Analysis
- max time kernel: 139s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-03-2024 05:27
Static task: static1
Behavioral task: behavioral1
- Sample: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
- Resource: win10v2004-20240226-en
General
- Target: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
- Size: 1.6MB
- MD5: f06289187cf808ecff5d056ee633894a
- SHA1: 94c2cb9df16bc52d5c4342ebb506dae6c35335b9
- SHA256: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5
- SHA512: 13ac32c52ce9aae54445772af0a5b413456e22047425ab73b1486f1590401384062ca65140f90c3955d1b7235f57c4a7fc1c972e9811a9573f42baa2f73fdaba
- SSDEEP: 49152:3/Nnfd+Cz+puNrWX+YFIvRYLZ7RqvCMxr86BO5J:PNnf4Cz+8NrWX+YF570vCMw5J
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - File opened for modification: \??\PhysicalDrive0
- Modifies registry class (11 IoCs)
  Processes: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}\idno = "1"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories\{6BC04964-67B7-4d50-BB9B-3653A5C305B3}\idex = "60d4eeefa1ba79eb0ee1c92fcfe1b9ab"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8AB9CCC4-75EC-438b-B6C0-D8D78882A12D}\Implemented Categories
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "9A1691CF0DC34890DA3EE08EF8DC290C"
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - PID 1300: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - PID 1300: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - PID 1300: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - PID 1300: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  - PID 1300: bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bde11b06b5ca98c10855cd656c3ccc9558eed98869a868b6aa793c6065f71cb5.exe"
  PID: 1300
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage