f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7

General

Target

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Size

3.3MB
MD5

51e442e27e653595685490dc7c7855a5
SHA1

35106601e646459da88b75c2b8058ebbf745f957
SHA256

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7
SHA512

95742561022003be9bfbdaa1e9c15d77d2b75273f9965174d819490d362c54eea358e99c5b94e09f5c41c1399caa893afea2f2e90ce9d6209611248f54cfc27d
SSDEEP

98304:NQOH5raw1GoHKqUifIwY/L4a3X62BcFOg/9MRhM6+baj:NH3BHKqUaS/LO2BM9MDMF

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

description ioc process

File opened for modification \??\PhysicalDrive0 f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

2640 regedit.exe
Runs net.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

pid	process
2640	regedit.exe

Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

pid	process
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

pid	process
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

pid	process
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.execmd.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3020 wrote to memory of 2636	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	cmd.exe
PID 3020 wrote to memory of 2636	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	cmd.exe
PID 2636 wrote to memory of 1596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 1596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 1596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 1596	2636	cmd.exe	net.exe
PID 1596 wrote to memory of 1628	1596	net.exe	net1.exe
PID 1596 wrote to memory of 1628	1596	net.exe	net1.exe
PID 1596 wrote to memory of 1628	1596	net.exe	net1.exe
PID 1596 wrote to memory of 1628	1596	net.exe	net1.exe
PID 2636 wrote to memory of 2120	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2120	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2120	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2120	2636	cmd.exe	net.exe
PID 2120 wrote to memory of 2656	2120	net.exe	net1.exe
PID 2120 wrote to memory of 2656	2120	net.exe	net1.exe
PID 2120 wrote to memory of 2656	2120	net.exe	net1.exe
PID 2120 wrote to memory of 2656	2120	net.exe	net1.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	SecEdit.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	SecEdit.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	SecEdit.exe
PID 2636 wrote to memory of 2684	2636	cmd.exe	SecEdit.exe
PID 2636 wrote to memory of 2596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2596	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2596	2636	cmd.exe	net.exe
PID 2596 wrote to memory of 2848	2596	net.exe	net1.exe
PID 2596 wrote to memory of 2848	2596	net.exe	net1.exe
PID 2596 wrote to memory of 2848	2596	net.exe	net1.exe
PID 2596 wrote to memory of 2848	2596	net.exe	net1.exe
PID 2636 wrote to memory of 2092	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2092	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2092	2636	cmd.exe	net.exe
PID 2636 wrote to memory of 2092	2636	cmd.exe	net.exe
PID 2092 wrote to memory of 2716	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2716	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2716	2092	net.exe	net1.exe
PID 2092 wrote to memory of 2716	2092	net.exe	net1.exe
PID 2636 wrote to memory of 2640	2636	cmd.exe	regedit.exe
PID 2636 wrote to memory of 2640	2636	cmd.exe	regedit.exe
PID 2636 wrote to memory of 2640	2636	cmd.exe	regedit.exe
PID 2636 wrote to memory of 2640	2636	cmd.exe	regedit.exe
PID 3020 wrote to memory of 2472	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2472	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2472	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2472	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 2472 wrote to memory of 2584	2472	net.exe	net1.exe
PID 2472 wrote to memory of 2584	2472	net.exe	net1.exe
PID 2472 wrote to memory of 2584	2472	net.exe	net1.exe
PID 2472 wrote to memory of 2584	2472	net.exe	net1.exe
PID 3020 wrote to memory of 2612	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2612	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2612	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2612	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 2612 wrote to memory of 2680	2612	net.exe	net1.exe
PID 2612 wrote to memory of 2680	2612	net.exe	net1.exe
PID 2612 wrote to memory of 2680	2612	net.exe	net1.exe
PID 2612 wrote to memory of 2680	2612	net.exe	net1.exe
PID 3020 wrote to memory of 2448	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2448	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2448	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe
PID 3020 wrote to memory of 2448	3020	f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe
"C:\Users\Admin\AppData\Local\Temp\f5358c38641466c06cdd819a8f69eb93d208c3a9f222221cc7c6e0cf0ebbdfe7.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\¿ªÆô¹²Ïí.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\net.exe
NET USER Guest /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 USER Guest /active:yes
4⤵
PID:1628

