4148 wrote to memory of 3060	4148	6221新.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6221新.exe
"C:\Users\Admin\AppData\Local\Temp\6221新.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe
  "C:\Users\Admin\AppData\Local\Temp\{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_EXPAND_SZ /d "C:\Users\Admin\AppData\Local\{E7B69DF1-7F9F-4f0a-B082-F1C17C4C1316}" /f
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\Thunder.exe
    "C:\Users\Admin\AppData\Local\Temp\Thunder.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup" /t REG_EXPAND_SZ /d "C:\Users\Admin\AppData\Local\{E7B69DF1-7F9F-4f0a-B082-F1C17C4C1316}" /f
    3⤵
    - Executes dropped EXE
    PID:3612
- C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe
  "C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe" "C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Thunder.exe

Filesize
73KB

MD5
9d0b3066fe3d1fd345e86bc7bcced9e4

SHA1
e05984a6671fcfecbc465e613d72d42bda35fd90

SHA256
4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e

SHA512
d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLBugHandler.dll

Filesize
186KB

MD5
f76923c7f17614e4f364f800e9a2d090

SHA1
0d95dbf62c8b903f9ee98719cc8df95aba6c45d5

SHA256
c7d45904a5fadebc83dcef3d26fc200d496cda1a4b5f6867e48d106421160828

SHA512
77edc466f59af81e14c8a2a1d638211636d8b27ba1edefb84b654ce21ee9413f82c66e4b7d0c17debbc55da3e2366635d2bd24231ae5eb8d71a8b2683e9787cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\XLBugHandler.dll

Filesize
160KB

MD5
7681eac6c5ebdb7bb8e2d583bfa16341

SHA1
b788d9e9090dc153888fb86e823516c8cf871591

SHA256
e57ebdf2eb9a5cbb9d405974573d33e63f28c9c1a7ed552d0c4bee1eb8d09a43

SHA512
e55a698a85359c8b032996e0b5d5870d2c014dad0d01b71b92c8a73ce5b87289d567731ec2d437f785d71e5ac9675f1a215ec8a5ff8135adb455a4160a05c554

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe

Filesize
1024KB

MD5
92c6763032aa1e11375af275dbd52677

SHA1
ca7a28592e68c216be1e4a8fae423de892f2cb13

SHA256
a5e6631ed7914f49baf9608cb3091eb8a9214d5ff8d01314fa2b80b634db4270

SHA512
3c37dc1835ae930b187f12d1c6436abb2e84b9672a4a2452ee396df17ab7ebd406973e493cb952bbb477063578ba911c6a01223a70e5f1daa02bb0d5fdba0821

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C91C370A-70E4-4ec0-9A81-02C37C354A61}.exe

Filesize
176KB

MD5
d339c73539cdaa70c7ff348cb0e4d597

SHA1
ef247b10ddf7e29cdab4de08657ff36e2a998a1e

SHA256
60b4a4d5dbed67709a4e8d484dcd9099f76eaf27e39c85faa11ecc0a4206b99f

SHA512
dd3199cc4180c5ec0f072ca67f89b62337b6ae5d6b7c4d8ebeafbb33d52c8524e6f82e9674592cfd57ff58e22090a07d2569bb8af0e89495024a3a74a088991f

Download Submit
C:\Users\Admin\AppData\Local\{E7B69DF1-7F9F-4f0a-B082-F1C17C4C1316}\{1FADDC2A-655A-482e-918E-40C134B51508}.lnk

Filesize
864B

MD5
c8f76501f080962d32a52f7f4bd8b154

SHA1
a8429717852263197a13942777eaa8fb6a3ec9a0

SHA256
5f99ec9ef90e6c61765d2409b14ea84b59360ff091583378dc10556d4306af5d

SHA512
bbe90256cd3e6589d48532e21d3fc576b83043af55cd848c8b094d400790e5b95b34998e61313343de4deb3198060a46f3036f082e643c35db65db9ec11c96e7

Download Submit
C:\Users\Admin\AppData\Local\{E7B69DF1-7F9F-4f0a-B082-F1C17C4C1316}\{3341C944-5358-46b8-BC09-ED9D1DD8D691}.lnk

Filesize
1KB

MD5
9afd34ffcdefadd644e35a566a55856a

SHA1
c107f2095cf6e5aaafc3df7b70059c8b89c48191

SHA256
109f06b3c82f7ec80560432acfe05339b6bae3762d95218aa95782e6e11e3516

SHA512
adb30d4b5d8e7413f5362c269cd58b8aec2e9aa83a0eed197fd04476ecd8f3c5b826629514a60e24ee127ebdad15ea00f55e19a47e68ab80b26839f447d39e5b

