d8681cb9b7eeaf66c5057dea4102bda732fa887debb8495d0784a7921f59c6b5

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 12:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Size

420KB
MD5

5b2fcb7b669dae8dfc3ac761f3e5b669
SHA1

107897a22cd8c6ba2b33321b2282748cba66688b
SHA256

d8681cb9b7eeaf66c5057dea4102bda732fa887debb8495d0784a7921f59c6b5
SHA512

8db3486a94eb495c0b14fc3f19383bca85600944db524bb194536cb2a17dfb0b9b837b7e1475f3c0b2d0627b35758d22b3a6c209eae27214e2b18d8ef8e2a6e6
SSDEEP

12288:sXukg+ih8FfXhre/8J8BvRYDlhaEbAAOw+:5h8FfXhqg8B2xsl1

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2744	SVCH0ST.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
File opened for modification	\??\PhysicalDrive0	SVCH0ST.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	SVCH0ST.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SVCH0ST.EXE	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
File opened for modification	C:\Windows\SVCH0ST.EXE	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
File opened for modification	C:\Windows\SVCH0ST.cfg	SVCH0ST.EXE
File created	C:\Windows\SVCH0ST.cfg	SVCH0ST.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\International	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Control Panel\International\sDate = "-"	5b2fcb7b669dae8dfc3ac761f3e5b669.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	SVCH0ST.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SVCH0ST.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sDate = "-"	SVCH0ST.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	SVCH0ST.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodisconnect = 00000000	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	SVCH0ST.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	SVCH0ST.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	SVCH0ST.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	SVCH0ST.EXE
Key created	\REGISTRY\USER\.Default\Software\Microsoft\Windows\CurrentVersion\Internet Settings	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial = 00000000	5b2fcb7b669dae8dfc3ac761f3e5b669.exe

Modifies registry class 6 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	SVCH0ST.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	5b2fcb7b669dae8dfc3ac761f3e5b669.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	SVCH0ST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	SVCH0ST.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE
2744	SVCH0ST.EXE

C:\Users\Admin\AppData\Local\Temp\5b2fcb7b669dae8dfc3ac761f3e5b669.exe
"C:\Users\Admin\AppData\Local\Temp\5b2fcb7b669dae8dfc3ac761f3e5b669.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1616

C:\Windows\SVCH0ST.EXE
C:\Windows\SVCH0ST.EXE
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SVCH0ST.EXE

Filesize
420KB

MD5
5b2fcb7b669dae8dfc3ac761f3e5b669

SHA1
107897a22cd8c6ba2b33321b2282748cba66688b

SHA256
d8681cb9b7eeaf66c5057dea4102bda732fa887debb8495d0784a7921f59c6b5

SHA512
8db3486a94eb495c0b14fc3f19383bca85600944db524bb194536cb2a17dfb0b9b837b7e1475f3c0b2d0627b35758d22b3a6c209eae27214e2b18d8ef8e2a6e6

Download Submit
memory/1616-0-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1616-1-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/1616-7-0x00000000008E0000-0x00000000008E4000-memory.dmp

Filesize
16KB

Download
memory/1616-6-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1616-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1616-4-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1616-14-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1616-13-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/1616-12-0x0000000001E10000-0x0000000001E11000-memory.dmp

Filesize
4KB

Download
memory/1616-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1616-10-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1616-9-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1616-8-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1616-15-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1616-17-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1616-16-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/1616-18-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/1616-19-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/1616-20-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/1616-21-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1616-22-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1616-23-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1616-24-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/1616-25-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1616-27-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1616-26-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1616-29-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1616-28-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1616-30-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/1616-31-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1616-32-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1616-33-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1616-34-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1616-35-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1616-36-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1616-37-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1616-38-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1616-39-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1616-40-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1616-41-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/1616-42-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1616-43-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1616-44-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/1616-45-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1616-46-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1616-47-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/1616-48-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1616-49-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1616-50-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1616-51-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1616-53-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1616-54-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1616-52-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1616-55-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/1616-57-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/1616-56-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/1616-59-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1616-58-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1616-60-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/1616-61-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/1616-62-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/1616-64-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/1616-69-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/1616-68-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1616-70-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/2744-135-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2744-146-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download