Analysis

  • max time kernel
    92s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-06-2024 11:34

General

  • Target

    31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe

  • Size

    13.6MB

  • MD5

    6b4517207feb4de39ab3fd702bdb7287

  • SHA1

    59da9861323d5b1c9308e5272436b53c138494a4

  • SHA256

    31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14

  • SHA512

    f16fb22de5842a191db72ec747c667bcf05059abe03a8ab948a9e616c0a39ccc126cec3bd7b0e631ba7542b5eec97154856902c59a5cb04890afae99a43d9da0

  • SSDEEP

    393216:uX3gUfZgh5sqbgpD+wRsB7CiY0SQZDdQ0KJAUxf38bG:uAUQsmgJ+wQ9YDCC0KGO3oG

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Enumerates connected drives 3 TTPs 25 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 23 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 32 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe
    "C:\Users\Admin\AppData\Local\Temp\31e8dda13e7a2e04829a653f8d30ddea96763b4045c6f9123160539cbf7b1e14.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3732
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="winrdlv3" dir=in action=allow program="C:\Windows\system32\winrdlv3.exe"
        3⤵
        • Modifies Windows Firewall
        PID:5020
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3780
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="winrdlv3" dir=out action=allow program="C:\Windows\system32\winrdlv3.exe"
        3⤵
        • Modifies Windows Firewall
        PID:4756
    • C:\Program Files (x86)\Common Files\System\systecv3.exe
      "C:\Program Files (x86)\Common Files\System\systecv3.exe" SW_HIDE
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1720
    • C:\Program Files (x86)\Common Files\System\winrdgv3.exe
      "C:\Program Files (x86)\Common Files\System\winrdgv3.exe" SW_HIDE
      2⤵
      • Executes dropped EXE
      PID:4176
    • C:\Windows\SysWOW64\winrdlv3.exe
      "C:\Windows\system32\winrdlv3.exe" SW_HIDE
      2⤵
      • Executes dropped EXE
      PID:2520
  • C:\Program Files (x86)\Common Files\System\winrdgv3.exe
    "C:\Program Files (x86)\Common Files\System\winrdgv3.exe"
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Windows\SysWOW64\winrdlv3.exe
      C:\Windows\SysWow64\winrdlv3.exe winwdgv3.dll,RunMonitor32
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\winrdlv3.exe
        C:\Windows\SysWow64\winrdlv3.exe winoav3.dll,RunAgent32
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • Writes to the Master Boot Record (MBR)
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1084
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s trmenushl64.dll
          4⤵
          PID:1988
        • C:\Windows\system32\regsvr32.exe
          C:\Windows\system32\regsvr32.exe /s /u trmenushl64.dll
          4⤵
          PID:1624
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
    1⤵
    PID:3536
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    1⤵
    PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    • Create or Modify System Process (1) T1543
      • Windows Service (1) T1543.003
    • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003
  • Privilege Escalation
    • Create or Modify System Process (1) T1543
      • Windows Service (1) T1543.003
  • Defense Evasion
    • Impair Defenses (1) T1562
      • Disable or Modify System Firewall (1) T1562.004
    • Pre-OS Boot (1) T1542
      • Bootkit (1) T1542.003
    • Modify Registry (1) T1112
  • Discovery
    • Query Registry (3) T1012
    • System Information Discovery (4) T1082
    • Peripheral Device Discovery (2) T1120


Downloads

  • C:\Program Files (x86)\Common Files\System\systecv3.exe
    Filesize 2.3MB
  • C:\Program Files (x86)\Common Files\System\winrdgv3.exe
    Filesize 1.7MB
  • C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\System.dll
    Filesize 12KB
  • C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\nsExec.dll
    Filesize 7KB
  • C:\Users\Admin\AppData\Local\Temp\nsy4F1B.tmp\nsProcess.dll
    Filesize 4KB
  • C:\Windows\LInstSvr.exe
    Filesize 413KB
  • C:\Windows\SysWOW64\Ocular\AgentTask\AgentTaskList.dat
    Filesize 32B
  • C:\Windows\SysWOW64\Ocular\OAgent.ini
    Filesize 7KB
  • C:\Windows\SysWOW64\Ocular\OAgent.ini
    Filesize 7KB
  • C:\Windows\SysWOW64\Ocular\OAgent.ini
    Filesize 7KB
  • C:\Windows\SysWOW64\Ocular\OPolicy.ini
    Filesize 7KB
  • C:\Windows\SysWOW64\Ocular\OPolicy.ini
    Filesize 7KB
  • C:\Windows\SysWOW64\Ocular\msmidtierserverclass3.dat
    Filesize 132B
  • C:\Windows\SysWOW64\Ocular\msodhash3.dat
    Filesize 6KB
  • C:\Windows\SysWOW64\winoav3.dll
    Filesize 13.7MB
  • C:\Windows\SysWOW64\winwdgv3.dll
    Filesize 2.1MB
  • C:\Windows\bakrdlv3.sys
    Filesize 57KB
  • C:\Windows\system32\winwdgv364.dll
    Filesize 1.3MB
  • C:\Windows\win.ini
    Filesize 1KB
  • C:\Windows\win.ini
    Filesize 1KB
  • memory/1752-271-0x0000000001900000-0x000000000272C000-memory.dmp
    Filesize 14.2MB