Analysis

  • max time kernel
    150s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
  • submitted
    17-03-2024 11:19

General

  • Target

    d0be347179715db77e40ef4a50439da2.exe

  • Size

    946KB

  • MD5

    d0be347179715db77e40ef4a50439da2

  • SHA1

    4b94bc600735eb5eed60a471dd788e7d0e2586b8

  • SHA256

    767c367613633db9798a37c366a0166e132bef1ebd74b7a51c28711d42bb1e83

  • SHA512

    2d56ead24db04d054fac5c737acb99449cb9317ff3865db89d7dded4d72cfa702d129850504d11b1abe85367cad5f40c0524d1b6fab86b33aa7ae238b7ea8e40

  • SSDEEP

    24576:wSW+8M9O1qYOrrfGkFpuJieh6NvZKPubpeM:U9NPOrKkWJieh65Zte

Malware Config

Signatures

  • Modifies Installed Components in the registry (2 TTPs, 4 IoCs)
  • Executes dropped EXE (1 IoC)
  • UPX packed file (3 IoCs)
    Detects executables packed with UPX/modified UPX open source packer.
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates connected drives (3 TTPs, 29 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
    SCSI information is often read in order to detect sandboxing environments.
  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies data under HKEY_USERS (64 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: RenamesItself (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (64 IoCs)
  • Suspicious use of SendNotifyMessage (64 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)
  • Uses Task Scheduler COM API (1 TTP)
    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
  • Uses Volume Shadow Copy WMI provider
    The Volume Shadow Copy service is used to manage backups/snapshots.
  • Uses Volume Shadow Copy service COM API
    The Volume Shadow Copy service is used to manage backups/snapshots.
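The "UPX packed file" signature above says it also covers modified UPX builds, which typically rename the UPX0/UPX1 sections, so a section-name check alone is not enough. What survives renaming is the layout: the first section has zero bytes on disk but a large virtual size, because the stub unpacks into it at runtime. The memory dumps listed further down are consistent with that layout (the 946KB submitted file is mapped as a 2.9MB image at 0x400000 in PID 2028, and the 860KB dropped defender.exe as a 6.1MB image in PID 4516). The following is an added example, not code from the sandbox or from the sample: a small PE section-table parser with both heuristics. The PE images it inspects are constructed in memory, since the submitted file itself is not on this page; the names `parse_sections`, `assess_upx` and `build_sample_pe` are this example's own.

```python
import struct

# Added example, not part of the sandbox report. Parses the section table of a PE
# file and applies two UPX heuristics: section names (UPX0/UPX1/UPX2) and the
# UPX layout where the first section has no bytes on disk but a large virtual
# size (the region the stub unpacks into). The sample PE images built below are
# constructed in memory; they are not the submitted file.

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(data: bytes) -> list:
    """Return the section headers of a PE image as dicts (name, sizes, offsets)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    _machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(COFF_HDR, data, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_HDR) + opt_size
    sections = []
    for i in range(nsec):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from(
            SECTION_HDR, data, sec_off + i * struct.calcsize(SECTION_HDR))
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_pointer": raw_ptr, "characteristics": chars,
        })
    return sections


def assess_upx(data: bytes) -> dict:
    """Combine the section-name check with the empty-on-disk first-section check."""
    sections = parse_sections(data)
    reasons = []
    upx_named = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    if upx_named:
        reasons.append("UPX section names: " + ", ".join(upx_named))
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0:
        reasons.append("first section is empty on disk but 0x%X bytes in memory"
                       % sections[0]["virtual_size"])
    return {"sections": [s["name"] for s in sections],
            "likely_upx": bool(reasons), "reasons": reasons}


def build_sample_pe(section_names, first_section_empty_on_disk=True) -> bytes:
    """Constructed minimal PE32+ image: DOS header, COFF header, zeroed optional header, sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew
    opt_size = 0xF0                                  # size of IMAGE_OPTIONAL_HEADER64
    coff = struct.pack(COFF_HDR, 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if (i == 0 and first_section_empty_on_disk) else 0x1000
        secs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                            0x20000, 0x1000 * (i + 1), raw, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for names, empty in ((["UPX0", "UPX1", ".rsrc"], True),      # stock UPX
                         ([".text", ".data", ".rsrc"], True),    # renamed sections, same layout
                         ([".text", ".data", ".rsrc"], False)):  # ordinary linker output
        print(assess_upx(build_sample_pe(names, empty)))
```

Run against a real file with `assess_upx(open(path, "rb").read())`. A hit on the layout heuristic alone means "packed, possibly not UPX"; the practical next step is the same either way: take the unpacked image from the process memory dump (the 0x400000 regions above) rather than trying to reverse the stub.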

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe
    "C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\ProgramData\defender.exe
      C:\ProgramData\defender.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Writes to the Master Boot Record (MBR)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4516
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    PID:3272
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:1908
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:872
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2060
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2800
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3292
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4292
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:2972
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SendNotifyMessage
      PID:980
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4752
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    PID:2740
  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4084
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      2⤵
      • Modifies Installed Components in the registry
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1980
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies registry class
    PID:4816
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
    1⤵
    PID:4800
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1164
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2036
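Only two processes in the tree above belong to the sample: the submitted file in AppData\Local\Temp (PID 2028) and the C:\ProgramData\defender.exe it spawns (PID 4516), which carries "Executes dropped EXE", "Adds Run key to start application" and the MBR write. The sihost.exe, explorer.exe /LOADSAVEDWINDOWS, StartMenuExperienceHost.exe, SearchApp.exe and OfficeClickToRun.exe entries are the analysis VM's own desktop session, and "Modifies Installed Components in the registry" fires only on those explorer.exe instances, which is consistent with Active Setup's normal per-user processing rather than with the sample. The chain worth alerting on is therefore "temp-directory parent spawns a child from a drop location, and the child registers itself in an autorun key". The following is an added example, not code from the sandbox: it correlates constructed process-creation and registry-write events to flag exactly that chain. The PIDs and image paths are the ones the report shows; the parent of PID 2028, the Run value name and the Active Setup key are hypothetical, and the functions `find_dropper_chains` and `_in_dir` are this example's own.

```python
from collections import defaultdict

# Added example, not part of the sandbox report. Correlates process-creation and
# registry-write events to flag a dropper chain: a binary running from a user
# temp directory spawns a binary in a drop location, and the child registers
# itself in an autorun key. Events are constructed; PIDs and image paths match
# the report above, the parent PID 5000, the Run value name "Malware Protection"
# and the Active Setup key are hypothetical.

STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\")
DROP_DIRS = ("c:\\programdata\\", "\\appdata\\roaming\\", "c:\\users\\public\\")
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
                "\\active setup\\installed components")

PROCESS_EVENTS = [  # Sysmon event 1 style: pid, parent pid, image path
    {"pid": 2028, "ppid": 5000, "image": r"C:\Users\Admin\AppData\Local\Temp\d0be347179715db77e40ef4a50439da2.exe"},
    {"pid": 4516, "ppid": 2028, "image": r"C:\ProgramData\defender.exe"},
    {"pid": 872, "ppid": 5000, "image": r"C:\Windows\system32\sihost.exe"},
    {"pid": 2060, "ppid": 872, "image": r"C:\Windows\explorer.exe"},
]
REGISTRY_EVENTS = [  # Sysmon event 13 style: pid, key, value name, data written
    {"pid": 4516, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Malware Protection", "data": r"C:\ProgramData\defender.exe"},
    {"pid": 2060, "key": r"HKCU\Software\Microsoft\Active Setup\Installed Components\{hypothetical-guid}",
     "value": "Version", "data": "1,0,0,0"},
]


def _in_dir(path: str, dirs) -> bool:
    """Case-insensitive substring match of a path against a tuple of directory fragments."""
    p = path.lower()
    return any(d in p for d in dirs)


def find_dropper_chains(proc_events, reg_events) -> list:
    """Flag children in DROP_DIRS whose parent runs from STAGING_DIRS; raise severity
    when the child wrote an autorun entry pointing at its own image."""
    by_pid = {e["pid"]: e for e in proc_events}
    autoruns = defaultdict(list)
    for r in reg_events:
        if any(k in r["key"].lower() for k in AUTORUN_KEYS):
            autoruns[r["pid"]].append(r)
    findings = []
    for e in proc_events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if not (_in_dir(e["image"], DROP_DIRS) and _in_dir(parent["image"], STAGING_DIRS)):
            continue
        self_registered = [r for r in autoruns[e["pid"]]
                           if r["data"].lower() == e["image"].lower()]
        findings.append({
            "pid": e["pid"], "image": e["image"], "parent_image": parent["image"],
            "autorun_entries": [r["key"] + "\\" + r["value"] for r in self_registered],
            "severity": "high" if self_registered else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_dropper_chains(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f)
```

The explorer.exe Active Setup write is deliberately left unflagged: the rule keys on the parent-child relationship first and uses the registry write only to raise severity, so the VM's own logon noise does not produce a finding on its own.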

Network

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of signatures above that map to it.

  • Persistence
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (2)
    • T1542 Pre-OS Boot (1)
      • T1542.003 Bootkit (1)
  • Privilege Escalation
    • T1547 Boot or Logon Autostart Execution (2)
      • T1547.001 Registry Run Keys / Startup Folder (2)
  • Defense Evasion
    • T1112 Modify Registry (3)
    • T1542 Pre-OS Boot (1)
      • T1542.003 Bootkit (1)
  • Discovery
    • T1012 Query Registry (3)
    • T1120 Peripheral Device Discovery (2)
    • T1082 System Information Discovery (3)
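The T1542.003 Bootkit mapping comes from the "Writes to the Master Boot Record (MBR)" signature, attributed in the process tree to C:\ProgramData\defender.exe (PID 4516). The report records that a write happened but not what the sector looks like afterwards, so on an affected host the question becomes: did the bootstrap code change, or only the partition table? A bootkit has to keep the partition table and the 0x55AA signature intact or the machine stops booting, so those two checks passing proves nothing; the useful comparison is the hash of bytes 0 to 445 against a known-good baseline. The following is an added example, not code from the sandbox or from the sample: an MBR parser and differ over two constructed 512-byte sectors. The names `parse_mbr`, `diff_mbr` and `make_sample_mbr` are this example's own, and the replacement boot code is a stand-in, not the sample's.

```python
import hashlib
import struct

# Added example, not part of the sandbox report. Parses a 512-byte MBR sector,
# hashes the bootstrap code (bytes 0-445) separately from the partition table
# (bytes 446-509) and the 0x55AA signature, and diffs a current sector against a
# trusted baseline. Both sectors below are constructed stand-ins.

SECTOR = 512
BOOTCODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
SIG_OFF = 510


def parse_mbr(sector: bytes) -> dict:
    """Return signature validity, SHA-256 of the boot code, and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFF:] == b"\x55\xAA",
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Separate 'boot code replaced' from 'partition table changed' and list every changed offset."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    return {
        "signature_ok": c["signature_ok"],
        "bootcode_changed": b["bootcode_sha256"] != c["bootcode_sha256"],
        "partition_table_changed": b["partitions"] != c["partitions"],
        "changed_offsets": [i for i in range(SECTOR) if baseline[i] != current[i]],
    }


def make_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sector: the given boot code, one bootable NTFS partition at LBA 2048, 0x55AA."""
    sector = bytearray(SECTOR)
    code = bootcode[:BOOTCODE_LEN]
    sector[:len(code)] = code
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF,
                     0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 409600)
    sector[SIG_OFF:] = b"\x55\xAA"
    return bytes(sector)


# Stand-ins: the first seven bytes of CLEAN_BOOTCODE are the usual opening of a
# Windows MBR (xor ax,ax / mov ss,ax / mov sp,7C00h); the rest is padding.
# HOOKED_BOOTCODE is a constructed replacement (a jmp-to-self loop), not a real bootkit.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 100
HOOKED_BOOTCODE = b"\xEB\xFE" + b"\x00" * 10


if __name__ == "__main__":
    # On a live Windows host (administrator required) the current sector is read with
    #   open(r"\\.\PhysicalDrive0", "rb").read(512)
    baseline = make_sample_mbr(CLEAN_BOOTCODE)
    print(diff_mbr(baseline, make_sample_mbr(HOOKED_BOOTCODE)))
```

Take the baseline from a pre-infection image or from a clean install of the same Windows version, not from the suspect host. Two caveats: on a UEFI system with a GPT disk the sector holds only a protective MBR that the firmware never executes, so a changed boot code there is a tamper indicator but not a working bootkit; and a bootkit that lives in the VBR or the boot manager rather than the MBR will not show up in this comparison at all.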

Downloads

  • C:\ProgramData\defender.exe (860KB)
    MD5     aa4e5c7054d22802f163c22997a71c1e
    SHA1    d3e6aa99876fa005d2ab78a3759ef4e60f8829a0
    SHA256  f54df95030a04f6bf2902f12176d1d4874a36b0eba39ac404d14705afc9711ef
    SHA512  382ae78fd41c42fe110e296c0af6c58c4a5153416f12b882811832c8bbc0aa6025b10be631a8ea1daea1f33fc95480b1bd4c1c893d7d7870e1ea58f281cfb102
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 (471B)
    MD5     17e15b91176fa10ea50ff1dda4af7466
    SHA1    f90dd63484674bf3aa002c46b4f3eaf82c640937
    SHA256  5da18606da5d31eb297e6374a10c34ea0c381218ecac2fe3a49cead14cf03156
    SHA512  10cb8095177f5ff38008d7ad6d015f76cdb799c67910ecb8db72d9c22d1f4a665c058d314bb5e24d8545aa57d74cee1638630cb8b984f5fa53268e92a42e727c
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53 (412B)
    MD5     746a735a44862385e795f9e8104cf7e2
    SHA1    1cee9e698a1d46878e6d1f53b10624a5ee6bda54
    SHA256  6fd86b07dc717cc119494c8f0ce5cc7e403228a63fa36a950b3efc2342505124
    SHA512  c79a0d915ac03f4a4a7098bf270b5b1c0bc9bcc752cbcbd2f2ff1e421bb02963bf222c74b15d648825e2e2b0151c002b958a0ddf0d93d003ac66a52ec9b7c952
  • C:\Users\Admin\AppData\Local\IconCache.db (15KB)
    MD5     b5c1a6c24c584a854af524bd48d89274
    SHA1    4ab43b50edd86dc34c02454d478d985d06da431c
    SHA256  206bb91a7a688f0cf0b29fc3d195863292609bb258ac1a5141b79487497be889
    SHA512  338bb07b506036f72aa55ea0cacfc33b6a80ec21e9ff2d109328ec16bf6dce35bc32d27965b27e13ad28903ea0c051770a8c5ad623acff159e46bad92cb7dc23
  • C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat (1011B)
    MD5     81f9851075469ba9f61771b9e78d2b53
    SHA1    d4590777887027d87cca1bf50e5a08d67d85f034
    SHA256  0ed39626930fa1dd78587200007b5ebc084eb11ae3c8f7b554a030c5317b768d
    SHA512  c32ae75ab67fa294b0d7b6a4faa4662a9484046dffdb1d54ca45aba6b87938726ca6d1f37fc5c0a91dabd3dc542ecfc84244b0553520e4418366c080f8de29cc
  • C:\Users\Admin\AppData\Local\Temp\{7AF78495-991C-4966-ABE1-413F0C0AE7B2}.png (6KB)
    MD5     099ba37f81c044f6b2609537fdb7d872
    SHA1    470ef859afbce52c017874d77c1695b7b0f9cb87
    SHA256  8c98c856e4d43f705ff9a5c9a55f92e1885765654912b4c75385c3ea2fdef4a7
    SHA512  837e1ad7fe4f5cbc0a87f3703ba211c18f32b20df93b23f681cbd0390d8077adba64cf6454a1bb28df1f7df4cb2cdc021d826b6ef8db890e40f21d618d5eb07a
  • C:\Users\Public\Desktop\Malware Protection.lnk (679B)
    MD5     be7aab2a43e4c95570307372a9163b4b
    SHA1    690f30b8a2d9770913e688dc2893104bc8920009
    SHA256  8c2b4486ec8953d2f276b657c4fa7ceae4012a71f54c87601adf8dae99286719
    SHA512  9044b8f9a3e8b1998ea13ec56dac8ea0611fa55f78d906ca9b0c5ff4ee7634009b4d397016f09296bc4e230de9dd7c580f8a2190f5438f486f16f565944297a5
  • memory/980-42-0x0000000004810000-0x0000000004811000-memory.dmp (4KB)
  • memory/1980-49-0x00000000047A0000-0x00000000047A1000-memory.dmp (4KB)
  • memory/2028-0-0x0000000000400000-0x00000000006E4000-memory.dmp (2.9MB)
  • memory/2028-8-0x0000000000400000-0x00000000006E4000-memory.dmp (2.9MB)
  • memory/2028-3-0x0000000000400000-0x00000000006E4000-memory.dmp (2.9MB)
  • memory/2028-2-0x00000000008E0000-0x00000000009E0000-memory.dmp (1024KB)
  • memory/2060-28-0x0000000004060000-0x0000000004061000-memory.dmp (4KB)
  • memory/2972-39-0x0000000004F60000-0x0000000004F61000-memory.dmp (4KB)
  • memory/4516-22-0x0000000002900000-0x0000000002901000-memory.dmp (4KB)
  • memory/4516-69-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-20-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-18-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-43-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-17-0x0000000000B80000-0x0000000000C80000-memory.dmp (1024KB)
  • memory/4516-15-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-57-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-64-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-65-0x0000000000B80000-0x0000000000C80000-memory.dmp (1024KB)
  • memory/4516-66-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-67-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-68-0x0000000002900000-0x0000000002901000-memory.dmp (4KB)
  • memory/4516-21-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-76-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-77-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-78-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-79-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-84-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-85-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-86-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-89-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-90-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-91-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)
  • memory/4516-92-0x0000000000400000-0x0000000000A0E000-memory.dmp (6.1MB)