Overview

overview

7

Static

static

1

instbeta.exe

windows7-x64

7

instbeta.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-05-2024 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    instbeta.exe

  • Size

    3.9MB

  • MD5

    8ab0afae7cd5e71782005780e3213cc3

  • SHA1

    994d71d897fb14501fe94de2c8bd130474f8aeab

  • SHA256

    20020cf5423afd089b6c627ab73db019727ba97a0f1916413a7ded2a2142ef25

  • SHA512

    937f0ca24cbdd2918081a718ac843713e5cd56ed8e9260c3781c1c8e801cf83820e9d7d567c418e3d4bc19b46b201df9fe52c71861ce0d34400ebad68b834c02

  • SSDEEP

    98304:36xwG+U3X+4FL8VtL0hviDfHrafY0kJIKUjFB:SwxUe4yVBDfLa9bD

Score
7/10
bootkitpersistence

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\instbeta.exe
    "C:\Users\Admin\AppData\Local\Temp\instbeta.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:4804

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\{7649D870-E9BC-4d94-9006-41FF68311504}.tmp\360P2SP.dll
    Filesize

    688KB

    MD5

    d875875eb3282b692ab10e946ea22361

    SHA1

    34bcef8a8cb0e1db44671892ac3cbd74d3c541a8

    SHA256

    0eca2e140f973b2011c633d4d92e512a1f77e1da610cfe0f4538c0b451270016

    SHA512

    972466310d3c145141320584b5f3e431c6888bda2ba1036f85e68e534ed6fb97ba04cbd46d8d9c401dc5857100dc1bff1bad82b50514f3e5c582522f22fd2b5c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{A44B7723-4283-41b8-B9C0-6B1983C61382}.tmp\sites.dll
    Filesize

    1.4MB

    MD5

    a2ff2c72e739e0cf4c73b623444ca39d

    SHA1

    ff886e63c894a20f30c136a8264cfa33d41b8331

    SHA256

    c1eb83993c85e01ee6ae84eb6e05744ff8c3ccc02c41d09c22286e3012ef46fc

    SHA512

    844dab35a1625d5bf1bd814a36fb80d5670d3dfee5cf65ad8be53784b486dcc08898b7577a323c7c7e1e83655f861ea86c5453cfa4c3d55353d329ef3af6320b

    Download Submit

  • memory/4804-42-0x0000000004D70000-0x0000000004D71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4804-47-0x0000000004D70000-0x0000000004D71000-memory.dmp

    Filesize

    4KB

    Download