4a210e3c6c2fc8cee8cfb374c61ba2a7912022e963824d8266e20748bf7398b9

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d8be23e4fb067497d62a6119b026e34.exe
Size

464KB
MD5

1d8be23e4fb067497d62a6119b026e34
SHA1

018c990cea55c429fdc602d2f93d6a752edd3805
SHA256

4a210e3c6c2fc8cee8cfb374c61ba2a7912022e963824d8266e20748bf7398b9
SHA512

e486f7c4f8a56ebad70a628d5a3d8b54ddeb07a37b1b1770cbee3f88d5acb8010380a1dcd1d2ec33ba421ef9877cddb7209f0da0782e52ea8fdf92d7f38b87c3
SSDEEP

12288:4/pm2a4XMxWANZ8w5gUEnETQEIgDd0PrhVkq0YE6Jb2lDosy:4R0uMxBvhgUTEEIgMv0YE6ha7y

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	1d8be23e4fb067497d62a6119b026e34.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ÅôÉÙ.dll	1d8be23e4fb067497d62a6119b026e34.exe
File created	C:\Windows\SysWOW64\ÄÚ´æ´úÂë.txt	1d8be23e4fb067497d62a6119b026e34.exe
File opened for modification	C:\Windows\SysWOW64\ÅôÉÙ.dll	1d8be23e4fb067497d62a6119b026e34.exe
File created	C:\Windows\SysWOW64\ceAte×¢Èë.ime	1d8be23e4fb067497d62a6119b026e34.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	1d8be23e4fb067497d62a6119b026e34.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: 33	2280	1d8be23e4fb067497d62a6119b026e34.exe
Token: SeIncBasePriorityPrivilege	2280	1d8be23e4fb067497d62a6119b026e34.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe
2280	1d8be23e4fb067497d62a6119b026e34.exe

C:\Users\Admin\AppData\Local\Temp\1d8be23e4fb067497d62a6119b026e34.exe
"C:\Users\Admin\AppData\Local\Temp\1d8be23e4fb067497d62a6119b026e34.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ceAte×¢Èë.ime

Filesize
52KB

MD5
c19a9f52996c85527e500747a7d69749

SHA1
ad867382e1f3696f1a46a577c62e49cbd3b03a14

SHA256
1c335c6d63bdf8fc0382bca35a0da10b2b0d4f338f85e18189beab13c45a942b

SHA512
e54323b141d813499b9e763de8df06870fa6a225d1403bd1bec49dc4a0996d11f53706bb6fe58a11f5dc639999a51a8f99d4241b54a1edaf75ba43a30dd78f12

Download Submit
memory/2280-51-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-54-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-46-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-47-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-48-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-49-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2280-50-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-1-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2280-52-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-53-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-55-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-56-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-57-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-58-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-59-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-60-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download
memory/2280-61-0x0000000000400000-0x00000000014CBA3A-memory.dmp

Filesize
16.8MB

Download