ebda9364f0976772fcbe06d851c378e0cabd892d0bc46b7bcf63b3ead2fcd235

Analysis

max time kernel
141s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d524eeff5817495b18ded0a5ec9f4c2a.exe
Size

468KB
MD5

d524eeff5817495b18ded0a5ec9f4c2a
SHA1

a7a7af62f02f2e1ce6d1d3879f53839b653f5cf3
SHA256

ebda9364f0976772fcbe06d851c378e0cabd892d0bc46b7bcf63b3ead2fcd235
SHA512

77e5d8d0ab03c8d205630420e7cf34e2749bb5921df82fba5d787aa5bf2fd6ff776a66b00c7d8260a19c036f1cd623a72f7fd644a75d3ed299aae142b8eaff07
SSDEEP

12288:qb7jkD3v0VBRxE5MBGlcM7UdrbK7UZWG1j3FLiUh/:qb3w3v8BRqEM7UdqU1j35i0

Score

7^/10

bootkit persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2428	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2540	GHFHGJHNSSJDW.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	d524eeff5817495b18ded0a5ec9f4c2a.exe
File opened for modification	\??\PhysicalDrive0	GHFHGJHNSSJDW.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	GHFHGJHNSSJDW.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GHFHGJHNSSJDW.exe	d524eeff5817495b18ded0a5ec9f4c2a.exe
File created	C:\Windows\HKFX2008.BAT	d524eeff5817495b18ded0a5ec9f4c2a.exe
File created	C:\Windows\GHFHGJHNSSJDW.exe	d524eeff5817495b18ded0a5ec9f4c2a.exe

Modifies data under HKEY_USERS 28 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecisionTime = 206ee8d6b179da01	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e\WpadDecisionReason = "1"	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e\WpadDecisionTime = e015690cb279da01	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	GHFHGJHNSSJDW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadNetworkName = "Network 3"	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecision = "0"	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GHFHGJHNSSJDW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	GHFHGJHNSSJDW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e\WpadDetectedUrl	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecisionReason = "1"	GHFHGJHNSSJDW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\3e-76-2a-34-08-3e	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e\WpadDecisionTime = 206ee8d6b179da01	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{46194884-D124-4814-8B9C-EFCF19A4046D}\WpadDecisionTime = e015690cb279da01	GHFHGJHNSSJDW.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	GHFHGJHNSSJDW.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-76-2a-34-08-3e\WpadDecision = "0"	GHFHGJHNSSJDW.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GHFHGJHNSSJDW.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	GHFHGJHNSSJDW.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	d524eeff5817495b18ded0a5ec9f4c2a.exe
Token: SeDebugPrivilege	2540	GHFHGJHNSSJDW.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2540	GHFHGJHNSSJDW.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2544	2540	GHFHGJHNSSJDW.exe	29
PID 2540 wrote to memory of 2544	2540	GHFHGJHNSSJDW.exe	29
PID 2540 wrote to memory of 2544	2540	GHFHGJHNSSJDW.exe	29
PID 2540 wrote to memory of 2544	2540	GHFHGJHNSSJDW.exe	29
PID 2280 wrote to memory of 2428	2280	d524eeff5817495b18ded0a5ec9f4c2a.exe	30
PID 2280 wrote to memory of 2428	2280	d524eeff5817495b18ded0a5ec9f4c2a.exe	30
PID 2280 wrote to memory of 2428	2280	d524eeff5817495b18ded0a5ec9f4c2a.exe	30
PID 2280 wrote to memory of 2428	2280	d524eeff5817495b18ded0a5ec9f4c2a.exe	30

C:\Users\Admin\AppData\Local\Temp\d524eeff5817495b18ded0a5ec9f4c2a.exe
"C:\Users\Admin\AppData\Local\Temp\d524eeff5817495b18ded0a5ec9f4c2a.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\HKFX2008.BAT
  2⤵
  - Deletes itself
  PID:2428

C:\Windows\GHFHGJHNSSJDW.exe
C:\Windows\GHFHGJHNSSJDW.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GHFHGJHNSSJDW.exe

Filesize
468KB

MD5
d524eeff5817495b18ded0a5ec9f4c2a

SHA1
a7a7af62f02f2e1ce6d1d3879f53839b653f5cf3

SHA256
ebda9364f0976772fcbe06d851c378e0cabd892d0bc46b7bcf63b3ead2fcd235

SHA512
77e5d8d0ab03c8d205630420e7cf34e2749bb5921df82fba5d787aa5bf2fd6ff776a66b00c7d8260a19c036f1cd623a72f7fd644a75d3ed299aae142b8eaff07

Download Submit
C:\Windows\HKFX2008.BAT

Filesize
190B

MD5
cf4a9f6466651221b6eed2de9145f9db

SHA1
62a747af039b4caaf62862d465b717dcc298d405

SHA256
8fca9a52a9c049b228eee43924291b282149fcb96a7affe16ad631d195be92c1

SHA512
3ef1e6ff2f81ce2e0c220733811599c78b2153e46fdbb331ec8554807b5230a007b87ac40cf0700ade0f2574942f6c47df591c12372f13faa811173aba9fa0ee

Download Submit
memory/2280-10-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2280-7-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2280-14-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2280-13-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2280-15-0x0000000002F00000-0x0000000002F01000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/2280-2-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2280-8-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2280-19-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2280-18-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2280-20-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2280-49-0x0000000000320000-0x000000000035A000-memory.dmp

Filesize
232KB

Download
memory/2280-48-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2280-0-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2540-29-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2540-27-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2540-26-0x00000000007B0000-0x00000000007B1000-memory.dmp

Filesize
4KB

Download
memory/2540-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2540-24-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2540-23-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2540-31-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2540-34-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2540-33-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2540-32-0x00000000007C0000-0x00000000007C1000-memory.dmp

Filesize
4KB

Download
memory/2540-38-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/2540-37-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/2540-36-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/2540-39-0x0000000000330000-0x000000000036A000-memory.dmp

Filesize
232KB

Download
memory/2540-40-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2540-28-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2540-30-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2540-22-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2540-51-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/2540-53-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/2540-56-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads