Overview

overview

7

Static

static

3

fc008e3aa4...18.exe

windows7-x64

7

fc008e3aa4...18.exe

windows10-2004-x64

7

$PLUGINSDI...RL.dll

windows7-x64

3

$PLUGINSDI...RL.dll

windows10-2004-x64

3

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$SMPROGRAM...��.lnk

windows7-x64

3

$SMPROGRAM...��.lnk

windows10-2004-x64

3

ReflexiveA...de.dll

windows7-x64

1

ReflexiveA...de.dll

windows10-2004-x64

1

SDL.dll

windows7-x64

1

SDL.dll

windows10-2004-x64

1

SDL_image.dll

windows7-x64

1

SDL_image.dll

windows10-2004-x64

1

SDL_mixer.dll

windows7-x64

1

SDL_mixer.dll

windows10-2004-x64

1

SDL_ttf.dll

windows7-x64

1

SDL_ttf.dll

windows10-2004-x64

1

bbb.exe

windows7-x64

7

bbb.exe

windows10-2004-x64

7

jpeg.dll

windows7-x64

3

jpeg.dll

windows10-2004-x64

3

libpng1.dll

windows7-x64

1

libpng1.dll

windows10-2004-x64

1

uninst.exe

windows7-x64

7

uninst.exe

windows10-2004-x64

7

zlib.dll

windows7-x64

3

zlib.dll

windows10-2004-x64

3

�...��.lnk

windows7-x64

3

�...��.lnk

windows10-2004-x64

3

Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-04-2024 05:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bbb.exe

  • Size

    1.5MB

  • MD5

    5a090e5cc569ba0021df79115256d0b4

  • SHA1

    7949b5a3ca432d9d63201ce29810cfdafbde05ce

  • SHA256

    9b8af759ea2c190423291db0d14aa4e68f78ab80f43372efddaa445b332b5b8e

  • SHA512

    2d7f854d04652aaeeb92738cb56a93d440e1097ba70b89d2a77c4888006fcd7fb454018fbc09d56f3e23523eb5c4c5e35078543866823da3ca1161daa9882575

  • SSDEEP

    49152:hN8BXjYmjv39rA5cHB0jIQKf0DjzPhMVkj0fvoX4QIrx:haBX0mjSmh0jIHf0DjzPhMVkj0fvoX4J

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbb.exe
    "C:\Users\Admin\AppData\Local\Temp\bbb.exe"
    1⤵
    • Checks BIOS information in registry
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1644
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4b8 0x3e4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\bbb.log
    Filesize

    1KB

    MD5

    5f70c8da13c10873e72b8280971e4cd4

    SHA1

    93e6cba4a0b78f53635e8b65c3a0b190bdffce75

    SHA256

    4ed25a54e4dc3d2d4773e498e8a6c8caa42797f9926c8fd4202a22035963fa07

    SHA512

    e4663aa067164bad270b4e55f267931aa6b523a32656f1b6f42bf96c0e66e7414e9e5f6063824de3664c6d78e1bd1174893b799d1a1cc9bfb93f8b1da39fb974

    Download Submit
  • memory/1644-0-0x0000000000400000-0x0000000000592000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1644-1-0x0000000000F20000-0x0000000000F5F000-memory.dmp
    Filesize

    252KB

    Download
  • memory/1644-2-0x0000000000F80000-0x0000000000FCC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1644-3-0x0000000000FD0000-0x0000000000FEB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1644-5-0x0000000001010000-0x0000000001037000-memory.dmp
    Filesize

    156KB

    Download
  • memory/1644-4-0x0000000000FF0000-0x0000000001001000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1644-15-0x0000000002810000-0x000000000299A000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1644-51-0x0000000000400000-0x0000000000592000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1644-52-0x0000000064F40000-0x0000000064F67000-memory.dmp
    Filesize

    156KB

    Download