91982591f123907fbe16d1b1941ddcab6d398a3d5485b709bcbdc30bea83bff9

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 09:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

589703e464ae29be30ad5493a069ea2d.exe
Size

3.1MB
MD5

589703e464ae29be30ad5493a069ea2d
SHA1

b8f0a48f8790a7ebead40d24ec7c30a857cdd713
SHA256

91982591f123907fbe16d1b1941ddcab6d398a3d5485b709bcbdc30bea83bff9
SHA512

776d9c86a901df861eebe3709d5469431feb56ca1b8840fc6b2433a119c7d90fb89b96f382305177e811eace25658df30e920a2b195784464e7613ec25866b7a
SSDEEP

49152:I7Z5vK5RYzxirZN3DKICwSB+NX6pKMHrawb88S1dmK2VZ:I7Z5v2RYtiFNTKIIDfHrawbkd2VZ

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1792	inst.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	589703e464ae29be30ad5493a069ea2d.exe
1792	inst.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	inst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	inst.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	inst.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1792	inst.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1792	inst.exe
1792	inst.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1792	inst.exe
1792	inst.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28
PID 2548 wrote to memory of 1792	2548	589703e464ae29be30ad5493a069ea2d.exe	28

C:\Users\Admin\AppData\Local\Temp\589703e464ae29be30ad5493a069ea2d.exe
"C:\Users\Admin\AppData\Local\Temp\589703e464ae29be30ad5493a069ea2d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
3KB

MD5
130b7e74cd7a598db6cf4537a0316d1e

SHA1
a5f65508dca70b41e7cb8450e8b0a6dacaba0cf2

SHA256
01ae9625c7716ae4f0a5a378d13f2478d7c8be89a4c3d93ba8ce3fd7dfa63442

SHA512
814920aa4f71f1e4467e1123e04e15cbe0e77e2ddab3a2a0252944803d16fdeb0330110acf6da30c6292ffd53fc176ec7fe88d6f41c70a3d89dd8e0150697253

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\computer_rescue_icon.png

Filesize
838B

MD5
3090d2de85382dff85b62ba401ad154a

SHA1
ef99c36242f2b16b8f5c124bf045d435cec0858e

SHA256
e4b839057fcf4fa07d8e84e1a83f1096cf36c89a2f19f692d4ffbfd0706c62b4

SHA512
05d16c277259fdcfada9aa2bfdb88de1356e7b1384ea24686821af3bf3c127d4ed2c1f26aeb4b87d23747fa4ea6e46f95756c980bf7501221384495219149665

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\custom_wnd.ini

Filesize
2KB

MD5
9b112c4f740a4e1454b5c799f858727d

SHA1
40349402d12d0de24332a99baf007054f6d46b1d

SHA256
045219484debeafdcedb04e6fd0c914cb4db13a712b2abdad75b33696f28f7ac

SHA512
5d2c68cd2fe2444100a1a3031d33b1f6c186384af40c943d711e5b39a29bf9592e59e45d5b35fab59415db86b5abd926ee58aadd857a3868672ff3e648a63907

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
1KB

MD5
b31114daf434004ec91a440de4f1c5ad

SHA1
6cabc21acc9fe19ac89f3be882f550f0f4f72b5e

SHA256
d0bee07b22fc92d5ca9695401dc1c84d62331d6db8be5e7d002777e894e8b2e2

SHA512
023e5403cbf937a98a9f543c15280f9d8ff47ddf396cb1b66dd212f6b76b8b1b3df0a4ec858e52bff1e06ae59551d26a257aba8070c732ba01bbfc8443044f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\soft_manager_icon.png

Filesize
646B

MD5
8f7051f0e9b7b4ce87f82dc64fc57972

SHA1
77b7122ee16b8d7141323e5b66b7a2f390265bcd

SHA256
4c2639778afba2c0d782996ea8a80152ed25ac2a954f3d525960583bddd12090

SHA512
6ebf53ed208c4d6840678074f23fec27735939a948f277f8bf6d2cd6888a13ec6086147d417daf5eab7c3887e2ca4dc64a23579e93238f186faec2d46f8a2501

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7005.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7065.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7822031B-E4E0-4fe0-9CC8-2C5DB6DCCD66}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\inst.exe

Filesize
2.1MB

MD5
a972867b8b661d999e7d7dc20253db95

SHA1
93112bdef8f443bf25fece0d6826490b7e4f4f7c

SHA256
5be93d7cc5a0a7d51dcad5386b30c7133642e68efb28d9383f7f5b29d812b6c8

SHA512
0ae6030771a16fa62a5280f4e8942030b3d67ce768184ec276f7e868a26f745cef0e12224cf97f5af3f4b9300f5a9b4e6290c4062687efdfcc404b380dcb2941

Download Submit
memory/1792-18-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1792-155-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads