1cdf0dcd13a46906d73588a4f2ef20637d25706ce90b53a7b6f1701c28cb3596

Resubmissions

26-03-2024 14:35

240326-ryecksfd5y 10

26-03-2024 14:27

240326-rse2xsfb8y 10

Analysis

max time kernel
178s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

*.*/update.exe
Size

744KB
MD5

288ad7c14b2e9cbfc8432d3d41d62164
SHA1

2138ba33796ed343fb01c03f4abfdbed30bfe151
SHA256

7e24716b753efa564cf6ace4abbe687a2ede68180140e4aaab8279b3328ababe
SHA512

6f045adea1a9d4c1a0ec414a77c1611687a7ec4ed23ffc1fda426a396ca4244f5b212a1189dc6fb804268a5d29cec3226ccd6d3418e7e5a9923cb0733caac70c
SSDEEP

12288:Yzki5f8eM8n7X0tYAY4+5684WFh5ecvSrW3yNdkeemwtuS9:OkE8eJnL02AYw84Wj5evNl0u

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

SinBa.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SinBa.exe
Drops file in Windows directory 1 IoCs

Processes:

SinBa.exe

description ioc process

File opened for modification C:\Windows\SinBa.INI SinBa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SinBa.exe

description	ioc	process
File opened for modification	C:\Windows\SinBa.INI	SinBa.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SinBa.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SinBa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SinBa.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

Processes:

SinBa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING\SinBa.exe = "1"	SinBa.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\SinBa.exe = "0"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\SinBa.exe = "0"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	SinBa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT\SinBa.exe = "1"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	SinBa.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\SinBa.exe = "10000"	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation\SinBa.exe = "1"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation	SinBa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	SinBa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	SinBa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_IMG\SinBa.exe = "0"	SinBa.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\SinBa.exe = "0"	SinBa.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

efsui.exe

pid process

1132 efsui.exe
1132 efsui.exe
1132 efsui.exe
1132 efsui.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

efsui.exe

pid process

1132 efsui.exe
1132 efsui.exe
1132 efsui.exe
1132 efsui.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

SinBa.exe

pid process

2972 SinBa.exe
2972 SinBa.exe
2972 SinBa.exe
2972 SinBa.exe
2972 SinBa.exe

pid	process
1132	efsui.exe
1132	efsui.exe
1132	efsui.exe
1132	efsui.exe

pid	process
1132	efsui.exe
1132	efsui.exe
1132	efsui.exe
1132	efsui.exe

pid	process
2972	SinBa.exe
2972	SinBa.exe
2972	SinBa.exe
2972	SinBa.exe
2972	SinBa.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

update.exe

description	pid	process	target process
PID 2508 wrote to memory of 2972	2508	update.exe	SinBa.exe
PID 2508 wrote to memory of 2972	2508	update.exe	SinBa.exe
PID 2508 wrote to memory of 2972	2508	update.exe	SinBa.exe
PID 2508 wrote to memory of 2972	2508	update.exe	SinBa.exe

C:\Users\Admin\AppData\Local\Temp\_._\update.exe
"C:\Users\Admin\AppData\Local\Temp\_._\update.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\_._\SinBa.exe
"C:\Users\Admin\AppData\Local\Temp\_._\SinBa.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\system32\efsui.exe
efsui.exe /efs /keybackup
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1132

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_._\D6D136F4-F73D-48C6-8C04-A4B028B7AA4D.dat.crypt
Filesize
145B

MD5
c401bac2d2a86b224fb1dd1640998958

SHA1
a34169c5a35ed141b61641a11c00f3d09cc382cb

SHA256
1e64fc6e9dee17e504699cbd4035564f6b00dfe927d8066c9f4abc89fd06b87c

SHA512
9ebd9cc8c68c1bec06477fcdb1f3e0cc7b22d471a4d4fa8fe78c145a82fc828a22f33b791602ffcaa7c7bc7bf7f4161aa2d50f006fc055ce278366ff83434402

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\D6D136F4-F73D-48C6-8C04-A4B028B7AA4D.dat.crypt
Filesize
453B

MD5
ad19e6ad5b02145efd35ef5563cc303b

SHA1
45fff7a10ce07e1978ed96212efbae8a5cb1d75c

SHA256
23bd1f5c43e0580d2f1f80df3dcaf7d5620ae09fc57b314f5a3fa470c1c330a6

SHA512
e4a4e0d846a426dfff9616124f04e040a00b779b18b5d0bc71ef613e9ba24e5f22cf45d518cb883731ceb8368714ede8b276488b7f3417855cd0ddf5af7e2a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\config.dat
Filesize
748B

MD5
837fdb188d6087b76e3f1b9eda177f18

SHA1
1781ad7569b617f6f74a57c812403e994f9b77ce

SHA256
ceea2c6c0a73e14fa3baee956e0a15721996d00b6c88ebfa2312fee6c4eb0cc3

SHA512
5d2cd8ad01315d753324a1c12165d3bccef3de438754d06699d6f88b9e367f50d6d2d561d226f884a8e00ad5f481f33f769e8b63376df1eb70e445349d519900

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\config.dat
Filesize
1KB

MD5
27c96f87b64b794e9ae43a7fb279344e

SHA1
d2bf26e6171cf80918b0af0c68c1ce80d5777b34

SHA256
253b37bfbb2ba5df0e7ef3bb1179766205a2a26220f31550ef1968b7999465b7

SHA512
26b9ae0837cdecea0c64d47827141c9f1547d2f4aef7ba02a818911f36b204bc117139368c4c2773563aef11694895b585af95e3112efe84d807d58c523f29f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\config.dat
Filesize
1KB

MD5
f43d1c6209dc542d2d416f00fbc6ff1a

SHA1
544bf9b84626a60527c24bbaf082fde63b9f652b

SHA256
c68225f244dfdf21822a46905d75e7c223a55e0e3f75caca55aeca808d473339

SHA512
d137707ac85d2cb1420c64b5ced0474b63aee71f2fcd18b7868d115a471e98bc79628b59d3eaf986b91f649b73a18041606051b0b83a20d8f48d06a91efdefcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\blocklist\blocklist.dat.tmp
Filesize
785B

MD5
c8a53e693ca4fb5d58b99aad262f9d8b

SHA1
531d1feeb81887ffe99906093137d73391dcc977

SHA256
774993c2f43b81361c7eec7d77767a2bdccc18eb704fc2c46310973a4810ad1f

SHA512
acd26eb988210113ac728b1c146764cc41787e27d6ff9b6d7b3667c260f0450251b38b716f8ce24d55a649b7252bbe9064f03cb3b49783641b26fa273e5d5ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\domain.txtGG
Filesize
127B

MD5
b29e2cbfa269c80bc8ae1f5c9df7f787

SHA1
22b9f84793f2e56a116822943ba31419ef728730

SHA256
8b9a18f8ab7cc377151deb7ddf3ff83435cd697aae1283dc2fa50e5298e3e1bc

SHA512
c64c7881b0c62b63ad92629772f070c0d4c2b99b97d303f4e294ab14061e8d421d24c5440615b5cd720a861854984a1e8b919fb7dae911e265db105cbe9255f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\domain.txtGG
Filesize
179B

MD5
cc80322245b5c9dd7271708f22d612dd

SHA1
0345e4c6c2e692e26583285664f32f6cc7dd10cb

SHA256
9411a789d7206633d2eb3e3f261106223cc09624fa9efa92b9817b7ea67e11a4

SHA512
92532d5680206fd7d1d7a32ae639f02bd2ddd524d7b2cb45a42070842eaa5a3cbf4c1ca11978b8e34047afff19e5a961ec1b57f6f26ae7ff24f420cc69189b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
92B

