36f4a643b55ba7dcba92c8a8e1ef5f05bf2acc1d866ea1d8752a926f848cca44

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrossFire WallHack by F.R.sesin/CF-Inject.exe
Size

804KB
MD5

04f837132953fb007d1333eeabb77655
SHA1

9a756c0c3a650a7350825b7c5b85dfdad471ade8
SHA256

8849fb37089286839e9b7a488da619870714a86f7e2f25cec386b3652902cffb
SHA512

caee2bace240b54e16527ee4f9021cdbfec702631a93f1be3be16081dcf3aa79efe9aff8122ae027c0d42df70969d083cfa1d454a676ad2ee5b29610183e109e
SSDEEP

24576:tewaMhX281y6QCZZZ4mVFb9PGpyFqbID6:vXZ1y6QCZ8mVTKyFq

Score

7^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine	CF-Inject.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	CF-Inject.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	CF-Inject.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2844	CF-Inject.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe
2844	CF-Inject.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2844	CF-Inject.exe

C:\Users\Admin\AppData\Local\Temp\CrossFire WallHack by F.R.sesin\CF-Inject.exe
"C:\Users\Admin\AppData\Local\Temp\CrossFire WallHack by F.R.sesin\CF-Inject.exe"
1⤵
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2844-0-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-4-0x0000000004440000-0x0000000004441000-memory.dmp

Filesize
4KB

Download
memory/2844-14-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/2844-13-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/2844-12-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/2844-11-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/2844-10-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2844-9-0x00000000043F0000-0x00000000043F1000-memory.dmp

Filesize
4KB

Download
memory/2844-8-0x00000000044B0000-0x00000000044B1000-memory.dmp

Filesize
4KB

Download
memory/2844-7-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/2844-6-0x00000000044A0000-0x00000000044A1000-memory.dmp

Filesize
4KB

Download
memory/2844-5-0x0000000004670000-0x0000000004671000-memory.dmp

Filesize
4KB

Download
memory/2844-3-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-15-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-16-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-17-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-18-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-19-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-20-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-21-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-22-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-23-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-24-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-25-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-26-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-27-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-28-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-29-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2844-30-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download