913ecfd11233aba6a8af3480baa08d21d4d34729891e7caf840198393fc135d9

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Box/4399Box.exe
Size

2.3MB
MD5

9b64457f5165b190bde14ac4127add13
SHA1

0af29175fd6d038d1e9e37398db71bc5deb77fc6
SHA256

40b0d852bc012e0a7e5b87f890d2119a7a921b22f02d42f36807aaf642001fef
SHA512

a15a79809c3b720165bb25e000eee38f048e25700ad0053e0b0bf24d36806bab2042d5b6de9d7cef9fbd7df7df6537a2b9a919451d79ee445ac577f2a5e9f4cf
SSDEEP

49152:lMFhc8uGbRxvKMQE1jcZ++p5AeD/NrenT:moXGXvKMQfDbN

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

4399Box.exe

description ioc process

File opened for modification \??\PhysicalDrive0 4399Box.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	4399Box.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

4399Box.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	4399Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	4399Box.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	4399Box.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	4399Box.exe

Modifies registry class 17 IoCs

Processes:

4399Box.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\box\shell\open\Command	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\box\shell	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\box\ = "URL:????????"	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\ = "URL:????????"	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\box	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\box\shell\open	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\box\URL Protocol	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\box\DefaultIcon	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\box\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Box\\4399Box.exe"	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\Shell\Open	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Box\\4399Box.exe\" \"%1\""	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\box\shell\open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Box\\4399Box.exe\" \"%1\""	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\box\shell\ = "open"	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\Shell\Open\Command	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\Shell	4399Box.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399\URL Protocol	4399Box.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YX4399	4399Box.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4399Box.exe

pid process

1752 4399Box.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4399Box.exe

pid process

1752 4399Box.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

4399Box.exe4399Panel.exe4399Panel.exe4399Live.dll

pid	process
1752	4399Box.exe
1752	4399Box.exe
1752	4399Box.exe
1752	4399Box.exe
1752	4399Box.exe
1752	4399Box.exe
584	4399Panel.exe
584	4399Panel.exe
1968	4399Panel.exe
1968	4399Panel.exe
1752	4399Box.exe
2768	4399Live.dll
2768	4399Live.dll
1752	4399Box.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4399Box.exe

description	pid	process	target process
PID 1752 wrote to memory of 584	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 584	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 584	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 584	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 1968	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 1968	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 1968	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 1968	1752	4399Box.exe	4399Panel.exe
PID 1752 wrote to memory of 2768	1752	4399Box.exe	4399Live.dll
PID 1752 wrote to memory of 2768	1752	4399Box.exe	4399Live.dll
PID 1752 wrote to memory of 2768	1752	4399Box.exe	4399Live.dll
PID 1752 wrote to memory of 2768	1752	4399Box.exe	4399Live.dll

C:\Users\Admin\AppData\Local\Temp\Box\4399Box.exe
"C:\Users\Admin\AppData\Local\Temp\Box\4399Box.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752

C:\Users\Admin\AppData\Local\Temp\Box\4399Panel.exe
C:\Users\Admin\AppData\Local\Temp\Box\4399Panel.exe -4399Box
2⤵
- Suspicious use of SetWindowsHookEx
PID:584

C:\Users\Admin\AppData\Local\Temp\Box\4399Panel.exe
C:\Users\Admin\AppData\Local\Temp\Box\4399Panel.exe -4399Box
2⤵
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Users\Admin\AppData\Local\Temp\Box\4399Live.dll
C:\Users\Admin\AppData\Local\Temp\Box\4399Live.dll
2⤵
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\4399Box\main.ini

Filesize
81B

MD5
8a83c2fc7ef4006450a3941f1d648693

SHA1
91c9f4e1b7093132477d110af4b82a86b27ccb30

SHA256
29f6b40231b2ba32df12741fda8e0bf13624320879fd5f12025698e141a609ae

SHA512
fcdabb34682c7c5112d72b65424fd9c3e8a018b1c4884013d7c8d8c220b6e2f329d24f89334e4d4a71a0edb5393d57ed4948e199f02247ab3a552930fc03e493

Download Submit
C:\ProgramData\4399Box\task\joined

Filesize
45B

MD5
1fe3ac88a035769eb5228b4ebe4f6dcd

SHA1
2bcf0bb70483a4d0a82cd8694dd8a175dee3f824

SHA256
06aae9b00800bfe90005bd1af97d220a8f93c57445c73d3709d4a9ed009a123d

SHA512
0991f5da9b3f26eaf03ea8569b38b1997bf74a34a6622419e48a44e57e7262bbd94bffab8fe906292dfb8061905ce23a4e4630524a8a3a93a57b5f8914be3f81

Download Submit
C:\ProgramData\4399Box\task\wait

Filesize
32B

MD5
645c7cf39de437cd3aff5e17201df2a0

SHA1
f73a2d2c89a878e7ba6d57c5360a6e212c662ead

SHA256
16c48607a3873cb60a57dd6aef02e90473f1bec389bf361c7f779158c0c529d2

SHA512
2acb0ff4b49843bafb8c4b344e07d4ffc77c5f36753bf5c033df2beff11f8e94e1b6fd73d4002b64791fbe63e70d6cbb3cac48ecb029711f799a643a8bca607f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Box\Config\config.dll

Filesize
1KB

MD5
4bd6361eaf1ac1b5d264cc703ef61de1

SHA1
9755e767d425fbdf8d0819c31f4b2cad03ffbc6d

SHA256
edf4cc8c2c917e37e254a1689433957b75d402afe3a42676845ae6fe10c07205

SHA512
75800c8b5f450494577ce9197288124abbcb2775915caf3475f622d0559fcbc1e13cd9a3d6ddff67aa639b6abb2c3b6feb112c47b83333e177b93b4b6c5222e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Box\Config\config.dll

Filesize
746B

MD5
db1ba8b432445321ac70e7fa1f8af63e

SHA1
4af0a58e6c0c31db460224aadc0774fae132e6a0

SHA256
4da49bc199662be1c7eb49e8a406c82cc2660cba6f5d26a7d320683393c627b8

SHA512
3f432e3aed401102b92b93ea15df6be9474d805445bb3a9910a771361cd49f71f1f77d54637c5691cb904d96f5a522aac55d979642e0f169c2d8b5efff71ce07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Box\Config\config.dll

Filesize
1KB

MD5
b2045cb7aef41ec009a4de36e47c12f3

SHA1
3d2f2380ef39adf8049a8a6e97626fd465e592d8

SHA256
d3a77ca245fb422505354e0a6f24e8745e06c9c3fefb7c8ce8e5038636f7fe23

SHA512
bc0ca88f3d70357159935af281de4bca49ec4eaf710afbdf9e0e24293a4d3685a53506de853eb6e831e76f150550a4bf2bc17a393ab0c98a465e397d88911533

Download Submit
memory/584-90-0x0000000000260000-0x0000000000296000-memory.dmp

Filesize
216KB

Download
memory/584-92-0x0000000000360000-0x0000000000385000-memory.dmp

Filesize
148KB

Download
memory/584-88-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1752-117-0x0000000005B70000-0x0000000005B90000-memory.dmp

Filesize
128KB

Download
memory/1752-118-0x0000000005B70000-0x0000000005B90000-memory.dmp

Filesize
128KB

Download
memory/1752-173-0x0000000005B70000-0x0000000005B90000-memory.dmp

Filesize
128KB

Download
memory/1968-99-0x0000000000380000-0x00000000003A5000-memory.dmp

Filesize
148KB

Download