612dd0ec18f33d07ceafbd2feff2b38cc296a0faf5be5967b74448fcf6222ad9

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5969721d2dc4657b7c2c3673bd069999.exe
Size

352KB
MD5

5969721d2dc4657b7c2c3673bd069999
SHA1

e151c30e64e15333e4681887ddf882900d3b10a2
SHA256

612dd0ec18f33d07ceafbd2feff2b38cc296a0faf5be5967b74448fcf6222ad9
SHA512

ad2b406485cf01c3017b1d10070cfdfb07c033ed09739c0445342bed657bf42f6ff5366f66896f0996e3a46f7227cb035c5fc3659abe68df4b7526e5c8c02357
SSDEEP

6144:ExgEVdGJoM4PYJ6fQy++AIw8Zqqbq4n+aCyIK3ccnMxjOFUd:OgSWorYJqQMzfGIW1K3Dns3d

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5969721d2dc4657b7c2c3673bd069999.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\FLAGS\ = "0"	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\TypeLib\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\0\win32	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\FLAGS	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\0\	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\0	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\0\win32\ = "%systemroot%\\SysWow64\\comsvcs.dll"	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\FLAGS\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\VersionIndependentProgID\	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\InprocServer32	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\TypeLib\ = "{A1C16977-50A1-F865-88DA-181EA33F6D6C}"	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\ = "Apopihe Zogan class"	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\InprocServer32\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\InprocServer32\ = "%SystemRoot%\\SysWow64\\sppcomapi.dll"	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\VersionIndependentProgID\ = "SppComApi.TokenActivation"	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\ProgID\	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\VersionIndependentProgID	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\ProgID	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\0\win32\	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\ProgID\ = "SppComApi.TokenActivation.1"	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F47DE36C-B31B-4C54-76B2-831883D1358E}\TypeLib	5969721d2dc4657b7c2c3673bd069999.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5969721d2dc4657b7c2c3673bd069999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A1C16977-50A1-F865-88DA-181EA33F6D6C}\1.0\ = "Legacy Microsoft Transaction Server Type Library"	5969721d2dc4657b7c2c3673bd069999.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1992	5969721d2dc4657b7c2c3673bd069999.exe

C:\Users\Admin\AppData\Local\Temp\5969721d2dc4657b7c2c3673bd069999.exe
"C:\Users\Admin\AppData\Local\Temp\5969721d2dc4657b7c2c3673bd069999.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-1-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-0-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1992-5-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1992-4-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-3-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-2-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1992-6-0x0000000000400000-0x0000000000634000-memory.dmp

Filesize
2.2MB

Download
memory/1992-9-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads