d26a7f2d4f3521827201e6cdcd296f132c7d18c3a1ce70c24b423300cff326fe

Analysis

max time kernel
44s
max time network
46s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

360TS_Setup_Mini.exe
Size

1.4MB
MD5

31fee2c73b8d2a8ec979775cd5f5ced7
SHA1

39182a68bc0c1c07d3ddc47cd69fe3692dbac834
SHA256

d26a7f2d4f3521827201e6cdcd296f132c7d18c3a1ce70c24b423300cff326fe
SHA512

db51b602a8675641bc3a0a980a197243787ed12f5e0619cb1d390c91193d7e3447e3e86e2321c3ea273c6732b356003a249241d7d8a5699931810e5a35d5c650
SSDEEP

24576:kL/7n6lbcC8oblv1zj1SqdAGFQZIxvC45UJoe1Z:E6+C8o5tzjYq+ZIxL5UJoeL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
4424	360TS_Setup_Mini.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	4424	360TS_Setup_Mini.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4424	360TS_Setup_Mini.exe
4424	360TS_Setup_Mini.exe
4424	360TS_Setup_Mini.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
4424	360TS_Setup_Mini.exe
4424	360TS_Setup_Mini.exe
4424	360TS_Setup_Mini.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe
1876	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1876	4424	360TS_Setup_Mini.exe	77
PID 4424 wrote to memory of 1876	4424	360TS_Setup_Mini.exe	77
PID 1876 wrote to memory of 4716	1876	msedge.exe	78
PID 1876 wrote to memory of 4716	1876	msedge.exe	78
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 2812	1876	msedge.exe	79
PID 1876 wrote to memory of 3288	1876	msedge.exe	80
PID 1876 wrote to memory of 3288	1876	msedge.exe	80
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81
PID 1876 wrote to memory of 5016	1876	msedge.exe	81

C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe
"C:\Users\Admin\AppData\Local\Temp\360TS_Setup_Mini.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "http://www.360totalsecurity.com/en/download-free-antivirus/360-total-security/?offline=1"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd41233cb8,0x7ffd41233cc8,0x7ffd41233cd8
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
    3⤵
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1988 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:5016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
    3⤵
    PID:1072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,12285266994126737123,2909694303284252338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:3244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e77a14fc3deaf4a73b87810913485656

SHA1
5d6900da9f56c37bc761308a60792e92c1918f67

SHA256
d0b47e79b78f3fa2f8af4fb75a8f0222fbd6add8d34b8c041c353d8b49fae5ea

SHA512
ab2f2464c6a0a0563b9bae40e340e65dc85bb45ba44388a07ea108b95898e885f6698880dd46a829b955d2122e1ed78ab9a008b120a7ff01e3b3240e59b87dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b4e4d30487a0e89ba29c2a6be8df264d

SHA1
70f548aeeb4ac337f75b8ccefad049567d3fe998

SHA256
58ed9e85aeb0d3e4d67c25b0cd4f807eb03814cba0d9685f29ef4119e96c889c

SHA512
f764891ca7cb0478d7d72d5443b5fa9a594068aa44c7f80ac489a617f03305d2206cd1415e65c9d30f6d93129aa18c1be3254977fe4859cd7a9874310d1cb3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b67f835ec1b1c553744329ce58ed5e7b

SHA1
82291fcfeb53949c78d9297d4473eb5f6ef9035f

SHA256
ed0d4b3a4acd05b3ed7beb44a73181977704312ba096e8895858a844b0244bab

SHA512
23c44065122b1176e38bf64b6c21a26073b47097ca913a149fa5f7a53d5c3ebffabaeef29a73e67f01c5648fb7351513d8507e48338ed91075c5ac8432f999ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{3B7223BF-91B1-409c-B047-01D6ECA8A547}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EBECB6B3-BD25-40d2-9AB4-041FEEE8527F}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
memory/4424-13-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/4424-14-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download