Overview

overview

9

Static

static

9

2bc68cb6d7...d6.exe

windows7-x64

9

2bc68cb6d7...d6.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe

  • Size

    5.4MB

  • MD5

    2cf8e658c125ab577a4796a7e58e03ae

  • SHA1

    ad6e809d428862584d327f570693effd223c9944

  • SHA256

    2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6

  • SHA512

    9cfff2e8c7ff373c9d39dc563e80773c0a2b727f76aeea17e1cb6877afe1c55067f92076ed2c20164b21a9ad3dcc00948c01ee40de68ea30d8db67d2aa8de5fb

  • SSDEEP

    98304:n2kVbc4gkJBAUZLDATC2oLbxLeORVOumgkGUa0o:lwDkJV/AG2oLb0OHmWn0o

Score
9/10
bootkitoss_akpersistence

Malware Config

Signatures

  • detect oss ak 1 IoCs

    oss ak information detected.

    oss_ak
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
    "C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
      C:\Users\Admin\AppData\Local\Temp\2bc68cb6d702f6e11d5df761da13d323012912421c6fb32c7a0e32847e0ea6d6.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:4736
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /delete /tn WindowsMediaPlayer /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn WindowsMediaPlayer /f
        3⤵
          PID:1280
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn WindowsMediaPlayer /tr "\"C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe\"" /SC ONLOGON /delay 0000:03 /RL HIGHEST
          3⤵
          • Scheduled Task/Job: Scheduled Task
          PID:3132
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD /f
          3⤵
            PID:3400
        • C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
          "C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe"
          2⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • Writes to the Master Boot Record (MBR)
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3764
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\System32\svchost.exe
            3⤵
              PID:944
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\System32\svchost.exe
              3⤵
                PID:3432
              • C:\Windows\SysWOW64\svchost.exe
                C:\Windows\System32\svchost.exe
                3⤵
                  PID:1636
                • C:\Windows\SysWOW64\svchost.exe
                  C:\Windows\System32\svchost.exe
                  3⤵
                    PID:2784
                  • C:\Windows\SysWOW64\svchost.exe
                    C:\Windows\System32\svchost.exe
                    3⤵
                      PID:4448
                    • C:\Windows\SysWOW64\svchost.exe
                      C:\Windows\System32\svchost.exe
                      3⤵
                        PID:4592
                      • C:\Windows\SysWOW64\svchost.exe
                        C:\Windows\System32\svchost.exe
                        3⤵
                          PID:3108
                        • C:\Windows\SysWOW64\svchost.exe
                          C:\Windows\System32\svchost.exe
                          3⤵
                            PID:3448
                          • C:\Windows\SysWOW64\svchost.exe
                            C:\Windows\System32\svchost.exe
                            3⤵
                              PID:1800
                            • C:\Windows\SysWOW64\svchost.exe
                              C:\Windows\System32\svchost.exe
                              3⤵
                                PID:1960

                          Network

                          MITRE ATT&CK Matrix ATT&CK v13

                          Initial Access

                          Execution

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Persistence

                          Pre-OS Boot

                          1
                          T1542

                          Bootkit

                          1
                          T1542.003

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Privilege Escalation

                          Scheduled Task/Job

                          1
                          T1053

                          Scheduled Task

                          1
                          T1053.005

                          Defense Evasion

                          Pre-OS Boot

                          1
                          T1542

                          Bootkit

                          1
                          T1542.003

                          Credential Access

                          Discovery

                          Query Registry

                          2
                          T1012

                          System Information Discovery

                          3
                          T1082

                          Peripheral Device Discovery

                          1
                          T1120

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Resource Development

                          Reconnaissance

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Program Files\Windows Media Player\wmplayer\wmplayer.exe
                            Filesize

                            3.4MB

                            MD5

                            785124e9e0ab753f092765d87db2e6c5

                            SHA1

                            134dc470100b161a9d532608525d81a7e4abb671

                            SHA256

                            8c597cb6a277c0a0527bf287cb1612ab8a70df4b938603eaaf3f404bbd90d336

                            SHA512

                            bf48d9cb3179c4aa1a2d91798c22a58532f31d36194a52c195aa138773e97359e07d82c3679547e299f10a4dc261712a9ee1c8c8e51037c63251dc00d713477b

                            Download Submit
                          • C:\Windows\RECYCLE.BIN
                            Filesize

                            451B

                            MD5

                            cc99b98acccbc375c5b1ff7485d52fb7

                            SHA1

                            484dc697d64625b37cc9e53e5108d3b2530dabf4

                            SHA256

                            dcb786e381fae3c782fe8059b9b87257bbb04e5f4dbb2ccd73acacce3961ceb7

                            SHA512

                            c60da6bfa5a30512c09b105ee51da3c9c44f428c190412550e07e76e1383bc49ae70b84f7b56b6953c9b30c7fa3ba4dbed3efd822c8b9ea07f9662520925e9ba

                            Download Submit
                          • C:\Windows\RECYCLE.BIN
                            Filesize

                            536B

                            MD5

                            b062e828ed7652ffa91ea845d0ef1bf1

                            SHA1

                            3c37e9c764f9748002491be2d19154ed812d4d19

                            SHA256

                            067e24d6a1ab178976b85e286dd39517799c277a40c1965afc7807714405ff51

                            SHA512

                            4703fbb56c0b84cf8002ca653703dae4e2ba0d013703affbbeb5c1260f0b2cf830469b6349765f0de7ccde82e215c2c2b3398e1842976c61516cfa2be3787ba9

                            Download Submit