Download Submit
C:\Users\Admin\Desktop\assistBase.dll

Filesize
44KB

MD5
6bed6dab88b16ed37aa3b4177e9271ed

SHA1
3f3165eae3aa3490135c34be82ed09e9c4c58c47

SHA256
13e9178b2347e5a2865506ade0b566b4877073643921502715dd7b415e2c7510

SHA512
76af2b9b7847e089cc13e82928fbddae473a63841de245872c86b664092f164bffe2a9d16ca8997a083696e85c1429dac25cc917a123770adbadffe72b20cb64

Download Submit
C:\Users\Admin\Desktop\assistBase.dll

Filesize
12KB

MD5
804a1ff3eb8d495312e05a2ffabb9c4a

SHA1
21334dfbc4e22b5a38acc06b576b1fef3d5ce705

SHA256
c45368e52c237444d4a87ae57d2c70629f4d6aa0d7fe54bfd7331905b5a5f4b2

SHA512
1363f2be5f22a7d3a60fb50fed9bdc8e12f39e12af190877a177e888de1ece75c3a8df691c67eb5abf27e14acf0cdf8a3daacf7e8e1f8e8f52a758dca65d38e9

Download Submit
C:\Users\Admin\Desktop\downloaded_content.txt

Filesize
515KB

MD5
15290fc8f641fa38e96bd208e70e9654

SHA1
fcca666640c53960a779e0ec6594d6d3feae7694

SHA256
0967a47a5f1d734dda6abfd53f4f81d70509e360a8ab6a6474f349e8b1352909

SHA512
5ee1be332d8a68a331070bc2bae998199995f71ff9b65b07725ae316327cee55214263fa5423fd585cbbd76be885dbf61d0bd4922ec211a63959f889455cec5d

Download Submit
C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Filesize
806KB

MD5
b3f9eef2b467793d8b103bf19f557439

SHA1
25bef6f3022414dcad89cf14dbdfbfb74550267c

SHA256
55bf2c6aa048121ca3f0f1797936c56296c3a717babe9fb4a77a2c60bdf6910c

SHA512
637905383c7ff5947249cd209b15c38c1b3f0992549a42e6ca2497c8b9ed614bf7bc4d44abc305db968fe38ce9e7a3ec419351e70d0c20811ec39733d34cfcad

Download Submit
C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Filesize
35KB

MD5
417c6664ef51618f5b8488aaf3994ce7

SHA1
22d46528cf43d696d95cf83627887be3de583fcf

SHA256
ca84c30bb0ebe9d29fe10b91501b66394287a56c5ee2755472d235095518d70b

SHA512
729575838ae5a75dba66eece3df596560bd67279e8c9b83c03198594bf513e442f19384495e3a14f151247020bcf76c6a85e8a255f441bcde858e59fc7db79a3

Download Submit
C:\Users\Admin\Desktop\{5F7323A3-2309-4ddf-8792-938647AE1E0C}.exe

Filesize
21KB

MD5
d056f288b27111a15611e2e06418956c

SHA1
29a361a493de58ab7f8c16e73eacfb7b2a504302

SHA256
6f09f9da58d5e8dbbeb940830a8815b6cf962334e2f265643cc871a54604b892

SHA512
c964dbe6f9bccca24a78f38d27b2838328ade8b853e7f7d32332f6a692ba689c4ca021f15f7f24bdd06b341a22566142246008e9b45815b0de5f117b10b67073

Download Submit
memory/1280-76-0x0000000035DC0000-0x0000000035DD0000-memory.dmp

Filesize
64KB

Download
memory/3060-110-0x0000000002000000-0x0000000002001000-memory.dmp

Filesize
4KB

Download
memory/3060-114-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-125-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-104-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3060-123-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-109-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-108-0x0000000001F70000-0x0000000001FF1000-memory.dmp

Filesize
516KB

Download
memory/3060-106-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-105-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-113-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-112-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/3060-100-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3060-115-0x0000000002EC0000-0x0000000002EFA000-memory.dmp

Filesize
232KB

Download
memory/3060-116-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-117-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3060-118-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-119-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-121-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-120-0x0000000003000000-0x0000000003041000-memory.dmp

Filesize
260KB

Download
memory/3060-122-0x0000000001EE0000-0x0000000001F46000-memory.dmp

Filesize
408KB

Download
memory/4148-12-0x000001631D710000-0x000001631D771000-memory.dmp

Filesize
388KB

Download
memory/4148-13-0x0000000180000000-0x00000001801E9000-memory.dmp

Filesize
1.9MB

Download