Overview

overview

8

Static

static

3

7acc85ad6e...10.exe

windows7-x64

8

7acc85ad6e...10.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    14-01-2024 07:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7acc85ad6eea22222b77c6b97e70d70163d665decfb01c7ac37a521cad221910.exe

  • Size

    4.8MB

  • MD5

    bee3dc35e58b6c7cfb3373edd86f0f5c

  • SHA1

    7d355964f351de173dd160fb2c101008adf63883

  • SHA256

    7acc85ad6eea22222b77c6b97e70d70163d665decfb01c7ac37a521cad221910

  • SHA512

    55329e7a2f02a3318c87bae712918a7f9b8fe96fe098e09f3549d70aa9fd5b5a71efa7119385eadf563d909736be243763fd7a66ea1e8e29b35a06874a1a0454

  • SSDEEP

    98304:LpLE90Ta7PG5o2/JUqf7W1DSWCLT5S6SNZOreOa4:2932puiSeSOt

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 17 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 64 IoCs
    evasionspywaretrojan
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7acc85ad6eea22222b77c6b97e70d70163d665decfb01c7ac37a521cad221910.exe
    "C:\Users\Admin\AppData\Local\Temp\7acc85ad6eea22222b77c6b97e70d70163d665decfb01c7ac37a521cad221910.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\Users\Admin\AppData\Local\Temp\{2D64C598-794E-43f7-BE28-D2EBF3C22175}.tmp\KB931125.exe
      "C:\Users\Admin\AppData\Local\Temp\{2D64C598-794E-43f7-BE28-D2EBF3C22175}.tmp\KB931125.exe" /Q
      2⤵
      • Modifies Installed Components in the registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe authroots.sst
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        PID:2600
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe updroots.sst
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        PID:2988
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -l roots.sst
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies system certificate store
        PID:2572
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe -d delroots.sst
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1940

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Cab5514.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\authroots.sst
    Filesize

    73KB

    MD5

    bb49ccc10926cdb601eba81afef749a2

    SHA1

    a4766c9aea8d211e9632148fd4b625cece195be9

    SHA256

    f013ee3b7fede9a95844e83e83ee298d38cba6efce5a5cafcd8b95255c32f86c

    SHA512

    94c2809727039d1ed07a3742a4b2f9300e865ea7c49bc1fcf547a30238eeecc88d8dd06a2d4f3112317f948908b9af082b50f412a41a2bcb48d5e30d6d8ecbba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\delroots.sst
    Filesize

    9KB

    MD5

    7b32871e409608ff887b6cf4d87debb0

    SHA1

    191f9ea1298ee52dbd6f977b3584109a064f57b9

    SHA256

    3f01268547364d2d60a0f65b46757cccfd9225fc39d581846a8fbffdb5756ff2

    SHA512

    534a384f7946db4083e639b8e02d83ac97293c60630b8811a84c85e0330e9c293f05f5cf71e0f3580551e7923bc5a3bfb7f0406432ca3cdb7efeb4a950ac5e8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\roots.sst
    Filesize

    7KB

    MD5

    9e5de0fd1f90486a66dee4bfe89a78d7

    SHA1

    90e3188ef63495aaa71c85d4ff0f23253c834b40

    SHA256

    8b95ff56d61586582864d05563762615c8705779578dca3c98a303c3b1f4122e

    SHA512

    60006fa6f57e4d280642d51055f85f8d27b913ce71373de5b928c515c77647295030ab73ab4a55024de4a40c18f200909f49ffb52c26cf554835fc3d4cc348f1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\rootsupd.inf
    Filesize

    1KB

    MD5

    421e60325404f5f29ac04c9b9d59096b

    SHA1

    aace2fd74d799e8af5c8d5b2646361bb67a1620c

    SHA256

    571a8da5298aacc37700c747ee5d72b5a7797835140e7a4d4f895e9604574d77

    SHA512

    86693975b1b187ee65b0a23b1f3f8e05d1a3f61e7e47b060f938fe1602bbad96021847b709e64c2d5a295b72f10f4db587a11a1e7ca0a0b64c3bed7fa683b1d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.sst
    Filesize

