2ba315ff4d5e4d85b85759fffad1152c3388a8e761c32dfde8c72fff1b96bfe5

Resubmissions

17-04-2024 07:33

240417-jdvvtsae31 10

17-04-2024 06:33

240417-ha7jsahe7s 10

Analysis

max time kernel
151s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x64/upd.exe
Size

1.4MB
MD5

31fee2c73b8d2a8ec979775cd5f5ced7
SHA1

39182a68bc0c1c07d3ddc47cd69fe3692dbac834
SHA256

d26a7f2d4f3521827201e6cdcd296f132c7d18c3a1ce70c24b423300cff326fe
SHA512

db51b602a8675641bc3a0a980a197243787ed12f5e0619cb1d390c91193d7e3447e3e86e2321c3ea273c6732b356003a249241d7d8a5699931810e5a35d5c650
SSDEEP

24576:kL/7n6lbcC8oblv1zj1SqdAGFQZIxvC45UJoe1Z:E6+C8o5tzjYq+ZIxL5UJoeL

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	upd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Executes dropped EXE 2 IoCs

pid	Process
2044	360TS_Setup.exe
1432	360TS_Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
4220	upd.exe
2044	360TS_Setup.exe
1432	360TS_Setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	upd.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\1713335922_0\360TS_Setup.exe	360TS_Setup.exe
File created	C:\Program Files (x86)\1713335922_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4220	upd.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4220	upd.exe
4220	upd.exe
4220	upd.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4220	upd.exe
4220	upd.exe
4220	upd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2044	360TS_Setup.exe
1432	360TS_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 2044	4220	upd.exe	88
PID 4220 wrote to memory of 2044	4220	upd.exe	88
PID 4220 wrote to memory of 2044	4220	upd.exe	88
PID 2044 wrote to memory of 1432	2044	360TS_Setup.exe	90
PID 2044 wrote to memory of 1432	2044	360TS_Setup.exe	90
PID 2044 wrote to memory of 1432	2044	360TS_Setup.exe	90

C:\Users\Admin\AppData\Local\Temp\x64\upd.exe
"C:\Users\Admin\AppData\Local\Temp\x64\upd.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\x64\360TS_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\x64\360TS_Setup.exe" /c:101 /pmode:2
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Program Files (x86)\1713335922_0\360TS_Setup.exe
    "C:\Program Files (x86)\1713335922_0\360TS_Setup.exe" /c:101 /pmode:2 /TSinstall
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
655B

MD5
221347e561553ca15f425f0c339f6d2a

SHA1
113b27109b71235d47fb0f0dabd768c373afc92c

SHA256
1e7111eca4eaf28e07dc55c9f0aaa18751978acecd2aea9628472251b82ce95f

SHA512
ef8bb1566ab6a844a05158fa725bb68cb9baaf2edbdf54ec8cc9729f2ebc07977e99e53e1ae2424976f0b237ac6e7e39cec0267d33bda3621247dac4142f0cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
a78c8cda43a8bd21ed73c2e8e74b32aa

SHA1
994584166233363e26dce5d8de717e10ca5d677f

SHA256
3ce606ddd340eb72ea585442f4fbecb56c215f729473f535eef6906edc2f7dd7

SHA512
261f25a55c06666ab630ac9b15c32449884a2f08dd44fdee62bed04d8658a0e52444bb2897b4e4274960e526e74ba180802010ae314cbcfc54f6ca3eee870248

Download Submit
C:\Users\Admin\AppData\Local\Temp\1713335922_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64\360TS_Setup.exe

Filesize
99.0MB

MD5
2262d2aa7ca436888e23d88b15b19383

SHA1
0d7f6fd75f71b8861718d79593f1930c40123b47

SHA256
bc120ec00d03c2d1c8be5053d48b9be4dac058a9ad8db8ce39e99174199b0100

SHA512
126a15f796d2814e6da92aeda1c9e336b8f078d76e8fa96956608e4b094fcbf290951ad0a07f8041d935d5cc64e36df535d2e6e253261ff567fa482227f8752e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{6D0BD64E-8EA6-4b20-A8FD-BEC9C5DA6609}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{97848479-F0BB-45fb-98F5-A036D7C71526}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
memory/4220-9-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads