4dea15e828eff36658d4ee1d1e336fabbe5c691a4d684b3a477597032a5b5406

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b18df60bcea519495e8f14951b23097.exe
Size

933KB
MD5

7b18df60bcea519495e8f14951b23097
SHA1

29f91ad53f1d5cff34ca8a9585bae77015210875
SHA256

4dea15e828eff36658d4ee1d1e336fabbe5c691a4d684b3a477597032a5b5406
SHA512

3fa2bdf301b9c10d97f7476c5c9f316e85e25fdeffdb11b79089ba296ca4d581e0e0745663d184124169188f69b579d75103d762f95e55306c021c875a99d61c
SSDEEP

24576:VkthAHFSXKOxoS2R65WrNDsFn4VY2KZtQpQUH:V94aOORkcpQFn8KZXUH

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2768	defender.exe

Loads dropped DLL 2 IoCs

pid	Process
2268	7b18df60bcea519495e8f14951b23097.exe
2268	7b18df60bcea519495e8f14951b23097.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2268-0-0x0000000000400000-0x00000000006EC000-memory.dmp	upx
behavioral1/files/0x000a000000012247-10.dat	upx
behavioral1/files/0x000a000000012247-15.dat	upx
behavioral1/files/0x000a000000012247-14.dat	upx
behavioral1/files/0x000a000000012247-17.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Software\Microsoft\Windows\CurrentVersion\Run\Malware Protection = "C:\\ProgramData\\defender.exe"	defender.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	defender.exe
File opened (read-only)	\??\J:	defender.exe
File opened (read-only)	\??\S:	defender.exe
File opened (read-only)	\??\T:	defender.exe
File opened (read-only)	\??\U:	defender.exe
File opened (read-only)	\??\V:	defender.exe
File opened (read-only)	\??\W:	defender.exe
File opened (read-only)	\??\L:	defender.exe
File opened (read-only)	\??\M:	defender.exe
File opened (read-only)	\??\O:	defender.exe
File opened (read-only)	\??\P:	defender.exe
File opened (read-only)	\??\Y:	defender.exe
File opened (read-only)	\??\Q:	defender.exe
File opened (read-only)	\??\R:	defender.exe
File opened (read-only)	\??\Z:	defender.exe
File opened (read-only)	\??\E:	defender.exe
File opened (read-only)	\??\G:	defender.exe
File opened (read-only)	\??\I:	defender.exe
File opened (read-only)	\??\K:	defender.exe
File opened (read-only)	\??\N:	defender.exe
File opened (read-only)	\??\X:	defender.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2268	7b18df60bcea519495e8f14951b23097.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2268	7b18df60bcea519495e8f14951b23097.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe

Suspicious use of SendNotifyMessage 11 IoCs

pid	Process
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe
2768	defender.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2768	defender.exe
2768	defender.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2768	2268	7b18df60bcea519495e8f14951b23097.exe	28
PID 2268 wrote to memory of 2768	2268	7b18df60bcea519495e8f14951b23097.exe	28
PID 2268 wrote to memory of 2768	2268	7b18df60bcea519495e8f14951b23097.exe	28
PID 2268 wrote to memory of 2768	2268	7b18df60bcea519495e8f14951b23097.exe	28

C:\Users\Admin\AppData\Local\Temp\7b18df60bcea519495e8f14951b23097.exe
"C:\Users\Admin\AppData\Local\Temp\7b18df60bcea519495e8f14951b23097.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2268
- C:\ProgramData\defender.exe
  C:\ProgramData\defender.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\defender.exe

Filesize
473KB

MD5
1617749a8d6454307d6f71b1179bdfad

SHA1
3a2c114cffa9d83f3890b2506caccde506d4fed0

SHA256
45a228299585a9a5d9e9f546d248194d7e29c8be9b365c8c85d11fd8cedaa4ba

SHA512
7a939a2b5264b82a02dddf27e8e0fe490bc8c9cdbbd62dbdc03f0772280a658cd1b29c59e81435989a93f15938e49356c949b0153a5d7fe965db2cd0dc8c1307

Download Submit
C:\ProgramData\defender.exe

Filesize
190KB

MD5
945e6ad3db6055dcf920759d8b040ca7

SHA1
f2ec0acbc1020e04b731be0a116b7ab22256ad36

SHA256
b4f87801c0e519eaaec53ca57e4a83bea6510aaac44471427dcff99b703f6506

SHA512
ecd74a536b767af8b85fb69763c8dd1b1816f612bbd80fb88152405b4c50ece37472a3eda5c4360c9d9d768427b313d5903bcbee29898de037b3d1c276b40704

Download Submit
\ProgramData\defender.exe

Filesize
320KB

MD5
96e85872e6d37f42bd7115a12f34f0a3

SHA1
04c97813c90f4e12c71fbf59319ea626cc49a133

SHA256
da00e6da922a3f885cb14fce74c8786765091f734c587281e1dee6f6b4ce0e8c

SHA512
e9437028c25c0721330c73b8e7b3c8df643461b5d0ca1e8fbb39b45a9257f2fd9c7a0786a2b7886c67419c354bce2fbfe3ed7c9793e1e7f16128750bb3df9f76

Download Submit
\ProgramData\defender.exe

Filesize
346KB

MD5
99852f9b812f8209619aa51ad7d26caa

SHA1
8788220a972377832574bbcadaea7eaf4a93dddd

SHA256
5e92650da10c0e602d58657a3ea235c6e92a35813e07970b9ac27ee5473e76d4

SHA512
25f56ab00447486983de25b7d1c51e03bfb6a40d39b6ca7b5a5aa044322520fb6275e93890fab13072678b1a193b895a9ad8c58e6cef0dad5e0e0fe39203aa19

Download Submit
memory/2268-0-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2268-1-0x00000000007E0000-0x00000000007F0000-memory.dmp

Filesize
64KB

Download
memory/2268-2-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2268-5-0x0000000077550000-0x0000000077551000-memory.dmp

Filesize
4KB

Download
memory/2268-8-0x0000000000400000-0x00000000006EC000-memory.dmp

Filesize
2.9MB

Download
memory/2268-18-0x00000000029D0000-0x0000000002FEA000-memory.dmp

Filesize
6.1MB

Download
memory/2268-12-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/2768-28-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-33-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-26-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-27-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-20-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-19-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-30-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-31-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-32-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-24-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2768-34-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2768-36-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-37-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-38-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-39-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-40-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-41-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-42-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-43-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download
memory/2768-44-0x0000000000400000-0x0000000000A1A000-memory.dmp

Filesize
6.1MB

Download