dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

Analysis

max time kernel
149s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
Size

1.5MB
MD5

cd4acedefa9ab5c7dccac667f91cef13
SHA1

bff5ce910f75aeae37583a63828a00ae5f02c4e7
SHA256

dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c
SHA512

06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1
SSDEEP

24576:3D1YS7FpyUxT3DC2C1zj1SqdAGFQZIx2C45UJoeXH:OQ5xT3DDazjYq+ZIwL5UJoe3

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe360TS_Setup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	360TS_Setup.exe

Executes dropped EXE 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

3780 360TS_Setup.exe
872 360TS_Setup.exe
Loads dropped DLL 3 IoCs

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe360TS_Setup.exe360TS_Setup.exe

pid process

4824 360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
3780 360TS_Setup.exe
872 360TS_Setup.exe

pid	process
3780	360TS_Setup.exe
872	360TS_Setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

360TS_Setup.exe360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	360TS_Setup.exe
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

Drops file in Program Files directory 2 IoCs

Processes:

360TS_Setup.exe

description	ioc	process
File created	C:\Program Files (x86)\1716521198_0\360TS_Setup.exe	360TS_Setup.exe
File opened for modification	C:\Program Files (x86)\1716521198_0\360TS_Setup.exe	360TS_Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

description pid process

Token: SeManageVolumePrivilege 4824 360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

description	pid	process
Token: SeManageVolumePrivilege	4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

pid	process
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

pid	process
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

360TS_Setup.exe360TS_Setup.exe

pid process

3780 360TS_Setup.exe
872 360TS_Setup.exe

pid	process
3780	360TS_Setup.exe
872	360TS_Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe360TS_Setup.exe

description	pid	process	target process
PID 4824 wrote to memory of 3780	4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe	360TS_Setup.exe
PID 4824 wrote to memory of 3780	4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe	360TS_Setup.exe
PID 4824 wrote to memory of 3780	4824	360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe	360TS_Setup.exe
PID 3780 wrote to memory of 872	3780	360TS_Setup.exe	360TS_Setup.exe
PID 3780 wrote to memory of 872	3780	360TS_Setup.exe	360TS_Setup.exe
PID 3780 wrote to memory of 872	3780	360TS_Setup.exe	360TS_Setup.exe

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780

C:\Program Files (x86)\1716521198_0\360TS_Setup.exe
"C:\Program Files (x86)\1716521198_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
2KB

MD5
28aca45e40fe41c868e60e8a67e074f5

SHA1
902be3327626226d31eb180690ff5483bd4ba528

SHA256
e0122a71a3d757ed067ab1ce1802dc92a5041b260d18390066b91806bcec99d8

SHA512
d7fe7e53dbe9bc387adf5bc70e24d13ffc9c9acbde20bd50defa6e9af590169651e349b9a416358bd79c51dc1604edfd966fd5cf297b35625e5d3a307a56e8c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
1KB

MD5
b54ee3141b59659af5e3f171445c5ece

SHA1
a63857f696eca4e315360dbbfeb2b3f83421b359

SHA256
f1b98092b580635f43d37e747b963bd80f39efbbe414633290c1be160c5ace1f

SHA512
66c1232d177c4352291f2edfbd051b40d6164c7cb7f87bc6a07408df90d53a90d67ef4f235f9ad99ab6dd3ab78cfdfaa5e5fb55b52939c3174e44cd8c4b7480b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_90887DD7920637A743EF36CB9A88B5D8
Filesize
488B

MD5
5cf74201c22f9da09212c6d7a201dd32

SHA1
4e3fbb6a827fbb028d62362426b2e511d2be86af

SHA256
21e4295993edd182c345f6405b4e45cad242501f9f89307e6841708a218cb5f3

SHA512
1d5f71752c050f7d78239536f82e7e42b865a86a26cf75af11dc8b8e3f8e83e323f8f8e8e85284089984466aed93a24a97ac3e52fb083d6dc38088be1f202b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize
482B

MD5
2c4057d5797d913ed6b56f5f56d57b92

SHA1
ccaba53ee52a28caedbdea19a60cb99450057ebc

SHA256
abc9a9a3f9b9815e5f5438a31ae88317ea9a06c57f15b43500c6145d66c93a15

SHA512
a188873092458a2138f7d65b46116e4d2de4490f1114768e18a69b50ecaa7ea849f5097cde1334e7417dc4f2f6ae178f7017a965f93c4c3302eb53898413dcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
656B

MD5
184a117024f3789681894c67b36ce990

SHA1
c5b687db3b27ef04ad2b2cbc9f4e523cb7f6ba7e

SHA256
b10d5fef165fc89e61cd16e02eac1b90b8f94ef95218bdd4b678cd0d5c8a925e

SHA512
354d3bbc1329cbbe30d22f0cf95564e44acc68d6fe91e2beb4584a473d320faf4c092de9db7f1f93cf0b235703fc8de913883985c7d5db6b596244771a1edaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
830B

MD5
e6edb41c03bce3f822020878bde4e246

SHA1
03198ad7bbfbdd50dd66ab4bed13ad230b66e4d9

SHA256
9fa80f0889358d9db3d249a2e747e27b7c01c6123b784d94d169c0e54cacf454

SHA512
2d71b7d50212f980e82562af95598c430aa0875f7a9d9cc670ba2cb1f63057fb26fd747a99cb4ca08f2355d002daa79bda2236b3ad9e37a3cfef32ae5420e2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1716521198_00000000_base\360base.dll
Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\{223C74C6-DE20-4dbc-BFDD-B1D9C577BC11}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CE48A519-8909-491f-8BEF-B80D319724B4}.tmp
Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
memory/4824-9-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download