    320KB

    MD5

    2d9b4498c847715418160bfd7e7c8a2d

    SHA1

    e0873091d476d2566aa6fc988cb364247c95dc97

    SHA256

    c49c05b701c390c679e5e3226ec621f22a08155b1065fcfc37b509f648f03b41

    SHA512

    dcf3208cdd1e4353f82823f796d735c1209f149f183eea827a90753ec55509a1c460a16c120e07c12a5eacf0e67d2661c25638491ecf4403e25d6508983e519b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5527.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{7C5A3163-02A7-4022-BFAC-E0DABA3BD953}.tmp\NetBridge.dll
    Filesize

    238KB

    MD5

    8786d469338c30e0ba9fedfc62bd5197

    SHA1

    5fb12028ceae9772f938e1b98b699f0e02e32718

    SHA256

    beeaf8b72f7008e9adabacfcd85e32a50747a0dfb5c86802aeb973bd1f5c3d2f

    SHA512

    5db1e5b78e62cda81a63e8e712e720f87a7c7a539237a55a9098c076f9fb4e0b5adb83383c23657b4ccc90c117e55e3946a399cdf3d15cb94444b203d9d6c45c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
    Filesize

    89KB

    MD5

    a64e4b204d44548eeb5c3d86eca2ad70

    SHA1

    e3245bf6dbb2e56d71a9cbad2697aa4fa0df6bbe

    SHA256

    985a5603ebf94539ac11549999f83b5e6dc008180994898c5daa6fd31ae1e9dc

    SHA512

    dca4099318954bab5f1204645be0d0e8fea0c2e97ee95496fa884fbed627e376358623fa94c39bf0abe97d07d46a7e6c5e1081496cdd1987e07e595995a46cd5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\updroots.exe
    Filesize

    5KB

    MD5

    9c18ae971cbffb096952177f6804ea31

    SHA1

    bb255dd1bd9bb39cdbb8671af66054432c686828

    SHA256

    2703c25453b09c40ee81fdc458b8cc24712e387a12d15ff94e12b02921fe98cb

    SHA512

    21086509bb4ea5afede55d034955de0bdf8b366d5d8d4bfa7a6c68b0f35fbf217ff3e932f87fc1d37f09022805e79ceeecbaf3dbccbd96d7c93029ffe7370e4c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\{2D64C598-794E-43f7-BE28-D2EBF3C22175}.tmp\KB931125.exe
    Filesize

    349KB

    MD5

    4a4d72d34f9da1fc5019e0748fcde2f5

    SHA1

    f54752ec63369522f37e545325519ee434cdf439

    SHA256

    83b660f3f3eaddd4b388ed3f806f7444f03429fb63fc1f8db3d86294914a05ca

    SHA512

    95986ffbf51483a0d1a256028847c7ee6ac73ffd62f6d838309a69e1833f719a7cfed5422815f4d4a49dbd599c449f8db8f60273136720cb1da5f8b0eb24cb33

    Download Submit

  • \Users\Admin\AppData\Local\Temp\{3F783FE5-149B-4bfa-AC7A-049B4412C3A1}.tmp\7z.dll
    Filesize

    1.1MB

    MD5

    2706693dda10c6cc79eed24c56d4e5ef

    SHA1

    4f34ef1bd49273a0d260b9dab15c73eb0ccb6383

    SHA256

    0edad8a1af22d5b97c1f324791c86243a6ecce7b5a9d2f30415af99aba9129c3

    SHA512

    7e7f7ae894528587ba33b6e10999549bb9a2ec2748b5662fa1b8806e5f4ce33af47507b3ef2954f2747a76b5b7c775c1cd671061f577c5016d1f8ba165bbe21c

    Download Submit

  • memory/1152-169-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1152-170-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download