a38f8a7e057e205d3961095a025f5014c0da0567495f2ca5a15f26d89c481026

Resubmissions

05/07/2024, 19:50

240705-yka7bsthqp 3

05/07/2024, 19:49

05/07/2024, 19:25

05/07/2024, 19:20

05/07/2024, 19:15

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InfiniteBlue (1).exe
Size

1.8MB
MD5

70b9c08114c970f97ba983227e0f08b4
SHA1

0c3c846828734aed1d74ea47253feef6f81940ac
SHA256

a38f8a7e057e205d3961095a025f5014c0da0567495f2ca5a15f26d89c481026
SHA512

dc223e4cbfe89a8d92b2042b1c8a0403b26adc7383317cbadc56602d1e9c02a4a80450ec5aa243fdb8ef3a0882a20af48c3ebb7165ca58dfe34c62691c36f5eb
SSDEEP

49152:RqrObhdGZu/xJrtcaXxfjDSVQEWnu3+w3JJn+:oExvFXpCQG3+OXn+

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	InfiniteBlue (1).exe

Disables Task Manager via registry modification
evasion

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2484	takeown.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	InfiniteBlue (1).exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2908	InfiniteBlue (1).exe
2908	InfiniteBlue (1).exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	InfiniteBlue (1).exe
Token: SeDebugPrivilege	2908	InfiniteBlue (1).exe
Token: SeTakeOwnershipPrivilege	2484	takeown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2484	2908	InfiniteBlue (1).exe	28
PID 2908 wrote to memory of 2484	2908	InfiniteBlue (1).exe	28
PID 2908 wrote to memory of 2484	2908	InfiniteBlue (1).exe	28
PID 1472 wrote to memory of 2632	1472	chrome.exe	33
PID 1472 wrote to memory of 2632	1472	chrome.exe	33
PID 1472 wrote to memory of 2632	1472	chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\InfiniteBlue (1).exe
"C:\Users\Admin\AppData\Local\Temp\InfiniteBlue (1).exe"
1⤵
- Disables RegEdit via registry modification
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\system32\takeown.exe
  "takeown.exe" /f C:\Windows\system32\LogonUI.exe
  2⤵
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
  PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef1d29758,0x7fef1d29768,0x7fef1d29778
  2⤵
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2908-0-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2908-1-0x0000000001310000-0x00000000014DA000-memory.dmp

Filesize
1.8MB

Download
memory/2908-2-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-3-0x000000001B580000-0x000000001B850000-memory.dmp

Filesize
2.8MB

Download
memory/2908-4-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-5-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-6-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

Filesize
4KB

Download
memory/2908-7-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2908-8-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

Filesize
9.9MB

Download