02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/03/2024, 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
Size

833KB
MD5

012fc9ab793f339043fe88eb3e28996f
SHA1

ca2000d8fb282a8d8e24e2b7f079455341f5ac9a
SHA256

02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32
SHA512

8d5f7cd85ca6b18b3361360f6174be54e437cf61d420c60400a34ea972dbd9b6381280614f63a887e91552ba874a60a6209d6d388ab8ac2593034e45faf138eb
SSDEEP

24576:8wj7QpalR342ddHjXglpvvB2+R4QmX8T4:8wjMpal5d8lph2+Rlmx

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1444	HKFX20~1.EXE
2420	www.cmder.com.exe

Loads dropped DLL 2 IoCs

pid	Process
860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HKFX20~1.EXE
File opened for modification	\??\PhysicalDrive0	www.cmder.com.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	www.cmder.com.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\www.cmder.com.exe	HKFX20~1.EXE
File opened for modification	C:\Windows\www.cmder.com.exe	HKFX20~1.EXE

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15\WpadDecisionReason = "1"	www.cmder.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	www.cmder.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}	www.cmder.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\WpadDecisionTime = f056100b4f72da01	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	www.cmder.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\WpadNetworkName = "Network 3"	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15\WpadDecision = "0"	www.cmder.com.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15\WpadDetectedUrl	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\WpadDecisionTime = b0869dd94e72da01	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15\WpadDecisionTime = b0869dd94e72da01	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	www.cmder.com.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\22-1f-6b-5e-b8-15	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	www.cmder.com.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-1f-6b-5e-b8-15\WpadDecisionTime = f056100b4f72da01	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\WpadDecisionReason = "1"	www.cmder.com.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B0A350E-8A80-4CD5-B11A-E6AFC8AEC92C}\WpadDecision = "0"	www.cmder.com.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1444	HKFX20~1.EXE
Token: SeDebugPrivilege	2420	www.cmder.com.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2420	www.cmder.com.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1444	860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe	28
PID 860 wrote to memory of 1444	860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe	28
PID 860 wrote to memory of 1444	860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe	28
PID 860 wrote to memory of 1444	860	02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe	28
PID 2420 wrote to memory of 2032	2420	www.cmder.com.exe	30
PID 2420 wrote to memory of 2032	2420	www.cmder.com.exe	30
PID 2420 wrote to memory of 2032	2420	www.cmder.com.exe	30
PID 2420 wrote to memory of 2032	2420	www.cmder.com.exe	30

C:\Users\Admin\AppData\Local\Temp\02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe
"C:\Users\Admin\AppData\Local\Temp\02fec5710656ad9adb7b1540e80eb42bcd7a44c09b0a1542c81bfc0bb474bc32.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1444

C:\Windows\www.cmder.com.exe
C:\Windows\www.cmder.com.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\HKFX20~1.EXE

Filesize
468KB

MD5
73b138e63de1f1efb03859d334313bc8

SHA1
778b926faf84ada04c3eac712e62fe69d804f1ce

SHA256
9e72b0bebd1a70edb51637991714fe1557635fe302cc5e49c74abfadcf7799ec

SHA512
3b18012a2d0800bd869b0890ea9341bfbe812a2535de7eb07917b1d771824ffd3c5966cbd2dd8bd8f6faef191f50280244ae2b5c8c24377122d848dcbc83d371

Download Submit
memory/860-34-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-44-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/860-30-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-27-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-0-0x0000000001000000-0x0000000001156000-memory.dmp

Filesize
1.3MB

Download
memory/860-25-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-24-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-23-0x0000000000D80000-0x0000000000D81000-memory.dmp

Filesize
4KB

Download
memory/860-22-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/860-21-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/860-20-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/860-19-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/860-18-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/860-17-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/860-16-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/860-15-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/860-14-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/860-13-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/860-12-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/860-11-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/860-10-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download
memory/860-9-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/860-7-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/860-6-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/860-5-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/860-4-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/860-3-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/860-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/860-31-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-33-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-32-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-35-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-26-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-8-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/860-90-0x0000000001000000-0x0000000001156000-memory.dmp

Filesize
1.3MB

Download
memory/860-1-0x00000000003C0000-0x0000000000414000-memory.dmp

Filesize
336KB

Download
memory/860-45-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-46-0x00000000031C0000-0x00000000031D0000-memory.dmp

Filesize
64KB

Download
memory/860-47-0x00000000035A0000-0x0000000003684000-memory.dmp

Filesize
912KB

Download
memory/860-43-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1444-59-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/1444-52-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1444-51-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/1444-54-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/1444-53-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/1444-49-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1444-56-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/1444-55-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1444-57-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/1444-58-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/1444-61-0x0000000000560000-0x000000000059A000-memory.dmp

Filesize
232KB

Download
memory/1444-60-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/1444-89-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1444-50-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1444-68-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/1444-65-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1444-67-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1444-48-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1444-66-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1444-69-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2420-76-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2420-73-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2420-72-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2420-71-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2420-74-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2420-75-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2420-92-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2420-97-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads