Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    12-06-2024 10:36

General

  • Target
    88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
  • Size
    1012KB
  • MD5
    c6754415c6cf116c9d588b42d9b53932
  • SHA1
    a8e845a34ade1430669b9fe0592fb0586bb51e77
  • SHA256
    88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43
  • SHA512
    d7f57f3b89cdd4d1ec334e900948e3dba4b0880830de91aabd3309a8c32aceac493d8462ce96a6e2d5f0535a567972803feeb8054a90a4e90a9118a1e8541929
  • SSDEEP
    12288:OPppN1nwJrIWXoFQnUCcf7VxFssV8Uc2KD0fTMFz8eYwlfA2CdWxjFP7dxljI8wL:OrzmuV71TMFYOlfpfFPhxljI8w

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 51 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
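Added example, not part of the sandbox report: the check a responder runs when a sample trips the "Writes to the MBR" signature. The signature fires on the write itself; it does not tell you whether the bootstrap code or partition table changed. This parser takes a 512-byte MBR (dumped before and after detonation, or compared against a known-good image), validates the 0x55AA signature, extracts the partition entries, and hashes the bootstrap region. The two sample MBRs, their disk signature and partition layout are constructed for the demo; `read_mbr_from_device` assumes a raw Windows device path and administrator rights.

```python
"""Added example: verify whether an MBR write actually changed the boot code.

Parses a 512-byte MBR, validates the 0x55AA signature, extracts the partition
table, and compares the bootstrap region against a known-good baseline.
The sample MBRs below are constructed for the demo, not taken from the report.
"""
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTSTRAP_LEN = 440            # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440             # 4-byte NT disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_FMT = "<B3BB3BII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(data: bytes) -> dict:
    """Return bootstrap hash, disk signature and the non-empty partition entries."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        fields = struct.unpack_from(PART_FMT, data, PART_TABLE_OFF + 16 * i)
        status, ptype, lba, count = fields[0], fields[4], fields[8], fields[9]
        if ptype == 0:             # empty slot
            continue
        partitions.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return {
        "bootstrap_sha256": hashlib.sha256(data[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """List what differs between a known-good MBR and the one read after analysis."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if before["bootstrap_sha256"] != after["bootstrap_sha256"]:
        findings.append("bootstrap code changed (possible bootkit)")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    return findings


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed MBR: given bootstrap bytes, one bootable NTFS partition, valid signature."""
    assert len(bootstrap) <= BOOTSTRAP_LEN
    mbr = bytearray(MBR_SIZE)
    mbr[:len(bootstrap)] = bootstrap
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x1234ABCD)           # made-up disk signature
    struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)     # NTFS, LBA 2048, 100 MiB
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Baseline: a stub that sets up the stack like a normal boot sector; tampered: a far jump
# elsewhere, the shape of what a bootkit leaves behind. Both are constructed, not real.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(b"\xea\x00\x7c\x00\x00" + b"\x90" * 16)


def read_mbr_from_device(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the first sector of a raw disk (needs administrator rights on Windows)."""
    with open(path, "rb") as disk:
        return disk.read(MBR_SIZE)


if __name__ == "__main__":
    print("baseline vs baseline:", diff_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", diff_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Run it on the sandbox VM's disk image (or on a snapshot taken before the sample runs) by feeding `read_mbr_from_device()` output to `diff_mbr` as the `current` argument. An unchanged bootstrap hash and partition table means the write was a rewrite of identical bytes, which is worth noting before treating the 7/10 score as a bootkit finding; a changed bootstrap region is the case to escalate.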

Processes

  • C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe
    "C:\Users\Admin\AppData\Local\Temp\88ba1b56151c5ae35ec555a37db70ec3734fbfd6e1b76a1c2c53b1e2f8203b43.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" C:\Windows\system32\regsvr32.exe /u /s "C:\Users\Admin\AppData\Local\Temp\DeskmgrShellExtx64.dll"
      2⤵
      PID:2808
    • C:\Windows\SysWOW64\Netsh.exe
      "C:\Windows\system32\Netsh.exe" exec "C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt"
      2⤵
      PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Defense Evasion
    Pre-OS Boot (T1542): 1
    Bootkit (T1542.003): 1
  • Discovery
    System Information Discovery (T1082): 1


Downloads

  • C:\ProgramData\Tencent\DeskGo\DeskGoUninst_20240612103645.Log
    Filesize
    6KB
    MD5
    504f91f57777bd4627607d14db6fbb18
    SHA1
    b9ba3d86410f2e9ff3d8ab07f7ba5ef25be34310
    SHA256
    ff1dd094265dc8e7ac3cea200590ebfe5506f946fac45bdfa99ffc1e7573707b
    SHA512
    84ca8294b058971a4780bebde1b6916b2041b8455e63c9d22f58897320c55189d27cba4717e58690675c4675fe394c19a2a3a9f8e80bc9d2af3c99daeb9b088a
  • C:\Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\firewallLog.txt
    Filesize
    104B
    MD5
    bb2bc660ceba457e96e328d6771f93cb
    SHA1
    5387c389561eee423fc284a887ae752d478e3dd6
    SHA256
    c784f85e2d745af795236284f46b9c0a0cab51d8cd5dffc7d94e2421cefeae5c
    SHA512
    6ced4915cd8988895bf9a8f96d75508f57a20b8f5f7952f09706bdc5c8dd651d0f2ea52397a370abd8a578215e7828dbffba36e695c80920475d859ba3de00a0
  • \Users\Admin\AppData\Local\Temp\UNI7A3D.tmp\dr.dll
    Filesize
    427KB
    MD5
    68a34245c650829c613e9068bdc6f79d
    SHA1
    f877ad637c2097915ba894fdccb1a596a52a726e
    SHA256
    c72cc19b9ee4546378d22483d5cbe612805be585658df9d28677174b19c2b3bf
    SHA512
    1c9181c1693f3fb4c3044f57f9113f1858cb709c56ea7beec1d41026c4a64070e221dcb61669fbdab63fc0669df24f4a126ea517a157a738b9a35d784cef9afe
  • memory/1620-84-0x0000000000A40000-0x0000000000B41000-memory.dmp
    Filesize
    1.0MB