Overview

overview

8

Static

static

3

37f1aa17b4...77.exe

windows7-x64

7

37f1aa17b4...77.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37f1aa17b45ba6bac3dc987feed51277.exe

  • Size

    809KB

  • MD5

    37f1aa17b45ba6bac3dc987feed51277

  • SHA1

    e78e385e5e16238889ebd933f6d1ca139a07979e

  • SHA256

    e132565108cb63a3e24eb17b4e43834685efb50ef141dfcb5e8fe74708fb6542

  • SHA512

    9eb11295c4cb831f025a793ed01d52f32df2a805fffbd4cd90524b2e53cf9712c2c6c9c9621575a2203a3d4e506d64e4186d31039eb6702b8164d8c86199ef3b

  • SSDEEP

    24576:+Fb05b0gnC6Ma6OgHmN9VUU6dUpsFRxwZRFLZfA:+lYbDnCVaVgGNTUHdUpORxwTFLpA

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 29 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 61 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\37f1aa17b45ba6bac3dc987feed51277.exe
    "C:\Users\Admin\AppData\Local\Temp\37f1aa17b45ba6bac3dc987feed51277.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4552
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:884
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3588
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3772
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2292
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:1568
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3720
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:3344
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4696
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
    1⤵
    • Enumerates connected drives
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1912
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:2660
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
      1⤵
        PID:3864
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4396
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        PID:4812
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies registry class
          PID:3952
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2168
      • C:\Windows\system32\sihost.exe
        sihost.exe
        1⤵
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\explorer.exe
          explorer.exe /LOADSAVEDWINDOWS
          2⤵
          • Modifies Installed Components in the registry
          • Enumerates connected drives
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:3464

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\privacy.exe
        Filesize

        802KB

        MD5

        2d165f06bcd1f1a03d2e7c4438cc29c2

        SHA1

        e0815e62a72de46e950a3c7db108663289668134

        SHA256

        724e9bb61571645ac5a7e7ae103d423a025c194c02ea4e8aa580c66d6653ba99

        SHA512

        647ae8c217b2302a35b9069a51f10f572d9f3cc12be6fab4ce6abbc8aed34432e59bffc52e12b17717f058598895decd9ae824a361526f054549108d06cbdf24

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
        Filesize

        471B

        MD5

        492eb77e47ee010f2783bd46ce376685

        SHA1

        7ec1e281edcdf52217f32dac7c95f062906e55cd

        SHA256

        783af06109ea9546d8ff8e6cf1e576633b900087b23bcc5eebaf661f75b0a54b

        SHA512

        0853033385b2692969cdd8094e67f46916bb4ba54de5d18ad9eb6a92ec939784bebd461fe8775edeb4d1e7de1ad598b94e63b9ea92cc2449e5e8e9a8d230c3c6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
        Filesize

        412B

        MD5

        58c30ce75bd83c00331424b3f83034c0

        SHA1

        2400bb0ff14ed85595b182951b085b082e0a8188

        SHA256

        5aa22f1023616dd0796d341bb4fd021cd60b757b3f3491cac82de31da36b6326

        SHA512

        87479ab527864777b8266a563d4a1f5922abc4d948a2e14bbafa199aa180412ba73e298c1244ccaa6040f17c626185f108e80026f4efc0aac478e38e190a27e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
        Filesize

        1022B

        MD5

        c04afde6daa12535b6f51d340bd02cfd

        SHA1

        aa13d49bd14f85e43b5fd27608efd90cbb1850c1

        SHA256

        945467ecbc13d00016f2602a3ec5b58c663dc3b3b42228a20e7ff81de43e9dcb

        SHA512

        d94508e727bd6e9a69e6be233bee87a1cc7497f0dff0858756c69a36f1a570384e6ceb5b89a2541e698ee0fd168c69c57d9ec4e3cc4d4903e6831f7d40925781

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\{06514D3F-89A4-4A4E-80E4-323E608AC191}.png
        Filesize

        6KB

        MD5

        099ba37f81c044f6b2609537fdb7d872

        SHA1

        470ef859afbce52c017874d77c1695b7b0f9cb87

        SHA256

        8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

        SHA512

        837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

        Download Submit

      • C:\Users\Public\Desktop\Privacy Protection.lnk
        Filesize

        672B

        MD5

        8ed50be79ae764de5935565dc166bfdd

        SHA1

        78ffac817d06ef7641ed5e6eb5aace017308d625

        SHA256

        2d9708d7d93c981b33ac15c0f7c7791eeba924ca4e6b4409548cfdba59b66881

        SHA512

        3a5e9190df53d6aaf5a48d1f778bac607e236886439cd7532baaa79bde96aaa0dda2b5f06e9e32c49b5ae22aabd7dfcc362c2f0bf01d36d96b9db049c69e1a17

        Download Submit

      • memory/884-19-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-13-0x0000000002600000-0x0000000002609000-memory.dmp

        Filesize

        36KB

        Download

      • memory/884-82-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-20-0x00000000025F0000-0x00000000025F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/884-81-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-23-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-24-0x0000000002600000-0x0000000002609000-memory.dmp

        Filesize

        36KB

        Download

      • memory/884-26-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-32-0x00000000025F0000-0x00000000025F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/884-35-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-16-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-78-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-15-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-18-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-77-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-73-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-56-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-72-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-63-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-64-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/884-65-0x0000000000400000-0x0000000000AF5000-memory.dmp

        Filesize

        7.0MB

        Download

      • memory/2168-42-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3464-48-0x0000000004770000-0x0000000004771000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4552-1-0x0000000000400000-0x00000000005B6000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/4552-6-0x0000000000400000-0x00000000005B6000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/4552-21-0x00000000023B0000-0x00000000023B9000-memory.dmp

        Filesize

        36KB

        Download

      • memory/4552-0-0x00000000023B0000-0x00000000023B9000-memory.dmp

        Filesize

        36KB

        Download