e0ee2adfc14cdaf8e4163bb67a81e390cd3a5592c65bcd34623d7c05a1bc9a08

Analysis

max time kernel
144s
max time network
135s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c0a3e000138e3ad4f00e8ada8301c92.exe
Size

6.8MB
MD5

3c0a3e000138e3ad4f00e8ada8301c92
SHA1

9b9ec01086cd38df37c3af5043cf04dd4e500743
SHA256

e0ee2adfc14cdaf8e4163bb67a81e390cd3a5592c65bcd34623d7c05a1bc9a08
SHA512

345fc5e0e2eddf386fee8c46d1de3d47b32e75f56f5195384a0eaf741a346f83878fbd00e0a61173b42e0bce9e5d6d9fedacf939e10ea3483e4c5a1e6a4d38be
SSDEEP

196608:nixq1evaDHx67b7yBNmH1Xa37KXBjytdO:nAJiDH9BNGG+Jyto

Score

10^/10

bootkit persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit = "userinit.exe,C:\\Windows\\system32\\sdra64.exe,"	Auth.exe

Executes dropped EXE 3 IoCs

pid	Process
2816	Auth.exe
2456	7.exe
2592	Auth.exe

Loads dropped DLL 4 IoCs

pid	Process
2828	3c0a3e000138e3ad4f00e8ada8301c92.exe
2828	3c0a3e000138e3ad4f00e8ada8301c92.exe
2828	3c0a3e000138e3ad4f00e8ada8301c92.exe
2816	Auth.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	3c0a3e000138e3ad4f00e8ada8301c92.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sdra64.exe	Auth.exe
File created	C:\Windows\SysWOW64\sdra64.exe	Auth.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2472 set thread context of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2816 set thread context of 2592	2816	Auth.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2592	Auth.exe
2592	Auth.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2472	3c0a3e000138e3ad4f00e8ada8301c92.exe
2828	3c0a3e000138e3ad4f00e8ada8301c92.exe
2816	Auth.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2472 wrote to memory of 2828	2472	3c0a3e000138e3ad4f00e8ada8301c92.exe	28
PID 2828 wrote to memory of 2816	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	29
PID 2828 wrote to memory of 2816	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	29
PID 2828 wrote to memory of 2816	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	29
PID 2828 wrote to memory of 2816	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	29
PID 2828 wrote to memory of 2456	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	30
PID 2828 wrote to memory of 2456	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	30
PID 2828 wrote to memory of 2456	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	30
PID 2828 wrote to memory of 2456	2828	3c0a3e000138e3ad4f00e8ada8301c92.exe	30
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31
PID 2816 wrote to memory of 2592	2816	Auth.exe	31

C:\Users\Admin\AppData\Local\Temp\3c0a3e000138e3ad4f00e8ada8301c92.exe
"C:\Users\Admin\AppData\Local\Temp\3c0a3e000138e3ad4f00e8ada8301c92.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Users\Admin\AppData\Local\Temp\3c0a3e000138e3ad4f00e8ada8301c92.exe
  "C:\Users\Admin\AppData\Local\Temp\3c0a3e000138e3ad4f00e8ada8301c92.exe"
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\Auth.exe
    "C:\Users\Admin\AppData\Local\Temp\Auth.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\Auth.exe
      C:\Users\Admin\AppData\Local\Temp\Auth.exe
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:2592
- - C:\Users\Admin\AppData\Local\Temp\7.exe
    "C:\Users\Admin\AppData\Local\Temp\7.exe"
    3⤵
    - Executes dropped EXE
    PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
117KB

MD5
f4146d150326a05ca0bb6fc210cf8f79

SHA1
f441250b3e7b255eabea1dc2329b221e4477b70f

SHA256
46b42adcd860e12c00d3ace14d295743bf201e8a32b6b869f477a679936ae351

SHA512
b70242959034b6f5956760ec48c05bc03ae1edfeb7c32b68b06001844c1d03b04193137080bbd1bd445cb6c4dd428450b195305f65b90a31df93e9aeb60c4bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7.exe

Filesize
72KB

MD5
3c1f23a73a81603f613d2461d65a2e5a

SHA1
fd08463aae967c851bc4f27cb5db0dc44140848a

SHA256
7ea117314b8f4bf39abaf34542bad703870cb4a0f72201b92cb2cd35b027413a

SHA512
6a359a3f4952cc52074f6f1ee87ff00213fdf8cd58847ef9ce6513a47fcba887478636a8604cb5f9c12175aedce0b32bcc388b0292248d6a87bd4146043c0af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
151KB