MD5
e36c9f2f02078a73cfc83634f7eff8df

SHA1
2a450bb4696d13cbd2f7813fbe9825a9cdbebaee

SHA256
6dde63a1882f7e8aeaca623bfe518e88210177045b9728c0e5d8f4c747fabf59

SHA512
db0994441883e7c1743e9eb0ee5b3794d3cd15b1253fd1004f080ea6d831f85b910169a6422189816f776a76aa162edbc57ad9e681e2af03e41bf952a15c4b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
389B

MD5
a7d8ec35df9ee486a7a6bebe4a3288fa

SHA1
4e891491a2655bf5ddf920bd21b298358ee6f1b5

SHA256
8de9657c4d7bd04266e88434ce46d60e2e9664a992c3b2fcabb62f4e8103e9cc

SHA512
3f7bc6ce3f26ac5e90dfc51937005a09a8279c2f24b46d847a491a5629551bf6c37f1f4bd33755c7cd2a7989df49f960b3ea38cf014e6f891b8006658b2ff45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
388B

MD5
1dce0cd82690197520a85895984ff20b

SHA1
9a9ac720bcba626daa07d13ce33a332c07ab0ed3

SHA256
34db6731822b8892a311c30740b3722e599cc1ebe8ed9aec63d5c84b8a5b3cf5

SHA512
d24d2a8642468fa400fb6ba08ce1fb1d852c3dfa5fc3c35e506ddfaad8534840cfcd858ea7754a617a1b23502057071d41d304594eb3fdae2d6edc64208c1978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
387B

MD5
33c529d1d4420be2e766df28de142f9f

SHA1
e2805cacf300f41bf370ae4bc527a58552965cad

SHA256
f2809d1fc77adc2f97c83817634429d4165a736a3aca9b8bb717b9691e573ace

SHA512
26ef99a424d7ffb4fc9d1c3f2926adf5409909297760cf0654b610958417fc23ffcc72209383392c32a96365695a3600d3f6872eff6b1bfe9b477e860f3e9123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
387B

MD5
712bc2f464ccef3f6b9a323f0a8ea81b

SHA1
b19b68dc0a67aa76fedd823c9f643aeb3ff044f1

SHA256
4d860d473fb6788bc5ed914a5357a7dcb45827f7b7bf47464e129ce70e920ca9

SHA512
9e6917eab5d026a06ba8cb6722d9038980b97f99026138007d877cbedf14b0929c544a5b35bd4a8a026280f85fbea520d1ab033e624d639264e005bd585f3912

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
386B

MD5
3707fe7933c99b0e8e1992599e5732ce

SHA1
cdc8ef2b213e6fd5eda3df205663d7b6caa24f4b

SHA256
ff05ea11550914328a42d054d45bd1c54c1337f3e23875f4d3886f7e193d1cb7

SHA512
0ab3c0bdcb242fddca20b5ccf59ee49eca0d5ac253e2c1a115dca84ba837e8a95572599f44ce0ac902502bdc8a897cc171f69106b8d09b22fab53a80ba79c474

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
385B

MD5
e143b57eb66bf5a1d1a23095b4a98743

SHA1
6f339fc69fa6707de4d5848d169da4bf6a5f9a6e

SHA256
c9e807b3d52600c5d1dfe0acfcb4af71741e12fc6c276e0c23fae83bd1b30e26

SHA512
5855db02f10c36dd284109dcae0edefe3532c5dd9699c04e2d7e29a01eae31646153af6e1266fd8e9b4d61d9c9ae4a211508135ecd6e7ae11f71c9fe0b530f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_._\local\homeurl\urlchk.ini
Filesize
416B

MD5
c65eaad99d7156f82d49538bcf347fb5

SHA1
4f7f4fc9d503e40f0df45cdedc1139c6527a599f

SHA256
829062ede9c5cf67a24e00020e091dd3435fcce01fa0852bd5f2b7ee2beb4b16

SHA512
38c3ced77c4a6868f1aea3cbae0a2511de5c207b7b41e041c2445227d4bc404f4dc637c5c4632d32e065f3d05c8e2554f6891f70816e40bb8c2763c80c263fa8

Download Submit
memory/1132-466-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/1132-467-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download