Overview

overview

8

Static

static

3

95fe10af6b...88.exe

windows7-x64

7

95fe10af6b...88.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 02:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    95fe10af6be9480d1387f853187a3888.exe

  • Size

    823KB

  • MD5

    95fe10af6be9480d1387f853187a3888

  • SHA1

    7a611f6424f115feac9cca3fc62edbae393a0efd

  • SHA256

    5c47826106a2ffd683a79429dc90991c714ea4a7d57d4b82a2ca262bd511e289

  • SHA512

    d6356dbd5bb0387d46f06cdad05cb03de02e3fdac92cc7b3bf1e6f2ae9ea03b7a282922bce40fca58a80841b88ead8c91d391fff4c1b30ee7cb508f765c2d4a5

  • SSDEEP

    24576:qUUtONsaaPq7kQgnyi1AVS1fB8Ze1itMLNrn3m3b:58ONsPPq7vgl1AM6rKZr23b

Score
8/10
bootkitpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 6 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 33 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\95fe10af6be9480d1387f853187a3888.exe
    "C:\Users\Admin\AppData\Local\Temp\95fe10af6be9480d1387f853187a3888.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\ProgramData\privacy.exe
      C:\ProgramData\privacy.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3420
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3312
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2236
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:3660
  • C:\Windows\explorer.exe
    explorer.exe /LOADSAVEDWINDOWS
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4972
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4860
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4204
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies registry class
      PID:3964
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:1956
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
      PID:4736
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3184
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:8
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:1804
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4936
    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:716
    • C:\Windows\system32\sihost.exe
      sihost.exe
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\explorer.exe
        explorer.exe /LOADSAVEDWINDOWS
        2⤵
          PID:5004
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:5096
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
        1⤵
          PID:4280
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:4104
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
          • Suspicious use of SetWindowsHookEx
          PID:2640

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\privacy.exe
                Filesize

                808KB

                MD5

                bc7112d7e9a1af3db97234ee1e0d1b54

                SHA1

                29657d4406c85bbfceb352beded4fd67af856418

                SHA256

                a4911073224e79bc3ab1fe20ae291616f0567fa79b8e24b7421ca7b767f7c202

                SHA512

                426f5de28097e65bc4856f5614df544be826d2fb5265cac57dc381d70bfd0913afd75ef2a1007a042fde5ebd0606ac91ebb0bd83bf39b79ed57f32cc7e819a4f

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                Filesize

                471B

                MD5

                35438222d9a30e1e70126b281b67a753

                SHA1

                d970406c64ecdde12239697617e61499c495d61a

                SHA256

                d20f6f1281bb16a78ff3c9cbaf43792807ebdfc8010167183840741cff612639

                SHA512

                3bfb940f9528490e85b09fc14c6553d214ce96d64a63616422ee85415e12d1948dabcbc49a0afb9b37e1f6391f39c477d32f511bf50c81669e3705295ee8b63c

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                Filesize

                412B

                MD5

                028580bb3b943367a6bf3779ed8196c8

                SHA1

                0f276099526ceed1de2c7f7031ccbe0b8909602f

                SHA256

                3bb5c3a9948c40c31482efab10e070a3ff5a47e0850f965b48e0ce3cf0676bef

                SHA512

                e8103b003f8fc84dc96d80bd24effaab959c853e9007cf7e52b344cd8446507508ae0e46c1c5afc7cd318a0f8f04e9ef353aab2a036a0d2eca0c5441ba8f41f1

                Download Submit

              • C:\Users\Admin\AppData\Local\IconCache.db
                Filesize

                18KB

                MD5

                21c0e448b0fc48142ca556d6a4b7f773

                SHA1

                7c016196365a0b9f2ff88b98e4fc7aaf5bc81ece

                SHA256

                336419278e42e3c276d4b2155ce97be1f88b6ce243e9b373ffd4d1515aa92b2b

                SHA512

                5335df3ffd8665c89810c5b2b3d34819a3dc8c95c0e99019afe7e6ba0acce1e837cc6be82f0baab9dabc427a62f6857896f57449015c3b819936809c04aaa32e

                Download Submit

              • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
                Filesize

                1022B

                MD5

                51b3a166a00731f39e6811278b1fba03

                SHA1

                2eeaf874ac0f03ba743529fe29d2f3ee3aac06eb

                SHA256

                042930a728985e2a03de93dbe5952c72a172548433af8818802a47e6ea842c72

                SHA512

                42631b5cda9f3ea1a145227ee9a124e8be3fcf94815cba8fa0646c27a68da16111d5af734bf016f45ba40c24a4266691ab23d6370bb954aec26eaa53ed5f1e4f

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\{AC4B317E-DEF8-463E-AAC4-29F779E04896}.png
                Filesize

                6KB

                MD5

                099ba37f81c044f6b2609537fdb7d872

                SHA1

                470ef859afbce52c017874d77c1695b7b0f9cb87

                SHA256

                8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7

                SHA512

                837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a

                Download Submit

              • C:\Users\Public\Desktop\Privacy Protection.lnk
                Filesize

                672B

                MD5

                5cef1bf60b960ab2e1cd9ff57a879609

                SHA1

                97c5f69ff8cb865e6011b745a84b34d2fae1e66e

                SHA256

                aa9e1c9ed352ce801d9965a125eca51c644d331dd709fa498ffcffe08a8dfafa

                SHA512

                0330b58faf5c90ac021553796d71c0397417fa2a69439bcd5b09d6b910292c2cdc9128e05f220334d79b5519beab4d125d4dc8b390f5e8eafe95ba378a1aa3b7

                Download Submit

              • memory/8-34-0x0000026274DB0000-0x0000026274DD0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/8-36-0x0000026274D70000-0x0000026274D90000-memory.dmp

                Filesize

                128KB

                Download

              • memory/8-38-0x0000026275180000-0x00000262751A0000-memory.dmp

                Filesize

                128KB

                Download

              • memory/1804-61-0x0000000002960000-0x0000000002961000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1956-27-0x0000000004830000-0x0000000004831000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2408-1-0x00000000006C0000-0x00000000007C0000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/2408-7-0x0000000000400000-0x00000000004F9000-memory.dmp

                Filesize

                996KB

                Download

              • memory/2408-2-0x0000000000400000-0x00000000004F9000-memory.dmp

                Filesize

                996KB

                Download

              • memory/3420-98-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-106-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-19-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-18-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-63-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-113-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-15-0x0000000000B20000-0x0000000000C20000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/3420-112-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-80-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-79-0x0000000000B20000-0x0000000000C20000-memory.dmp

                Filesize

                1024KB

                Download

              • memory/3420-87-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-88-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-89-0x0000000000B10000-0x0000000000B11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3420-90-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-97-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-16-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-99-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-102-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-105-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-20-0x0000000000B10000-0x0000000000B11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/3420-107-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-110-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/3420-111-0x0000000000400000-0x0000000000A26000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/4936-65-0x00000000045C0000-0x00000000045C1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/5096-71-0x0000000004A20000-0x0000000004A21000-memory.dmp

                Filesize

                4KB

                Download