59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6

Analysis

max time kernel
158s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Size

4.9MB
MD5

a0708d9ff367a4700ad53cf7a232fcc4
SHA1

4102ec23cac1fb5838dbeeaedad169ece5c67ca9
SHA256

59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6
SHA512

2b43524c423049d10d58e28dfda397f29828ff6d8d2f8d64a6044e13707d39183e9923595a666964b77c89fe9b7723f68c31a7354b2597026719c835755fa978
SSDEEP

98304:wdYTAt79GRfIXhgYp2U0qxjWwct0pH+zw923MogVdpTNuaxVw17V:sEAtZwfI9pYu9TpeDMrfgaLw1p

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	360断网急救箱新版.exe

Executes dropped EXE 3 IoCs

pid	Process
3936	sg.tmp
1380	360断网急救箱新版.exe
4972	360NetRepair.exe

Loads dropped DLL 4 IoCs

pid	Process
4972	360NetRepair.exe
4972	360NetRepair.exe
4972	360NetRepair.exe
4972	360NetRepair.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3120-0-0x0000000000400000-0x000000000056E000-memory.dmp	upx
behavioral2/memory/3120-5-0x0000000000400000-0x000000000056E000-memory.dmp	upx
behavioral2/memory/3120-34-0x0000000000400000-0x000000000056E000-memory.dmp	upx
behavioral2/memory/3120-40-0x0000000000400000-0x000000000056E000-memory.dmp	upx
behavioral2/memory/3120-72-0x0000000000400000-0x000000000056E000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360NetRepair.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
4972	360NetRepair.exe
4972	360NetRepair.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeBackupPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeRestorePrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: 33	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeIncBasePriorityPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: 33	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeIncBasePriorityPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: 33	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeIncBasePriorityPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeRestorePrivilege	3936	sg.tmp
Token: 35	3936	sg.tmp
Token: SeSecurityPrivilege	3936	sg.tmp
Token: SeSecurityPrivilege	3936	sg.tmp
Token: 33	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeIncBasePriorityPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
Token: SeDebugPrivilege	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4972	360NetRepair.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 740	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	91
PID 3120 wrote to memory of 740	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	91
PID 3120 wrote to memory of 3936	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	93
PID 3120 wrote to memory of 3936	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	93
PID 3120 wrote to memory of 3936	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	93
PID 3120 wrote to memory of 1380	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	99
PID 3120 wrote to memory of 1380	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	99
PID 3120 wrote to memory of 1380	3120	59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe	99
PID 1380 wrote to memory of 4972	1380	360断网急救箱新版.exe	101
PID 1380 wrote to memory of 4972	1380	360断网急救箱新版.exe	101
PID 1380 wrote to memory of 4972	1380	360断网急救箱新版.exe	101

C:\Users\Admin\AppData\Local\Temp\59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe
"C:\Users\Admin\AppData\Local\Temp\59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c set
  2⤵
  PID:740
- C:\Users\Admin\AppData\Local\Temp\~7538592508468266977~\sg.tmp
  7zG_exe x "C:\Users\Admin\AppData\Local\Temp\59612641c7f0a01fdb9d2ce264665af72912045b4fa515deb8e03c093d3ba0e6.exe" -y -aoa -o"C:\Users\Admin\AppData\Local\Temp\~3316846966438104996"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360断网急救箱新版.exe
  "C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360断网急救箱新版.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\netmon\360NetRepair.exe
    "C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\netmon\360NetRepair.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\360Base.dll

Filesize
983KB

MD5
ee7e4f5d83f902984c765283b863b7f0

SHA1
c463761632cb9e04d864442f73c0e97365ffe38a

SHA256
4123b8d9f136d9e533be8279f9ea2de3d403d89298065c72f285dc8316cfd307

SHA512
9d5b09d78df6008c504d99c320bc639e70d33e1b71371307fdd139df63fef06383bbcb6a1bfe9a5a7d2c129f01a5910af90ce5b9d7d750b563b555aff0c2e15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\Config\newui\themes\default\360netrepair\360NetRepair_theme.ui

Filesize
218KB

MD5
90a81423eea4120256a0fcb6da5165e9

SHA1
88e38d9cd2104e8275bf694245b19c1134e885e2

SHA256
cd5fbc80791a5c61ab5c37af7e8e401b64b61814c5e898d743ee1707b3cc5fe3

SHA512
93a9852c473c96318b6ef86bca70402985ae376901dc99afa98e15d22d4ad82ba3ee09386f31a43dd0fbec4d4ed7e09df24b0443481ee2f55c7ca81fac78505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\Config\newui\themes\default\default_theme.ui

Filesize
3.5MB

MD5
79a642d092824233e42d029561bcdcec

SHA1
f98eb5c76e2acebb4a90a7c6709a16c47139f5e9

SHA256
84024e243aff64beccbbf9e1ecd7fe0a0c4e6896ba4a0bbf4288e31b5de36dc9

SHA512
f1e6edb1c6c1b3bc00080f8ca9f7bdc49b0942daecedb6fd0bb6bc13407e8a1506ea8a22b4dee7bb2d7e1462a513027126147a9b89f4068d9a76b982d79f341f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\Config\newui\themes\default\theme_360NetRepair.xml