MD5
e9892ee886353c3fdf3075e8e247db62

SHA1
b15641f34c3f2e3527fe412a1d85ac190c7f5cdb

SHA256
ed39e72d3a5b1bfade861ede38333b21e8e66d597459f9c2618ff8d9d8035f93

SHA512
32710c67bcc37a80ab70d4137fdadd8cd107c5278af1a3eb1d6e59b8c5a52cbd2be9f2cd2af9557f221f06812cd0fcadef2f51ab78a723d4cf6075a4be44c762

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
97KB

MD5
09411aab29e6483db845ec0af9373d5c

SHA1
5f78d030795bf0cfad26041db52fc9196c9fe12b

SHA256
b7c7dc498332db99786de64d5c29ed25f67d37cfceed79de0d3b31372269b9f0

SHA512
ce292c214be100e6f6234517532c96638384ccda19b5bb3320b6760e171679ef4a6a81923e564135457ff670c8295ee4bec3200aee422c34ec15944b29855547

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
188KB

MD5
d4894d59d2c75a62d414bb219fd5ef9f

SHA1
3d4d6bfd9eb9c8d741e5b28f16d9dcfe98dada04

SHA256
0085e327ada9184158f7094f2488a4af3467d78ef2f30072c75d0fd661e91a92

SHA512
9c6892403e346ce29cfd9ca40852809635ce24638608f1b9621c99688810b7d671443d1ebc21c9cef9a0bf0666cf41c6342330c40f153518de1bcd3ee07669df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
89KB

MD5
12357fffade19316305dc3065268e412

SHA1
b107f2e57c979c78978c55adfeff76c51b063eb0

SHA256
885bbda0897fecd6a669f99f109e4ff72be54d4e1d326d3ca0543e30991c508f

SHA512
2690e2122e4f7fdc56b77960239bd8115c6870e0a4cbe4156e03055fd174ba121b0ee29f5b1e1c91730aeb2d3b06a8e7b4b5c7d1147f55db23caa5272566f6ee

Download Submit
\Users\Admin\AppData\Local\Temp\7.exe

Filesize
97KB

MD5
a709b894dde183390d43e33d7d14327f

SHA1
cf5204e56424b543ec37ade43a0c4af4312a5c8b

SHA256
5053c129442b0d777c34d9632fec242dfb5e32ef32ef992d3bb2a2122e83b7d6

SHA512
0667f4a17cc5358f0501112200c54959a3f3e6fbd225d4e0dfebe108ce4c096d666a95921965c8f3464139fcf9bc07166e304ec25c1c0e01c6758cc70028e6b3

Download Submit
\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
110KB

MD5
910fd4a68cf35a7ec0a4f1723a24f555

SHA1
412114c14a2ee8a5f67822c2c62d27d005be21a4

SHA256
f8adf47dc1c5712ea9e94718f51fd9fa9ecf2a110536a3ed07ca0ee9ba1dd563

SHA512
3ca844ad0017ca0c067ef13b547401e59a93f256f310f0effb8988942ad50c0e34d9a38324fd882bd4a4723753eeade877c44ebd4af50e533799b83e7eeeffea

Download Submit
\Users\Admin\AppData\Local\Temp\Auth.exe

Filesize
149KB

MD5
16cb1dd2359ebac8984580f912b8c97f

SHA1
71fcc5e100d194b51aed0827de6a0c88814d5f62

SHA256
75ce491d11f4529f1cbbd42cbe9d38194c661356b06c6068e3b6ddcc7eb4960a

SHA512
dd950a910cf50d30e9b7aa260ca73f6296c966c6faa0f4e17b1e34589494972e75f8bef3880343f34f35c7f845cc06322e13355a36e64fe55f2acfe0c73a7473

Download Submit
memory/2456-43-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2456-72-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2456-70-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2456-69-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-67-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2456-66-0x0000000000A60000-0x0000000000AE0000-memory.dmp

Filesize
512KB

Download
memory/2456-40-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2456-46-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/2592-44-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-55-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-47-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-51-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-49-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-58-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-41-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2592-60-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2816-31-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2828-2-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-14-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-36-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-4-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-6-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2828-12-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download
memory/2828-18-0x0000000000400000-0x0000000000A96000-memory.dmp

Filesize
6.6MB

Download