Resubmissions

16-03-2024 17:14

240316-vsg33ahc39 7

16-03-2024 17:12

240316-vqyb9shb94 10

16-03-2024 15:47

240316-s8g2wsea5y 10

General

  • Target

    Windows.zip

  • Size

    9.4MB

  • Sample

    240316-s8g2wsea5y

  • MD5

    35b2ef10409d648aad35972f9b778865

  • SHA1

    4313bbefce6164a7b62f7712acabe1bb8b717357

  • SHA256

    28216f94328e942434bc24d7af60ce691f46f2ac5f1381d6ac093d32e65489a5

  • SHA512

    df0245f4e1c97e45ac3d94c084d372403cb516aea6c8986ea59fe41eec28c3a7901f5ff846983c3042f736faf6e7f5182192007db8a058da5837cbe19cb16cca

  • SSDEEP

    196608:dym3jqbHw/507vuvQ+rD7CtapiWT5l+6pEClVTDNY3fozOtmgrnTi3w36W:E2qbQ/m7mvYeis5l+6y8YvoKDt5


Targets

    • Target

      BUG32.exe

    • Size

      3.0MB

    • MD5

      149cc2ec1900cb778afb50d8026eadf5

    • SHA1

      a7bc1bbc7bdc970757ec369ef0b51dc53989f131

    • SHA256

      817a695e53a1d6e24f2c701751b4d18468f20698f30fada420dfba6e21a09797

    • SHA512

      d617654478beb6325d86c108cddaff8f8d658a235d26b8e0282ed85dca826bdb62b0b67e749c7cd421dbae1d98084220e2f4d5779badb8fd7ab07ff333a35553

    • SSDEEP

      49152:Or2U5IahDUGN97rkqOAackLjQ0rZEAh3oA6wHE+K60Kk0aCLkfAZKt0OJTcL:4H2ahFNNrg3QbQoA6wHEnFN4IJu

    • Modifies WinLogon for persistence

    • UAC bypass

    • Renames multiple (156) files with added filename extension

      This is consistent with ransomware encrypting files across the system and appending its own extension.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Drops startup file

    • Modifies system executable filetype association

    • Reads user/profile data of web browsers

      Infostealers commonly harvest stored browser data, which can include saved credentials and other sensitive account data.

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Windows/Bonzify.exe

    • Size

      6.4MB

    • MD5

      9c352d2ce0c0bdc40c72f52ce3480577

    • SHA1

      bd4c956186f33c92eb4469f7e5675510d0790e99

    • SHA256

      d7e6580054525d3f21f86edfc9f30b7a75ffa829a1eb67ee3cab33f0040dba4e

    • SHA512

      c1926d59272df0e049467f4497bcc3631bbc1aa5337e87f4af31bfdba60c9ef460e394380024ffa7e71fef8938761d48d75e9dc93dc7529d2b9c8c638dddae92

    • SSDEEP

      196608:/dAMaWetTeAkLIdx751qFTkub//73lc6u7b5VJ2Yx5xIdk3:naWedh+Idx75QYub//73lc6u7bLMYxD

    • Modifies AppInit DLL entries

    • Modifies Installed Components in the registry

    • Possible privilege escalation attempt

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Target

      BossDaMajor.exe

    • Size

      1.9MB

    • MD5

      38ff71c1dee2a9add67f1edb1a30ff8c

    • SHA1

      10f0defd98d4e5096fbeb321b28d6559e44d66db

    • SHA256

      730a41a7656f606a22e9f0d68782612d6e00ab8cfe1260160b9e0b00bc2e442a

    • SHA512

      8347782951f2647fe433482cb13186653afa32ee9f5be83a138c4ed47ff34d8de66a26e74b5a28ea21c1529b2078401922a9a26803772677b70489967c10f3e9

    • SSDEEP

      49152:veG3J7FtM9SbJakTiTBMGSARaspyyx979PSxgKFdGlYU:2GZxSoJrTiTBMGtRa8t7EFddU

    • Modifies WinLogon for persistence

    • UAC bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Modifies system executable filetype association

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      FakeGoldenEye.exe

    • Size

      76KB

    • MD5

      26758407117c78422332c443ca7ed21d

    • SHA1

      9ab022e854166f4ec567d2ed4cf15880c13b3d95

    • SHA256

      2900dcc4246afc601ada049b127c4344fa917acf1689a6a4748ee72f93f503ed

    • SHA512

      ddbc118d3124508e4a9493b0d55eced154ae41c641f852f49b7f2b72fb9770d5af7ccf913b65e87bd9d66a4e0064d47bebd62e38cc03953c30d48ece13d501ee

    • SSDEEP

      1536:5GIHamLYZy4hk7CR8yrO1gStZ6PjydhiAphYjy:rRfi88OOKZSjioJjy

    • Score

      6/10

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence below the operating system: their code runs at boot, before Windows and any security tooling are loaded.

    • Target

      PCToaster.exe

    • Size

      411KB

    • MD5

      04251a49a240dbf60975ac262fc6aeb7

    • SHA1

      e211ca63af2ab85ffab1e5fbbdf28a4ef8f77de0

    • SHA256

      85a58aa96dccd94316a34608ba996656a22c8158d5156b6e454d9d69e6ff38c3

    • SHA512

      3422a231e1dadb68d3567a99d46791392ecf5883fd3bbc2cae19a595364dac46e4b2712db70b61b488937d906413d39411554034ffd3058389700a93c17568d2

    • SSDEEP

      3072:quJFS5Aqu+WwjxeI/0gVnfKl0FA+aPobO24yNz88iu8vDYHTlI5EJD5Hbibfd6PK:/JM0mCsWq1/qpz+nF5c

    • Score

      7/10

    • Target

      Bolbi.vbs

    • Size

      46KB

    • MD5

      99ec3237394257cb0b5c24affe458f48

    • SHA1

      5300e68423da9712280e601b51622c4b567a23a4

    • SHA256

      ec17f950f6ee9c0c237d93bc0b766aa6e2ab458c70320b534212043128177b51

    • SHA512

      af2394d18f672def6d5d7081def759093759205aac0390ca03591c58c15a02e463a68b583b6fc28ef1368922b4bd5f9072d570ee97a955250a478cdb093500cb

    • SSDEEP

      384:m71ThEgivcqpCghtpCAhDnVLri57VurlgRL1xCLI05ej+1DPpUo/i/vFCbWZkraB:m7BGV95hIG1/d49gsCDsl

    • UAC bypass

    • Blocklisted process makes network request

    • Disables cmd.exe use via registry modification

    • Modifies Installed Components in the registry

    • Possible privilege escalation attempt

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely for geofencing.

    • Modifies file permissions

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry
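Most of the behaviours in the list above are plain registry writes (the Winlogon Shell/Userinit hijack, the DisableRegistryTools, DisableTaskMgr and DisableCMD policies, Run keys, AppInit_DLLs, Image File Execution Options, the exefile association and the wallpaper value). The block below is an added example, not part of this report or of the sandbox's own signature engine: it tags registry writes shaped like Sysmon Event ID 13 (RegistryEvent: Value Set) with the signature names used on this page and an ATT&CK technique. The rule table, the helper names and the sample process, path and data values are all assumptions constructed for the example; the "Checks computer location settings" behaviour is a registry read and so is out of scope for a value-set rule.

```python
"""Tag registry writes with the behaviour signatures used in this report.

Added example, not sandbox output. The records below are constructed to
resemble Sysmon Event ID 13 (RegistryEvent: Value Set) fields; the rule
table, helper names and sample values are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegEvent:
    image: str    # process that wrote the value (Sysmon "Image")
    target: str   # hive\key\value name   (Sysmon "TargetObject")
    details: str  # new data as Sysmon renders it (Sysmon "Details")


def normalise(path: str) -> str:
    """Upper-case, fold HKU\\<SID> into HKCU, HKLM\\SOFTWARE\\Classes into HKCR, drop Wow6432Node."""
    p = path.upper()
    p = re.sub(r"^HKU\\S-1-5-21-[0-9-]+\\", r"HKCU\\", p)
    p = re.sub(r"^HKLM\\SOFTWARE\\CLASSES\\", r"HKCR\\", p)
    return p.replace("\\WOW6432NODE", "")


def dword(details: str):
    """Integer from Sysmon's 'DWORD (0x00000001)' rendering, or None for non-DWORD data."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]+)\)", details)
    return int(m.group(1), 16) if m else None


POLICY = r"^(HKCU|HKLM)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM\\"
WINLOGON = r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\"
WINNT = r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\"
# Stock data for the two Winlogon values malware most often hijacks.
WINLOGON_DEFAULTS = {"explorer.exe", r"c:\windows\system32\userinit.exe,"}

# (signature name from the report, ATT&CK technique, normalised-path regex, predicate on new data)
RULES = [
    ("Modifies WinLogon for persistence", "T1547.004",
     re.compile(WINLOGON + r"(SHELL|USERINIT)$"),
     lambda d: d.strip().lower() not in WINLOGON_DEFAULTS),
    ("Disables RegEdit via registry modification", "T1562.001",
     re.compile(POLICY + r"DISABLEREGISTRYTOOLS$"), lambda d: (dword(d) or 0) != 0),
    ("Disables Task Manager via registry modification", "T1562.001",
     re.compile(POLICY + r"DISABLETASKMGR$"), lambda d: (dword(d) or 0) != 0),
    ("Disables cmd.exe use via registry modification", "T1562.001",
     re.compile(r"^HKCU\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\SYSTEM\\DISABLECMD$"),
     lambda d: (dword(d) or 0) != 0),
    ("Adds Run key to start application", "T1547.001",
     re.compile(r"^(HKCU|HKLM)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?\\[^\\]+$"),
     lambda d: True),
    ("Modifies AppInit DLL entries", "T1546.010",
     re.compile(WINNT + r"WINDOWS\\APPINIT_DLLS$"), lambda d: d.strip() != ""),
    ("Sets file execution options in registry", "T1546.012",
     re.compile(WINNT + r"IMAGE FILE EXECUTION OPTIONS\\[^\\]+\\DEBUGGER$"), lambda d: True),
    ("Modifies system executable filetype association", "T1546.001",
     re.compile(r"^HKCR\\EXEFILE\\SHELL\\OPEN\\COMMAND\\\(DEFAULT\)$"),
     lambda d: d.strip() != '"%1" %*'),
    ("Sets desktop wallpaper using registry", "T1491",
     re.compile(r"^HKCU\\CONTROL PANEL\\DESKTOP\\WALLPAPER$"), lambda d: True),
]


def classify(events):
    """One hit per (event, matching rule); writes that restore defaults or clear a policy yield nothing."""
    hits = []
    for ev in events:
        path = normalise(ev.target)
        for name, technique, pattern, accept in RULES:
            if pattern.search(path) and accept(ev.details):
                hits.append({"image": ev.image, "signature": name,
                             "technique": technique, "target": ev.target})
    return hits


def techniques(hits):
    """Distinct ATT&CK technique IDs seen, the same roll-up the matrix below presents."""
    return sorted({h["technique"] for h in hits})


# Constructed sample events: process names echo the report's targets, but the
# paths and data are illustrative, not sandbox output.
SID = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    RegEvent("BUG32.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
             r"explorer.exe, C:\Users\Public\bug32.exe"),
    RegEvent("BUG32.exe", SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
             "DWORD (0x00000001)"),
    RegEvent("Bonzify.exe", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
             r"C:\Windows\System32\bz.dll"),
    RegEvent("wscript.exe", SID + r"\Software\Policies\Microsoft\Windows\System\DisableCMD",
             "DWORD (0x00000002)"),
    # Benign: a policy explicitly cleared to 0, and an unrelated service key.
    RegEvent("svchost.exe", SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
             "DWORD (0x00000000)"),
    RegEvent("services.exe", r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\Start", "DWORD (0x00000002)"),
]

if __name__ == "__main__":
    for h in classify(SAMPLE_EVENTS):
        print(f"{h['technique']:<10} {h['signature']:<50} {h['image']}")
```

The predicates matter as much as the paths: a write of DisableTaskMgr = 0 or of Shell = explorer.exe is a remediation or a default, and a rule that fires on the path alone will page on every GPO refresh. Feeding the same rule table with the process name lets a triage script attribute each hit to the dropped executable, which is how the per-target lists above are built.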
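The bootkit behaviour flagged on FakeGoldenEye.exe above (Writes to the Master Boot Record) is easiest to confirm by inspecting the first sector itself. The following is an added example, not the report's or the sandbox's own tooling: it parses a 512-byte MBR, validates the 0x55AA boot signature and the four partition entries, and compares the 446-byte boot-code region with a baseline hash. Both sectors and the baseline are constructed inline and are assumptions for illustration.

```python
"""Spot an overwritten MBR by comparing the boot-code region with a baseline.

Added example, not part of the original report. The sectors below stand in
for the first 512 bytes of \\\\.\\PhysicalDrive0 or of a disk image; the
'clean' boot code and the baseline hash are assumptions.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446           # bytes 0..445 hold the boot loader
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511
PART_FMT = "<B3xB3xII"        # status, CHS start(skip), type, CHS end(skip), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack(PART_FMT, entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_sha256: str) -> dict:
    """Parse the sector and list every deviation from a known-good layout."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    info["findings"] = findings
    info["tampered"] = bool(findings)
    return info


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a sector from boot code plus (bootable, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins: a 'clean' loader body, and one where a bootkit has
# overwritten the start of the boot code with its own stub but kept the
# partition table intact so the OS still boots.
CLEAN_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
PARTITIONS = [(True, 0x07, 2048, 1_000_000), (False, 0x07, 1_002_048, 500_000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # recorded while the host was known-good
TAMPERED_MBR = build_mbr(b"\xEB\x1E" + b"\xCC" * 64 + CLEAN_BOOT_CODE[66:], PARTITIONS)

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(mbr, BASELINE)
        print(label, "tampered" if result["tampered"] else "ok", result["findings"])
```

On a live host the sector comes from reading the first 512 bytes of the physical drive (an administrative handle on \\.\PhysicalDrive0) or from a forensic image. A changed boot-code hash with an unchanged partition table is the classic bootkit footprint: the malware has to preserve the partitions to hand control back to the original loader, so the partition entries are the wrong place to look and the boot code is the right one.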

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count the sandbox reports for it; sub-techniques are nested under their parent.

Persistence

  • Boot or Logon Autostart Execution (T1547): 8
    • Registry Run Keys / Startup Folder (T1547.001): 6
    • Winlogon Helper DLL (T1547.004): 2
  • Event Triggered Execution (T1546): 2
    • Change Default File Association (T1546.001): 2
  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 8
    • Registry Run Keys / Startup Folder (T1547.001): 6
    • Winlogon Helper DLL (T1547.004): 2
  • Abuse Elevation Control Mechanism (T1548): 3
    • Bypass User Account Control (T1548.002): 3
  • Event Triggered Execution (T1546): 2
    • Change Default File Association (T1546.001): 2

Defense Evasion

  • Modify Registry (T1112): 19
  • Abuse Elevation Control Mechanism (T1548): 3
    • Bypass User Account Control (T1548.002): 3
  • Impair Defenses (T1562): 3
    • Disable or Modify Tools (T1562.001): 3
  • Hide Artifacts (T1564): 1
    • Hidden Files and Directories (T1564.001): 1
  • File and Directory Permissions Modification (T1222): 3
  • Pre-OS Boot (T1542): 1
    • Bootkit (T1542.003): 1
  • Subvert Trust Controls (T1553): 1
    • Install Root Certificate (T1553.004): 1

Credential Access

  • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 10
  • System Information Discovery (T1082): 11
  • Peripheral Device Discovery (T1120): 4

Collection

  • Data from Local System (T1005): 1

Impact

  • Defacement (T1491): 1
