03b6c6768c646a743565f36ff617ed9a7aedabc418ba443d392261441f102746

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c30dd23bf4889ce2cd2f842373d31609.exe
Size

544KB
MD5

c30dd23bf4889ce2cd2f842373d31609
SHA1

2f896de2271259eef258ecf46addcbfe0b35ff45
SHA256

03b6c6768c646a743565f36ff617ed9a7aedabc418ba443d392261441f102746
SHA512

872e50fbfcbb6abe4cefa96074bb0d8dd8f5f88ae6ba03398192abf34223cb4ff0ecc629d77120dfa6addd24f836ad9f8b2fb6bda3c7d10b129224021a9fde06
SSDEEP

12288:HJUzLBeJqq8N1BB+pCqbX3xDUsVlUMMEcCoWz9:HG3BePm1BB+pZnKsVlUMMpv0

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	c30dd23bf4889ce2cd2f842373d31609.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse	c30dd23bf4889ce2cd2f842373d31609.exe
File created	C:\Program Files (x86)\Adobe Media Player\assets\iebbbce.jse	c30dd23bf4889ce2cd2f842373d31609.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main	c30dd23bf4889ce2cd2f842373d31609.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll\ = "uqnnnoq"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\IsShortcut	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll\ = "uqnnnoq"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers\	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\IsShortcut	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\NeverShowExt	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\NeverShowExt	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command\ = "WScript.exe /B \"C:\\Program Files (x86)Intel\\Logs\\gczzzac.jse\" \"%1\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\ = "????"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers\	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\CLSID	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\IconHandler	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex\ContextMenuHandlers	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\ = "????"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\DefaultIcon	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shellex	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\command\ = "WScript.exe /B \"C:\\Program Files (x86)Intel\\Logs\\gczzzac.jse\" \"%1\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\ = "open"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\ = "open"	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\uqnnnoq\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	wscript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.solll	wscript.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2168	c30dd23bf4889ce2cd2f842373d31609.exe
2168	c30dd23bf4889ce2cd2f842373d31609.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2652	2168	c30dd23bf4889ce2cd2f842373d31609.exe	28
PID 2168 wrote to memory of 2652	2168	c30dd23bf4889ce2cd2f842373d31609.exe	28
PID 2168 wrote to memory of 2652	2168	c30dd23bf4889ce2cd2f842373d31609.exe	28
PID 2168 wrote to memory of 2652	2168	c30dd23bf4889ce2cd2f842373d31609.exe	28
PID 2168 wrote to memory of 2400	2168	c30dd23bf4889ce2cd2f842373d31609.exe	29
PID 2168 wrote to memory of 2400	2168	c30dd23bf4889ce2cd2f842373d31609.exe	29
PID 2168 wrote to memory of 2400	2168	c30dd23bf4889ce2cd2f842373d31609.exe	29
PID 2168 wrote to memory of 2400	2168	c30dd23bf4889ce2cd2f842373d31609.exe	29
PID 2168 wrote to memory of 3064	2168	c30dd23bf4889ce2cd2f842373d31609.exe	33
PID 2168 wrote to memory of 3064	2168	c30dd23bf4889ce2cd2f842373d31609.exe	33
PID 2168 wrote to memory of 3064	2168	c30dd23bf4889ce2cd2f842373d31609.exe	33
PID 2168 wrote to memory of 3064	2168	c30dd23bf4889ce2cd2f842373d31609.exe	33
PID 2168 wrote to memory of 2768	2168	c30dd23bf4889ce2cd2f842373d31609.exe	35
PID 2168 wrote to memory of 2768	2168	c30dd23bf4889ce2cd2f842373d31609.exe	35
PID 2168 wrote to memory of 2768	2168	c30dd23bf4889ce2cd2f842373d31609.exe	35
PID 2168 wrote to memory of 2768	2168	c30dd23bf4889ce2cd2f842373d31609.exe	35

C:\Users\Admin\AppData\Local\Temp\c30dd23bf4889ce2cd2f842373d31609.exe
"C:\Users\Admin\AppData\Local\Temp\c30dd23bf4889ce2cd2f842373d31609.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe /B "C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse"
  2⤵
  - Modifies registry class
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$dss.bat
  2⤵
  PID:2400
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe /B "C:\Program Files (x86)Intel\Logs\gczzzac.jse" FirstSetup
  2⤵
  - Modifies registry class
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
  2⤵
  - Deletes itself
  PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)Intel\Logs\gczzzac.jse

Filesize
28KB

MD5
0e333bab9dc604f29cd1da6c34bacefa

SHA1
c78094283924e6dd7be6c0304eb74d2bfbd92e01

SHA256
b97bfd684f0fc41fa7f8bdddaa58497f93a1ac60327dc0b18e2c0353146047fe

SHA512
d18022aa87aaa7ad8669d102da828e9e92a3ff3a9a4825799234eb5cdaf13c7dab7863de484a39d21bc10c8b3d9b6b3c94f50472f3823cd79ec423aa029c453f

Download Submit
C:\Program Files (x86)\DriveTheLife\Drivers\mifffgi.jse

Filesize
1KB

MD5
1e4063e05d1eb1ecc08cf945df34d5ce

SHA1
6a78abb59b1b19d0493d8f2487b96688da78cdcf

SHA256
f9a887ddac026115c0dfe4fad564b7caac17c2c7d9237e3bb886cfebccdfd1c8

SHA512
b0f1bf871c692bc73985bf9c6d597b2eac2e7160252f7247b42d2f45544089db0d55df21d41d61eb10f14517a88c6dc59cd9a5fa51d13cc2b01de4da06485e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
245B

MD5
95011625d32cafc94926ff72a47314c1

SHA1
3a7393cb0c5ae57c6b94e468866f284fea092379

SHA256
9e318b924bfbbf77b346113a3291429b6aee309c756c0b8d74ebb1c055612f14

SHA512
ce0f8c07703799d4abc440713b7331e26aeea84d031eb29820b3eddc5cbce5d9230fd7821170cd4133b8b3b806c0915f7ac3190fccc3916e4c8c79217f21540d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dss.bat

Filesize
246B

MD5
b211c858d10413d5a58614b36a4c2c86

SHA1
5c374bd632cc5199c6e73bee53567a6e4f0787e1

SHA256
1ffc57fda104ab8bd80a025624bd558d1b69332f55cb20844c5122c7af0e3654

SHA512
a65ff4d4658fb409f2470cbeef5e128bf6ef439bef9c6dc3046afa19ff731ae349571f0dcf50dc20932f3508e43049a3a9455a9a4d6861b3a7fb1f312a5d3f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaoBao.tmp

Filesize
143B

MD5
fdbe75eee63e579fc4d54d5e96ffdc05

SHA1
6e4e0665f4ef8f058f815d9457f55d1fd1b1681e

SHA256
4434bbb1a63da852a06a95cae272a9387e045f2327f1aa71b10e8e524761ff44

SHA512
2a478daeded3250d3dfa1ac0d8d3f6fe763bccd29d8b116e4b7db5e28f6c2ba6cf5d19e44db1e1c4a4f10df5aab87c1196c8140b5bcc34a997853f6b971a2f8b

Download Submit
memory/2168-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2168-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2168-39-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads