a6f7221ed909db38527eb39adcab838385f16e9fbb4adb97c2398038a15d6152

Resubmissions

05-05-2024 15:15

240505-snbdlsdf6x 6

05-05-2024 15:12

240505-sln7padf2x 6

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

12KB
MD5

6c50b0f22b475bafa844b85eec36368d
SHA1

922bbaec4374ea97e7e9bf96e544026731614e0d
SHA256

a6f7221ed909db38527eb39adcab838385f16e9fbb4adb97c2398038a15d6152
SHA512

708f6806ac40a472762e9d01878e3b4273b0bfa3dcbcf54b45109393b6928d0dfd8a03ab198853eccf5ee85d3e4992912a3023d947afb6f6c86daaf4fe5a2f12
SSDEEP

192:m01syrRVPCNHSjtrjzxJ7xjWJLsjO9bhv63c1sOPmVR1CH9r9xYuucl7E5pz6fMg:mQsyDPCNHSjhzxJFKJLsj4bhv63cOOJS

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	test.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593956849782693"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	chrome.exe
464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 464 wrote to memory of 3512	464	chrome.exe	101
PID 464 wrote to memory of 3512	464	chrome.exe	101
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 5072	464	chrome.exe	102
PID 464 wrote to memory of 1628	464	chrome.exe	103
PID 464 wrote to memory of 1628	464	chrome.exe	103
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104
PID 464 wrote to memory of 1924	464	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:2368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb463cab58,0x7ffb463cab68,0x7ffb463cab78
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:2
  2⤵
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2232 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4376 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4572 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5000 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4688 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4888 --field-trial-handle=1896,i,13729558218702331478,12997469189644006459,131072 /prefetch:1
  2⤵
  PID:4812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7c6807ef3a7a04dca2dcfdcdc22a5406

SHA1
ffed6c1f8148437337965566ecadbd6612a330b4

SHA256
78bdf1a5cdc29bbcb10f29b8c7570cfadaffabff56add5b1f949980ce66cb3a6

SHA512
449b8fcced72a8fdab2193988e6693404298056b76a1de24018fbc46fdd8827e4260d5f1ed919ed1f747e3e341286a00210f49ce5326142d008eb277203726bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a5d59c3351f1af2b4910df708c9913d7

SHA1
2b7dc6f4f18f5440e403b85f95caa9a41f09ca19

SHA256
7c32e8372aefa397bc62b65936fd327c5016772afa2249a89a3ef0421face5b6

SHA512
0af0bbbd267ff30f7adf9d0e597e8a624cc2cca0fa95f1c1effff08ae4692b4878a9703d139552e1c82fb110788fcf64627faab82c5bb751c4ecaa5f872f2d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
1fae2a7cc9e7a004026e36a8aec162f3

SHA1
9e7d3215e6814e9f6e64ed37580dddf6a2ad2d45

SHA256
45b72716d9ba87ebc7519396d0bb6af6df41a01350baf395d34b3b661d572460

SHA512
2564353d805df2a4342baf8dd3f90287746b1d527d0f1146ab8e19be37f8efefb0c44671ffb2799a8c9a336114537852a6e9767f927318e96a1be2999f5d72d3

Download Submit