Filesize
28KB

MD5
94314ee521500d9d14f82da21b9c90b8

SHA1
34c5d47c3fa7a4c6d9d4256d818286f07226f7dd

SHA256
b75516cd40a8394de20ea89e65dec578da1d3fcc4d7cfed23cb8e40cb5c33f2b

SHA512
36b14e06016a7463cb9c501581aa5026363194744db45a9117a0864964347ad138ea25a04a7d9e13b6f6f13f354963524ca3608b4ff02f4483334eec65b8db88

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\Utils\SiteUIProxy.dll

Filesize
348KB

MD5
36f88da8ab5c25a1655ad0aaebb2ae50

SHA1
467abe06651b6d5b30204c012162090868f4c050

SHA256
0574b9283d232bdeac7c53cc86c5a89435d52ff399039cf5bb304628be286a6f

SHA512
184c1f130717c7e235fb08dbd265d1d2a8e67d106081553a00f66afc10e80ed4b756386a9717f6051e9ecad81eaa236dddd8d863d425f55d996ba713f99fe5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\netmon\360NetRepair.exe

Filesize
302KB

MD5
ce4d391d467308347f16a700b37fde76

SHA1
19e6f998bed4c96b9d516a031c9a4af9ca9143fe

SHA256
d10e387b9085aae8d413075da3a1e7b153fb1001f95abc684e60f73fd512b125

SHA512
009e419b06718a4dcefca2c3e2c27ebc33b795b8d58ed111d35da68158a3170cce120e2b0a084a53786b5b27d77aede9d515241e2e28e028b381d95d50f94440

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\netmon\360netdr.dll

Filesize
469KB

MD5
2285f4f4b3a086f0e835eaa9e7f7e2a2

SHA1
fe8d8045c6a0d099e44fef081ae91260cfd32c4b

SHA256
edac97ddc8c5a7c166bfe9d256ff3d165efd994b787986ee69a36106f764b5f5

SHA512
5eb7d551554d5fe40ab4afd61d9341a5051fca71b0f72268d83540280f7d9fe934b24af2b7e91fbf600ae5d919b983af53c36aa92c5d85da2d79f1c9581b3fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360safe\sites.dll

Filesize
1.4MB

MD5
3f03f2c6000d713bf0c2824eb6021fe7

SHA1
b03401b07bc2eda58c4749e8a5ee14ab5cd056d4

SHA256
43923dd9f19e5089947f8376be5e59a9683c4c9b566ce6feb46a02d8a6e12c28

SHA512
cafdda7e6d67e3906e8dabecec018dc45cda69e505d074cf93dd3cb1a4e967263d8486a788ea97809e633036e06ced1257bbd96d23b441242e7b8abc05948b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~3316846966438104996\360断网急救箱新版.exe

Filesize
20KB

MD5
55076570d533b9f85c08cf3f5cf7dbc8

SHA1
701f74cf7fa6f846ac25c9250c1327a284d946f6

SHA256
a3f88e79c4dbdebc578674e0b8f06ff853b2a3776368ea3e7bb838136ef4f92b

SHA512
bb59f3157b817dc4e4852f83f438af8f0f634cfb746965bfa2172211f29192d7fff308183b6aed6e3daa16f7b127aed30ef9cde0d24d056f1086a5ff2023761f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~7538592508468266977~\sg.tmp

Filesize
715KB

MD5
7c4718943bd3f66ebdb47ccca72c7b1e

SHA1
f9edfaa7adb8fa528b2e61b2b251f18da10a6969

SHA256
4cc32d00338fc7b206a7c052297acf9ac304ae7de9d61a2475a116959c1524fc

SHA512
e18c40d646fa4948f90f7471da55489df431f255041ebb6dcef86346f91078c9b27894e27216a4b2fe2a1c5e501c7953c77893cf696930123d28a322d49e1516

Download Submit
\??\c:\users\admin\appdata\local\temp\~3316846966438104996\360safe\config\newui\themes\default\theme.xml

Filesize
219KB

MD5
d4a8d901409f9a167b7e1ebaafc59847

SHA1
8a97638edc67effabf3ab45ff3528067d58d3ea7

SHA256
16343463aebc0dc3d94ea10b2fbe743bc8936780905f52cec0f4766cf85c08da

SHA512
e26b43f475c7db9a694a289cd728584e80ec7be30cb3fb5df928b74ee9cee7767c0acf880c839d0451c562d89db04537560fe7ec757c8cb7de8cb0772e66a012

Download Submit
memory/1380-48-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/1380-43-0x00000000055A0000-0x0000000005B44000-memory.dmp

Filesize
5.6MB

Download
memory/1380-42-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1380-41-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/3120-0-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3120-40-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3120-34-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3120-5-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/3120-72-0x0000000000400000-0x000000000056E000-memory.dmp

Filesize
1.4MB

Download
memory/4972-60-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download
memory/4972-75-0x0000000003070000-0x0000000003071000-memory.dmp

Filesize
4KB

Download