dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16/05/2024, 12:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
Size

1.5MB
MD5

cd4acedefa9ab5c7dccac667f91cef13
SHA1

bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256

dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512

06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
SSDEEP

24576:3D1YS7FpyUxT3DC2C1zj1SqdAGFQZIx2C45UJoeXH:OQ5xT3DDazjYq+ZIwL5UJoe3

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1916	360TS_Setup.exe
1684	360TS_Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
1916	360TS_Setup.exe
1684	360TS_Setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1715861397_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1715861397_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1916	360TS_Setup.exe
1684	360TS_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1916	3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe	85
PID 3504 wrote to memory of 1916	3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe	85
PID 3504 wrote to memory of 1916	3504	dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe	85
PID 1916 wrote to memory of 1684	1916	360TS_Setup.exe	88
PID 1916 wrote to memory of 1684	1916	360TS_Setup.exe	88
PID 1916 wrote to memory of 1684	1916	360TS_Setup.exe	88

C:\Users\Admin\AppData\Local\Temp\dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe
"C:\Users\Admin\AppData\Local\Temp\dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Program Files (x86)\1715861397_0\360TS_Setup.exe
    "C:\Program Files (x86)\1715861397_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
2KB

MD5
8b5ed32c647258a7d0dbf7dd9017e1b8

SHA1
2176451a5fc1715061ae1d63431b582c58c865ce

SHA256
70d8966bebe92bb101982f22563da3df6caa3fcc066a37078939386cb7485758

SHA512
6675efc8d8160d35e743b76a129ce856bdf8b603d6fa89fa4c5adeb475e74fbd89c7633c96411da1c8294343a66b5945058c91e531c8a153666bdac551ecaf56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
133d53b2000db065d95a086304953d29

SHA1
dd9aaba87a5b2e840ea35e3c2ace5a8717f33784

SHA256
5504a66e5b782564a3e8990573d89850c6aef93f9da69bec8ddde2a3ffaa64e3

SHA512
7c22a122f645d7c423413ba7117fa1b22c53b1af3f741ae195e163ed45e1e7b8dd1d062e6249d54c285e8971968d4707070e6174a5b67e2a7903dc1646d65a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8

Filesize
488B

MD5
e19618710d34dce784c4550e1b81e3ee

SHA1
3cbe7b411e551d244e798cba06e68db576d6e304

SHA256
88004fedcb3cb4aff9204afcf5f935d7ace853c162e596aa0b7189755bb86ba9

SHA512
97c543406808d1304f18c4285001dac6ef293165aedcb639170c9f2c525bea9ca334c44be50e8a6d3a1293f2f62014bc1a2f70b74d23eb4f836a718d17e83e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
3d9dc1b8d79865d09ea4ec61ffca523b

SHA1
a1e8df6a82508d3dea5c38184837e8b9893004f0

SHA256
ba4eaf5acf2810432e342ffda3f5d55819c48cd1d814038ae9d9407f4117f68b

SHA512
c7ead8bbb45c88cc7894d029a943b28dc7cfab63b4dcdc005371435d3610a2d8904ef29df46a95606276adaa3582d5b5867be6bfdbaa0dcc869ad16b87aff918

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1715861397_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{36C6ACEB-7882-4452-9B15-13F6C00E1F91}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{537B2FCC-712A-4320-9E8B-66A463E8F706}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
memory/3504-13-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download
memory/3504-102-0x0000000003410000-0x0000000003411000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads