20020cf5423afd089b6c627ab73db019727ba97a0f1916413a7ded2a2142ef25

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instbeta.exe
Size

3.9MB
MD5

8ab0afae7cd5e71782005780e3213cc3
SHA1

994d71d897fb14501fe94de2c8bd130474f8aeab
SHA256

20020cf5423afd089b6c627ab73db019727ba97a0f1916413a7ded2a2142ef25
SHA512

937f0ca24cbdd2918081a718ac843713e5cd56ed8e9260c3781c1c8e801cf83820e9d7d567c418e3d4bc19b46b201df9fe52c71861ce0d34400ebad68b834c02
SSDEEP

98304:36xwG+U3X+4FL8VtL0hviDfHrafY0kJIKUjFB:SwxUe4yVBDfLa9bD

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

instbeta.exe

pid process

2036 instbeta.exe
2036 instbeta.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

instbeta.exe

description ioc process

File opened (read-only) \??\F: instbeta.exe
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

instbeta.exe

description ioc process

File opened for modification \??\PhysicalDrive0 instbeta.exe
File opened for modification \??\PHYSICALDRIVE0 instbeta.exe

pid	process
2036	instbeta.exe
2036	instbeta.exe

description	ioc	process
File opened (read-only)	\??\F:	instbeta.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	instbeta.exe
File opened for modification	\??\PHYSICALDRIVE0	instbeta.exe

Drops file in Program Files directory 2 IoCs

Processes:

instbeta.exe

description	ioc	process
File created	C:\Program Files (x86)\360\360Safe\{1C2E12E7-8E6E-4992-9A56-DE1888F542E2}.tf	instbeta.exe
File created	C:\Program Files (x86)\360\360Safe\{03178ED5-AC83-4c3a-B4C6-B19C240B3A7D}.tf	instbeta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

instbeta.exe

pid process

2036 instbeta.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

instbeta.exe

description pid process

Token: SeManageVolumePrivilege 2036 instbeta.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

instbeta.exe

pid process

2036 instbeta.exe
2036 instbeta.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

instbeta.exe

pid process

2036 instbeta.exe
2036 instbeta.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

instbeta.exe

pid process

2036 instbeta.exe

pid	process
2036	instbeta.exe

description	pid	process
Token: SeManageVolumePrivilege	2036	instbeta.exe

pid	process
2036	instbeta.exe
2036	instbeta.exe

pid	process
2036	instbeta.exe
2036	instbeta.exe

pid	process
2036	instbeta.exe

C:\Users\Admin\AppData\Local\Temp\instbeta.exe
"C:\Users\Admin\AppData\Local\Temp\instbeta.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll

Filesize
1.4MB

MD5
a2ff2c72e739e0cf4c73b623444ca39d

SHA1
ff886e63c894a20f30c136a8264cfa33d41b8331

SHA256
c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

SHA512
844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\NewInstallAir\NewInstallAir.ui

Filesize
1.1MB

MD5
d34c31255bf6d5c6085a0ae3bcb5d26c

SHA1
09cba08569047a67d9b6426bdd44c483f0af462e

SHA256
ea5961d466942b8cb96bf9c1fb2a22bc7a913077978e64e1b1e7621b88fba394

SHA512
d50b0107c76ec7ff6ccff370ce91181050a0febda1caab58442fc79f6243b45e4f77494af890c6b3f431cb41f2ccbfc24176d28983652ad09a22788d99d687c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\themes\theme_NewInstallAir.xml

Filesize
27KB

MD5
d9ac7a98975e8073a3fa08af3bdeeb1a

SHA1
c05861e7e23b08cd77ce6e43d8ba101008646e3d

SHA256
8ab731632b80ecd8c91071c36d12edfdad404ad4debbd663023360278a614817

SHA512
8fa58ddf1607e40262b032da6d69dacd8eca35da5a0ab5c9a1441469704aad12ef4807b7fecdb22740d0191da2ee32fad5b8e96d298f78c07889bef8bf82a1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\{C8813D5D-DC18-4de6-AE54-644682CD3141}.tmp\360P2SP.dll

Filesize
688KB

MD5
d875875eb3282b692ab10e946ea22361

SHA1
34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

SHA256
0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

SHA512
972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

Download Submit
memory/2036-34-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2036-51-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download