7b6e9e2db641c88e98f324b92a88034a7ca19c3f5d180b7e6882a478fb8fcda8

Resubmissions

24/04/2024, 18:44

240424-xdfb2afb7x 7

24/04/2024, 18:17

240424-ww1j9aeg4z 7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vvchmqom.exe
Size

2.4MB
MD5

fef437e0d3b39c1d66940200a6ae92f7
SHA1

1a30b28813c5d153aa8335ecf1af0cdee90a2ccb
SHA256

7b6e9e2db641c88e98f324b92a88034a7ca19c3f5d180b7e6882a478fb8fcda8
SHA512

daa7354f2a3b0928645c1c0eed53ea46c41b4004eba11c5c19e73f49711e915ca5eea23169333b8599e6ed10e2d3312272bc647fbd94ccf2d6ae2443c4e19483
SSDEEP

49152:X640cBt1N6IQjfYuSP6bn5lvr8tsc4ABskrucI6fqc9kxoR4Holu:XD/t1N7uUg5lz8tsnA/iPJcqfolu

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vvchmqom.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vvchmqom.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5116	4212	WerFault.exe	84

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vvchmqom.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	vvchmqom.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Bios	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	vvchmqom.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	vvchmqom.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4212	vvchmqom.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
264	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4212	vvchmqom.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe
Token: SeIncBasePriorityPrivilege	264	mmc.exe
Token: 33	264	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
264	mmc.exe
264	mmc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\vvchmqom.exe
"C:\Users\Admin\AppData\Local\Temp\vvchmqom.exe"
1⤵
- Checks BIOS information in registry
- Writes to the Master Boot Record (MBR)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 764
  2⤵
  - Program crash
  PID:5116

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4212 -ip 4212
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/264-15-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-20-0x0000000002C90000-0x0000000002D90000-memory.dmp

Filesize
1024KB

Download
memory/264-14-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-23-0x00007FF96F9A0000-0x00007FF970461000-memory.dmp

Filesize
10.8MB

Download
memory/264-13-0x00007FF96F9A0000-0x00007FF970461000-memory.dmp

Filesize
10.8MB

Download
memory/264-19-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-18-0x00007FF4716C0000-0x00007FF4716D0000-memory.dmp

Filesize
64KB

Download
memory/264-8-0x00007FF96F9A0000-0x00007FF970461000-memory.dmp

Filesize
10.8MB

Download
memory/264-9-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-10-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-11-0x00007FF4716C0000-0x00007FF4716D0000-memory.dmp

Filesize
64KB

Download
memory/264-12-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-17-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/264-16-0x000000001CB30000-0x000000001CB40000-memory.dmp

Filesize
64KB

Download
memory/4212-2-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4212-29-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/4212-1-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4212-7-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4212-6-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/4212-4-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4212-24-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/4212-25-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/4212-27-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/4212-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/4212-26-0x0000000000400000-0x0000000000877000-memory.dmp

Filesize
4.5MB

Download
memory/4212-28-0x00000000030B0000-0x0000000004F31000-memory.dmp

Filesize
30.5MB

Download
memory/4212-0-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/4212-30-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download