Overview

overview

10

Static

static

3

c16723e4a5...be.exe

windows7-x64

10

c16723e4a5...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2024, 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c16723e4a57711813e198a40582ac7be.exe

  • Size

    956KB

  • MD5

    c16723e4a57711813e198a40582ac7be

  • SHA1

    ca5409bb26dbaa4bc7396b2e81adb734fc60ccf9

  • SHA256

    8f2dad334e7d146f5f68b839b449976033fc9b8e4e233bce4f2c2032ad41b6e3

  • SHA512

    e86158fa87caa904d30b36745da2ba7b70f555c9a218d68aafdc6f5b024999d817b03bfaaea66155413a1fd3b38b79ef760988eeed47b6a3773cd794ab9108f9

  • SSDEEP

    24576:8NdWWi1OHS0R4bYiwYrZ+YPFnUm1Y2A9Q9JNds6syh:8NdtOeS06bpcYNUmm2A69JN66th

Score
10/10
bootkitevasionpersistence

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 10 IoCs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c16723e4a57711813e198a40582ac7be.exe
    "C:\Users\Admin\AppData\Local\Temp\c16723e4a57711813e198a40582ac7be.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\c16723e4a57711813e198a40582ac7be.exe
      "C:\Users\Admin\AppData\Local\Temp\c16723e4a57711813e198a40582ac7be.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe
        "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4840
        • C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe
          "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe"
          4⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of SetThreadContext
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3896
          • C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe
            "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe"
            5⤵
            • Adds policy Run key to start application
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1712
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4460
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:3620
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4612
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:4192
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4432
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:3436
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3596
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe:*:Enabled:Windows Messanger" /f
                7⤵
                • Modifies firewall policy service
                • Modifies registry key
                PID:372
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4632

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\z607g2ssn.exe
      Filesize

      676KB

      MD5

      45033334a78ebe0cf821edb6f41bda29

      SHA1

      d89d1335e95883599b973603bb391eb1c0a3654d

      SHA256

      70da12e65e60b8dcb88a4f154e3be5c0fafbd71cf069c19f6a66e1e9ca15e5ff

      SHA512

      98053a7e296f1398c6fe6e142a424710546ad42d92729b47e26f6076a2a4e7231d551c3d3614b1ecf1ef03320d72eb5e21b37878eb29e5c2684582beb2740c7a

      Download Submit

    • memory/1712-48-0x0000000077520000-0x0000000077610000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1712-64-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-87-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-84-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-77-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-29-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-32-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-73-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-41-0x0000000077520000-0x0000000077610000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1712-43-0x0000000077686000-0x0000000077687000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-42-0x00000000772E0000-0x000000007735A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/1712-49-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-70-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-80-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-44-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-52-0x00000000772E0000-0x000000007735A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/1712-54-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-57-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-60-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-47-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/1712-67-0x0000000000400000-0x0000000000470000-memory.dmp

      Filesize

      448KB

      Download

    • memory/3896-33-0x0000000000400000-0x0000000000475000-memory.dmp

      Filesize

      468KB

      Download

    • memory/3896-26-0x0000000000400000-0x0000000000475000-memory.dmp

      Filesize

      468KB

      Download

    • memory/3896-23-0x0000000000400000-0x0000000000475000-memory.dmp

      Filesize

      468KB

      Download

    • memory/4444-4-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/4444-2-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download

    • memory/4444-21-0x0000000000400000-0x00000000004BC000-memory.dmp

      Filesize

      752KB

      Download