C:\Windows\SysWOW64\net.exe
NET USER Guest /passwordreq:no
3⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 USER Guest /passwordreq:no
4⤵
PID:2656

C:\Windows\SysWOW64\SecEdit.exe
Secedit /configure /cfg "security.inf" /db secsetup.sdb /areas USER_RIGHTS /verbose
3⤵
PID:2684

C:\Windows\SysWOW64\net.exe
net user guest /active:yes
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest /active:yes
4⤵
PID:2848

C:\Windows\SysWOW64\net.exe
net user guest ""
3⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user guest ""
4⤵
PID:2716

C:\Windows\SysWOW64\regedit.exe
regedit /s ┐¬╞⌠╣▓╧φ.reg
3⤵
- Runs .reg file with regedit
PID:2640

C:\Windows\SysWOW64\net.exe
net start workstation
2⤵
- Suspicious use of WriteProcessMemory
PID:2472

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start workstation
3⤵
PID:2584

C:\Windows\SysWOW64\net.exe
net start "Computer Browser"
2⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Computer Browser"
3⤵
PID:2680

C:\Windows\SysWOW64\net.exe
net start server
2⤵
PID:2448

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start server
3⤵
PID:2488

C:\Windows\SysWOW64\net.exe
net start netbios
2⤵
PID:2520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start netbios
3⤵
PID:2948

C:\Windows\SysWOW64\net.exe
net share ±¾µØ£¨CÅÌ)=C:\ /grant:Guests,full /grant:Everyone,full
2⤵
PID:2496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share ±¾µØ£¨CÅÌ)=C:\ /grant:Guests,full /grant:Everyone,full
3⤵
PID:2992

C:\Windows\SysWOW64\net.exe
net share ±¾µØ£¨DÅÌ)=D:\ /grant:Guests,full /grant:Everyone,full
2⤵
PID:2116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share ±¾µØ£¨DÅÌ)=D:\ /grant:Guests,full /grant:Everyone,full
3⤵
PID:2924

C:\Windows\SysWOW64\net.exe
net share ±¾µØ£¨FÅÌ)=F:\ /grant:Guests,full /grant:Everyone,full
2⤵
PID:2620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share ±¾µØ£¨FÅÌ)=F:\ /grant:Guests,full /grant:Everyone,full
3⤵
PID:2196

C:\Windows\SysWOW64\net.exe
net share ÎïÀíÖ÷»ú×ÀÃæ=C:\Users\Admin\Desktop /grant:Guests,full /grant:Everyone,full
2⤵
PID:2964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share ÎïÀíÖ÷»ú×ÀÃæ=C:\Users\Admin\Desktop /grant:Guests,full /grant:Everyone,full
3⤵
PID:2904

C:\Windows\SysWOW64\cacls.exe
cacls C:\Users\Admin\Desktop /e /t /g everyone:F
2⤵
PID:2252

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\¿ªÆô¹²Ïí.bat
Filesize
242B

MD5
80f0e65f938e3259b19f89241858ae23

SHA1
f6d463a58007cc20b70988563c49b3410e68e92b

SHA256
49b26f11aa955b7db4acc775b09476638525772c1a09e7c31dfdca19f6973dba

SHA512
d51279e860cf401cba03c90d4edea4cfe408725b6a8737cfc3c63110f7f13f63f52ed350c2e79d1a287172d8c77d6a7dc658a1ac1d4867504a886aa108501d95

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3020-0-0x0000000000400000-0x0000000000C6A000-memory.dmp

Filesize
8.4MB

Download
memory/3020-2-0x0000000000400000-0x0000000000C6A000-memory.dmp

Filesize
8.4MB

Download
memory/3020-4-0x0000000000400000-0x0000000000C6A000-memory.dmp

Filesize
8.4MB

Download
memory/3020-3-0x0000000000400000-0x0000000000C6A000-memory.dmp

Filesize
8.4MB

Download
memory/3020-18-0x0000000000400000-0x0000000000C6A000-memory.dmp

Filesize
8.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads